undefined | Better HN

story

0 pointsrandomint645mo ago0 comments

Indeed, Rust's supply chains story is an absolute horror, and there are countless articles explaining what should be done instead (e.g. https://kerkour.com/rust-stdx)

TL;DR: ditch crates.io and copy Go with decentralized packages based directly on and an extended standard library.

Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

On the other hand, C / C++ style dependency management is even worse than Rust's... Both in terms of development velocity and dependencies that never get updated.

0 comments

Ygg25mo ago

> countless articles explaining what should be done instead (e.g. https://kerkour.com/rust-stdx)

Don't make me tap the sign: https://news.ycombinator.com/item?id=41727085#41727410

> Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

They add a layer of convenience. C/C++ are missing that convenience because they aren't as composable and have a long tail of pre-package manager projects.

Java didn't start with packages, but today we have packages. Same with JS, etc.

eichin5mo ago

Or from another angle, dpkg/apt is the package manager for C/C++ ...

Ygg25mo ago

Yeah, but it's not immune to supply chain attacks. Counting on maintainers of dpkg is not that different from counting on maintainers of random crate package.

j / k navigate · click thread line to collapse

0 comments

Ygg25mo ago

> countless articles explaining what should be done instead (e.g. https://kerkour.com/rust-stdx)

Don't make me tap the sign: https://news.ycombinator.com/item?id=41727085#41727410

> Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

They add a layer of convenience. C/C++ are missing that convenience because they aren't as composable and have a long tail of pre-package manager projects.

Java didn't start with packages, but today we have packages. Same with JS, etc.

eichin5mo ago

Or from another angle, dpkg/apt is the package manager for C/C++ ...

Ygg25mo ago

Yeah, but it's not immune to supply chain attacks. Counting on maintainers of dpkg is not that different from counting on maintainers of random crate package.

j / k navigate · click thread line to collapse