July 2, 2024

Sylvain Kerkour writes:

Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.

… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.

As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.

  • cargo imports over 400 crates.

  • crates.io has over 500 transitive dependencies.

…the offical libsignal (from the Signal messaging app) uses 500 third-party packages.

… what is really inside these packages. It has been found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.

…how I would do it (there may be better ways):

A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.

[stdx packages to include, among others]:

gzip, hex, http, json, net, rand

Read Rust has a HUGE supply chain security problem


Submitter’s note:

I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.

  • Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    1
    ·
    4 months ago

    Java and Python projects can be based almost entirely on the standard library because there’s so much in there (or packages with minimal/no third party dependencies).

    C++ it’s not uncommon for the entire code base or the majority of the code base to be internal (and maybe make use of the standard library or a library under the boost umbrella).

    The “every language” is largely a “languages that became popular in the NodeJS era” issue.