• Ephera@lemmy.ml (↑1, 9 months ago)

    Yeah, I’ve given up trying to know all the libraries in my projects. I feel like the added development speed and code quality is just so good that not taking the risk of a supply chain attack is basically not an option.

    I do try to primarily use libraries from the Rust team or from more widely known devs (and hope that they also do that), but most projects worth doing will need one or two specialty libraries where all bets and bus factors are off…

    • dsemy@lemm.ee (↑1, 9 months ago)

      You think your code is higher quality with more dependencies? All you’re doing is offloading complexity to a separate project.

      If you make a program that does “something worth doing”, but you need some specialty library to actually do it (which you didn’t implement yourself), then sorry, but it wasn’t you who did it.

      • Ephera@lemmy.ml (↑0, 9 months ago)

        Yes, offloading complexity to a separate project which has already invested more time into code quality than I could possibly justify.

        As for your second point, I don’t care who solved the problem. If you care, I hope you’re smelting your own sand to build your own CPU and assembly language. But I’m obviously also not solving the exact same problem as the library already solved.

        Why are you looking for conflict?

        • dsemy@lemm.ee (↑2, 9 months ago)

          My problem was with the first line of your comment:

          Yeah, I’ve given up trying to know all the libraries in my projects.

          This leads me to assume that you don’t actually know that those dependencies are as well maintained as you claim.

          Obviously dependencies are important and make sense to use in many cases, but using trivial dependencies to speed up development isn’t good.

          As for your second point, I don’t care who solved the problem. If you care, I hope you’re smelting your own sand to build your own CPU and assembly language. But I’m obviously also not solving the exact same problem as the library already solved.

          I was just saying it isn’t you who solved the problem in that case, really, as the hard work was done for you. Honestly though, it was pointless and rude so I apologise.

          • Ephera@lemmy.ml (↑1, 9 months ago)

            Apology taken.

            This leads me to assume that you don’t actually know that those dependencies are as well maintained as you claim.

            Well, I can’t guarantee that none of them are buggy, unmaintained etc… But that’s why I prefixed that sentence with “I feel”.
            On average, it seems to me like the code quality is a good bit higher than I’m able to produce under money/time constraints.

            In particular, even the worst libraries tend to be not as bad as they may be in many other languages, because Rust’s strict type system + compiler enforces quite a bit of correctness on its own.
            Well, and the good libraries are just obsessed with correctness and performance, so they drag code quality upwards, even if they introduce a mild risk of a transitive dependency being a dud…

  • SrTobi@feddit.de (↑1, 9 months ago)

    Fuck that. It’s awesome! I want to have lazily initialized globals. It’s that package. I want code to shorten my builder pattern, I import that. I need a typed concurrent work-stealing queue. No problem.

    I look at a C project. Everywhere custom macros to do the most basic shit. I want to parse XML in C? Better use a SAX parser and put all the data into globals. Cryptography? Better implement that ourselves… Using a library would be too much of a hassle.

    • platypus_plumba@lemmy.world (↑1, 9 months ago, edited)

      I mean, it’s awesome until it isn’t.

      NPM is already on the “isn’t” side of it. Especially with all the malware going around. Who has time to read the code of the dependencies of the dependencies of their dependencies? For every single version. It’s just not possible…

      I guess the main concern with this is security. You’re literally running code you don’t even know about on your machine, probably next to personal files or your company’s code base.

      A simple HTTP call to publish all your private code wouldn’t be hard to sneak into a 6th-level dependency.

  • 30p87@feddit.de (↑0, 9 months ago)

    I find it especially weird that it’s almost always labeled like something special if it’s written in Rust, even though as the end user the only thing I know will be different is the compile time, as it usually takes around 10-20 times longer than if it would be written in C, with 500 dependencies being pulled and recompiled every time. Which means if tests fail, even though the app works fine, and I had that happen twice in Rust, it will take three tries or so until I manage to fully remove the test section from the PKGBUILD, resulting in an hour loss for just installing something that could’ve taken 5 minutes.

    • simple@lemm.ee (↑0, 9 months ago)

      > Decide to create a very basic GUI app in Rust, as everyone is saying it’s a great language for it

      > First compilation takes over 15 minutes to download and compile 100 libraries

      > Debug files take up 2GB of storage

      > Output binary file comes out massive for no reason

      > “Yeah you’re supposed to write a few lines to optimize for size in your release profile”

      > Compiling now takes 30 minutes instead
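      The “few lines” in the release profile that the greentext above refers to, shown here as an added illustration that is not from the thread; the specific settings are the usual size-oriented choices and are an assumption, not something the poster specified:

```toml
# Cargo.toml, added illustration (not from the thread). Each setting trades
# longer release builds for a smaller binary; debug builds are unaffected.
[profile.release]
opt-level = "z"      # optimise for size rather than speed
lto = true           # whole-program link-time optimisation: slower link, smaller output
codegen-units = 1    # a single codegen unit: less parallelism, better optimisation
panic = "abort"      # no unwinding tables in the binary
strip = true         # strip symbols from the final binary (supported since Cargo 1.59)
```

      `lto = true` and `codegen-units = 1` are the two settings that cost the most build time, which is the slowdown the next line of the greentext complains about.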

      • 30p87@feddit.de (↑0, 9 months ago)

        Reimplements in C

        Compiles in 5 minutes (you accidentally did it on the RPi Zero W; on a PC it’s done in 30 secs)

        • snowfalldreamland@lemmy.ml (↑1, 9 months ago)

          Reimplements in C

          Segmentation fault (core dumped)

          change code so it no longer segfaults

          still is UB, has arbitrary code execution vulnerability

          everybody dies

    • Ephera@lemmy.ml (↑0, 9 months ago)

      You seem to be a rather specific user, if the compile time is something you notice, let alone the only thing…

      • 30p87@feddit.de (↑0, 9 months ago)

        It’s just weirdly noticeable when one Rust program with ~150 lines of code, designed to connect to a specific device and send commands according to the intensity of music, takes longer to compile than updating a typical Arch testing setup after a month without maintenance, including the (non-Rust) AUR packages.

        • Ephera@lemmy.ml (↑1, 9 months ago)

          Well, I’m not here to claim that Rust’s compile times aren’t comparatively long, especially for non-incremental builds. It’s a trade-off that was chosen to not need a runtime environment, nor be as simplistic/footgun as C.

          What I’m saying is that this trade-off was chosen and continues to be popular, because the vast majority of users will never notice (nor will programmers really, as they have incremental builds).
          Maybe you can download the fully built package from somewhere? Maybe Arch can package it in the proper repos?