arccy's comments

from part 2:

> Worse, early prototypes already pulled in nearly a thousand third-party Rust crates, many of which were transitive dependencies and largely unvetted, posing potential supply-chain risks.

Rust really going for the node ecosystem's crown in package number bloat


Rust is nowhere close to Node in terms of package number bloat. Most Rust libraries are actually useful and nontrivial and the supply chain risk is not necessarily as high for the simple reason that many crates are split up into sub-crates.

For example, instead of having one library like "hashlib" that handles all different kinds of hashing algorithms, the most "official" Rust libraries are broken up into one for sha1, one for sha2, one for sha3, one for md5, one for the generic interfaces shared by all of them, etc... but all maintained by the same organization: https://github.com/rustcrypto/

Most crypto libraries do the same. Ripgrep split off aho-corasick and memchr, the regex crate has a separate pcre library, etc.

Maybe that bumps the numbers up if you need more than one algorithm, but predominantly it is still anti-bloat and has a purpose...


While I agree, the exact line “rust libraries are useful and non-trivial” I have heard from all over the place, as if the value of a library is how complex it is. The Rust community has an elitist bent to it, or a minority is very vocal.

Supply chain attacks are real for all package registries. The js ones had more to do with registry accounts getting hacked than the compromised libraries being bad or useless.


I am sensing "is-odd" and "is-even" vibes from that approach.

Not at all.

Most programs only use one or a few hash functions, so grouping each family into a separate crate reduces compilation time for the majority of users. Could also help when auditing the removal of vulnerable hash functions.

As for ripgrep, the organization is quite sensible:

1. one crate to define an interface for regex matchers

2. one crate to implement the native matcher

3. one crate to implement the PCRE2 matcher

4. one crate to define a safe interface to the underlying PCRE2 library

Depending on the application, any one of 1+2+3+4, 1+2, 1+3+4, or 4 alone could be useful.


Yes I perfectly understand the reasoning and technically it is sound.

It becomes insane once you start thinking of real life implications, specifically supply chain attacks.

Although it's only marginally more insane than the other ecosystems.


The alternative is sometimes that people just copy and paste code from libraries that never gets updated.

It really is about time that somebody do something about it.

Start with tokio. Please vend one dependency, batteries included, and vendor in/internalize everything, thanks.


There is a difference between individual packages coming out of a single project (or even a single Cargo workspace) vs them coming from completely different people.

The former isn't a problem, it is actually desirable to have good granularity for projects. The latter is a huge liability and the actual supply chain risk.

For example, the Tokio project maintains another popular library called Prost for Protobufs. I don't think having those as two separate libraries with their own set of dependencies is a problem. As long as Tokio developers' expertise and testing culture go into Prost, it is not a big deal to have multiple packages. Similarly, different components of Tokio itself can be different crates; as long as they are built and tested together, them being separate dependencies is GOOD.

Now to use Prost with a gRPC server, I need a different project: tonic, which comes from a different vendor: Hyperium. This is an increased supply chain risk that we need to vet. They use Prost. They also use the "h2" crate. Now, I need to vet the code quality and the testing culture of multiple different organizations.

I have a firm belief that the actual People >>> code, tooling, companies and even licensing. If a project doesn't have (or retain) visionary and experienced developers who can instill good culture, it will ship shit code. So vetting organizations >> vetting individual libraries.
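One way to act on the "vet organizations, not individual crates" point above, as an added example that is not part of the original comment nor of any of the projects it names: parse `cargo metadata --format-version 1` output and group every crate in the resolved graph by the organization behind its `repository` URL, so the reviewer sees how many distinct vendors are in the supply chain rather than how many crates. The JSON below is a constructed sample in the shape of that output (only the fields the script reads); the repository URLs follow the projects named in the thread, while `placeholder-util`, `patched-crate`, the version numbers and the workspace crate `myapp` are invented for the example.

```python
import json
import sys
from collections import defaultdict
from urllib.parse import urlparse

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample of `cargo metadata --format-version 1` output, trimmed to
# the fields this script reads. Crate and version values are placeholders.
SAMPLE_METADATA = json.dumps({
    "packages": [
        # Workspace crate: "source" is null for path/workspace packages.
        {"name": "myapp", "version": "0.1.0", "source": None, "repository": None},
        {"name": "tokio", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/tokio-rs/tokio"},
        {"name": "prost", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/tokio-rs/prost"},
        {"name": "tonic", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/hyperium/tonic"},
        {"name": "h2", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/hyperium/h2"},
        {"name": "sha2", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/RustCrypto/hashes"},
        {"name": "digest", "version": "0.0.0", "source": REGISTRY,
         "repository": "https://github.com/RustCrypto/traits"},
        # Constructed: a crate pulled from a git fork with no repository field;
        # the vendor is recovered from the git+ source URL instead.
        {"name": "patched-crate", "version": "0.0.0",
         "source": "git+https://github.com/hyperium/h2?branch=fix#0000000",
         "repository": None},
        # Constructed: no repository metadata at all, so the vendor is unknown.
        {"name": "placeholder-util", "version": "0.0.0", "source": REGISTRY,
         "repository": None},
    ],
})


def vendor_of(repository, source=None):
    """Map a crate's repository URL (or, failing that, a git+ source URL) to a
    vendor key such as 'github.com/tokio-rs'. Returns 'unknown' if neither
    gives a host and an owner segment."""
    url = repository
    if not url and source and source.startswith("git+"):
        url = source[len("git+"):]
    if not url:
        return "unknown"
    parsed = urlparse(url)  # query/fragment (?branch=..., #sha) are dropped
    segments = [s for s in parsed.path.split("/") if s]
    if not parsed.netloc or not segments:
        return "unknown"
    # Hosting-site owner names are case-insensitive, so 'RustCrypto' and
    # 'rustcrypto' must collapse into one vendor.
    return f"{parsed.netloc.lower()}/{segments[0].lower()}"


def group_by_vendor(metadata_json):
    """Return {vendor: sorted crate names} for every non-workspace crate."""
    meta = json.loads(metadata_json)
    groups = defaultdict(list)
    for pkg in meta["packages"]:
        if pkg.get("source") is None:  # our own workspace/path crates
            continue
        groups[vendor_of(pkg.get("repository"), pkg["source"])].append(pkg["name"])
    return {vendor: sorted(names) for vendor, names in groups.items()}


def vendor_report(metadata_json):
    """Human-readable lines: biggest vendors first, 'unknown' last because
    those crates are the ones a reviewer has to chase down by hand."""
    groups = group_by_vendor(metadata_json)
    ordered = sorted(groups.items(),
                     key=lambda kv: (kv[0] == "unknown", -len(kv[1]), kv[0]))
    lines = [f"{vendor:30} {len(names):3}  {', '.join(names)}"
             for vendor, names in ordered]
    total = sum(len(names) for names in groups.values())
    lines.append(f"{len(groups)} distinct vendors for {total} crates")
    return lines


if __name__ == "__main__":
    # Pipe real data in with: cargo metadata --format-version 1 | python3 vendors.py
    data = SAMPLE_METADATA if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(vendor_report(data)))
```

The report is deliberately coarse: it groups by the first path segment of the hosting URL, which is the organization on GitHub and GitLab, so a crate whose `repository` points at a personal fork shows up as a separate vendor, which is exactly the signal the comment is after.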


how you type is also part of the signal

Then track that data and upload when you can make the request.

Sony actually listened and made the cups foldable again though


Or: your buggy code is no longer buggy.


You claim listens right for this specified example. :D

It is just a demo.


Sounds just like a "helpless" dev that shifts blame to anyone but themselves.


Do you have a suggestion how else to handle the situation I described?


There’s a magic word that can be used in scenarios like this: “No.”

Failing that, interpret the requirements.

Nobody can watch a bunch of videos at once that don’t even show up until you scroll! That’s a nonsense requirement and the dev’s failure to push back or redirect in a more viable direction is a sign of their incompetence, not that of the non-technical manager that saw YouTube’s interface and assumes that that’s normal and doable.

It is! You’d have to know about lazy loading and CDNs, but neither is black magic.


> You’d have to know about lazy loading and CDNs, but neither is black magic.

I suppose you've never experienced the corporate hell that can happen with a CDN. The dev could submit a dozen ServiceNow tickets only to see half of them rejected by those same incompetent non-technical managers, or they could just make the thing work now and move on.

The next project will be better after the dust settles and those rejections have been reviewed and escalated into proper discussions. Nobody tells the story of that project because it does the things everyone expects. Guess who led those discussions and fought to get the meetings on the calendar? The "incompetent" devs of course!


It's not a sign of their incompetence, it's a sign of the realities of many corporate environments.

But hey, if you want to rail against incompetent developers who exist in a make-believe world where they hold all the power and are simply too lazy and incompetent to 'do the right thing', then go ahead!


> realities of many corporate environments

Stop making excuses and start taking ownership and responsibility of your craft.

I work in huge government departments, large financial orgs, and other "enterprise" places that are the poster child for the "realities of corporate environments".

Automatically saying "yes" to everything makes you a useless meat robot.

If you do everything that the customer asks, without push back, negotiation, or at least a deeper understanding, then you will produce broken garbage.

I see this all the time: "The customer asked for X, so I pressed the button!" is the cry of the incompetent junior tech that will never be promoted.

Nobody wants a uselessly slow website. Nobody wants to piss off their customers. Nobody wants angry rants about their online presence to make headline news.

What the customer wanted was multimedia content. That's fine. The technical specifics of how that is presented are up to the engineering team to decide. You're not advisors! You own the technical decision making, so act like it.

If you make the decision to shove nearly a gigabyte down the wire to show the landing page, then that's on you. The manager asking for "video clips" or whatever as the feature probably doesn't even know the difference between megabyte and gigabyte! They shouldn't have to in the same way that I shouldn't have to know about my state's electrical wiring standards if I get a sparky out to add a porch light. If my house burns down, that's the electrician's fault, not mine as the customer!

Similarly, if someone asks for lights inside their pool, an electrician that strings ordinary mains cabling through the water should be jailed for criminal negligence. Obviously, only special low-voltage lighting can be used in water, especially near people. Duh.

Act like an electrician, not like a bored shopkeeper who's memorised the line "the customer is always right" without realising that the full quote ends in "... in matters of taste."


> Similarly, if someone asks for lights inside their pool, an electrician that strings ordinary mains cabling through the water should be jailed for criminal negligence. Obviously, only special low-voltage lighting can be used in water, especially near people. Duh.

I reckon the US electrical code for swimming pools allows mains voltage as long as the conduit/cabling is certified for use in water (ie: watertight), properly grounded, and behind a GFCI.

And you can skip grounding/GFCI for anything below 24V.


There’s nothing “make believe” here, incompetent devs, and devs (regardless of competence) who don’t push back against silly requirements _absolutely_ exist.


I have tried push back but then the other guy that says "I can do it" gets the ticket handed to him.

Me: we can't do X because it has Y and Z implications for end users

Manager: It fits our brand and we have to do it.

Dev: I can do it and the implications are mitigated by (handwavy explanation)

Manager: sounds good. (To me) Maybe you can make a (useless) diagram for this feature that will be really handy for KT

--Days later--

Feature is delivered and the Y and Z were either not mitigated or there was an attempt-ish to mitigate them


Man, I probably say no to like 40% of the requests I get as a dev. Often we will come up with a better way of doing things by just spending 15-30 mins talking to the business about the actual problem they are having.

Some are just flat out refused as they are just too stupid and will cripple the system in some way.


with neovim as the pager for man, it does find ~?

though you have to be aware of the escapes for regex, so \~?


maybe the OP is trying but failing to drum up support for his unergonomic api proposal


you could also stick this in ssh config, generally makes terminals work with ancient systems...:

    SetEnv TERM=xterm-256color


Ancient systems like Debian 12?


Ghostty did not submit their terminfo to the database until the Dec 30th 2025 release of ncurses 6.6.

Any distro older than this does not include Ghostty by default.

Alacritty was added in the Feb 2020 release, as well as Kitty. Wezterm was added in the April 2024 release.


but think of all your battery life gains


not really, they paid import duty



Now I am curious, Understand that I am from the states, and consequently have zero intuition as to what a VAT is. But... the hard drive importer is directly using the HDDs and as such is not adding any value to the item, why are they paying a value added tax?

If I had to guess it is probably on the value that could have been added to the item.


It’s just the name for sales tax. Why is there a tax on sales, isn’t a sale a discount? Then is the sales tax negative because it’s the tax on the difference between the full price and the discounted price? You’d probably end up with a refund for buying the thing, unless your state has no sales tax.


Sales tax is actually very different because it is usually either cumulative and added to each part of the chain, or only the last one; whereas VAT is deducted in all but the last part of the chain.


Yea, the idea is that the VAT effectively taxes the added value in each step of the value chain because there's a limit to how much you can charge for an item or service. E.g. a 25 % VAT does not necessarily mean the goods become 25 % more expensive; most of those 25 % would have been profit for the reseller, intermediates and manufacturer if it were not for the VAT. Perhaps a little counter-intuitively, a high VAT keeps prices down and business efficient because every intermediate is indirectly taxed even though the VAT is only charged to the final consumer.

