undefined | Better HN

0 pointsbonzini2y ago0 comments

The difference is that in another language the build step is delegated to someone else who has packaged the code, and every version has presumably gone through some kind of audit. With Rust I have no idea what new transitive dependencies could be included any time I update one of my dependencies, and what code could be triggered just by building my program without even running it.

Again, we're not talking about the dependencies that I choose, but the whole transitive closure of dependencies, including the most low-level. Did you examine serde the first time you used a dependency that used it? serde did have in the past a slightly sketchy case of using a pre-built binary. Or the whole dependency tree of Bevy?

I mean, Rust has many advantages but the cargo supply chain story is an absolute disaster---not that it's alone, pypi or nodejs or Ruby gems are the same.

0 comments

3 comments · 1 top-level

timschmidt2y ago· 2 in thread

> The difference is that in another language the build step is delegated to someone else who has packaged the code

Fedora packages a large number of Rust libraries, just as you describe. Nothing prevents you from using the packaged libraries if you prefer them.

You may find helpful information here: https://docs.fedoraproject.org/en-US/packaging-guidelines/Ru...

bonziniOP2y ago

> Nothing prevents you from using the packaged libraries if you prefer them

Nothing except, in no particular order: 1) only having one version of crates 2) mismatched features 3) new transitive dependencies that can be introduced at any time without any warning 4) only supporting one version of rust 5) packages being noarch and basically glorified distro-wide vendoring—so their build.rs code is still run on your machine at cargo build time

timschmidt2y ago

> 1) only having one version of crates

Same as any other library provided by the distribution in any other language.

> 2) mismatched features

Same as any other library provided by the distribution in any other language.

> 3) new transitive dependencies that can be introduced at any time without any warning

Not in packaged Rust libraries in Fedora, at least. Please read the aforementioned link.

> 4) only supporting one version of rust

Same as any other library provided by the distribution in any other language.

> 5) packages being noarch and basically glorified distro-wide vendoring

Packages containing only source is a consequence of the Rust ABI still stabilizing, see: https://github.com/rust-lang/rust/pull/105586 After ABI stabilization, Rust libraries will be first class like any other language.

j / k navigate · click thread line to collapse

0 comments

3 comments · 1 top-level

timschmidt2y ago· 2 in thread

> The difference is that in another language the build step is delegated to someone else who has packaged the code

Fedora packages a large number of Rust libraries, just as you describe. Nothing prevents you from using the packaged libraries if you prefer them.

You may find helpful information here: https://docs.fedoraproject.org/en-US/packaging-guidelines/Ru...

bonziniOP2y ago

> Nothing prevents you from using the packaged libraries if you prefer them

timschmidt2y ago

> 1) only having one version of crates

Same as any other library provided by the distribution in any other language.

> 2) mismatched features

Same as any other library provided by the distribution in any other language.

> 3) new transitive dependencies that can be introduced at any time without any warning

Not in packaged Rust libraries in Fedora, at least. Please read the aforementioned link.

> 4) only supporting one version of rust

Same as any other library provided by the distribution in any other language.

> 5) packages being noarch and basically glorified distro-wide vendoring

j / k navigate · click thread line to collapse