this post was submitted on 04 Jul 2024
1 points (100.0% liked)

Rust

5980 readers
10 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

[email protected]

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago
MODERATORS
 

July 2, 2024

Sylvain Kerkour writes:

Rust adoption is stagnating not because it's missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.

... no company outside of AWS is making SDKs for Rust ... it has no official HTTP library.

As a result of Rust's lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.

  • cargo imports over 400 crates.

  • crates.io has over 500 transitive dependencies.

...the offical libsignal (from the Signal messaging app) uses 500 third-party packages.

... what is really inside these packages. It has been found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn't even match the content of their Git repository.

...how I would do it (there may be better ways):

A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. ... to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.

[stdx packages to include, among others]:

gzip, hex, http, json, net, rand

Read Rust has a HUGE supply chain security problem


Submitter's note:

I find the author's writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 3 months ago (1 children)

@FizzyOrange @ericjmorey The Regex crate is already part of the rust-lang organisation on GitHub. I don't know what you are asking for.

[–] [email protected] 0 points 3 months ago (1 children)

I am asking for some kind of official badge or something on crates.io. Currently it just looks like any other crate. Dart has a feature like this I believe.

And regex was just an example. There are other crates that should be officially sanctioned but aren't.

[–] [email protected] 0 points 3 months ago (1 children)

@[email protected] It's shown in the "owners".

Regarding the crates that should be "officially sanctionned", what would this mean besides a fancy badge?

[–] [email protected] 0 points 3 months ago (1 children)

It would mean a fancy badge, ideally being listed in the official docs, and probably some kind of promise about maintaining it.

It’s shown in the “owners”.

This is just way too subtle IMO.

[–] [email protected] 0 points 3 months ago (1 children)

@FizzyOrange the Rust project is not an organisation you have a contract with. The only guarantee of maintenance you get are that of the MIT and Apache licenses.

[–] [email protected] 0 points 3 months ago

I clearly didn't mean a legal contract. Come on.