this post was submitted on 05 Mar 2024
2 points (100.0% liked)
Linux Gaming
15684 readers
673 users here now
Discussions and news about gaming on the GNU/Linux family of operating systems (including the Steam Deck). Potentially a $HOME
away from home for disgruntled /r/linux_gaming denizens of the redditarian demesne.
This page can be subscribed to via RSS.
Original /r/linux_gaming pengwing by uoou.
Resources
WWW:
Discord:
IRC:
Matrix:
Telegram:
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
From a quick glance through the files, I see maybe a couple dozen direct dependencies. That's not what I would call conservative (especially for a privileged daemon) but the bulk of those hundreds seem to be sub-dependencies.
I've seen similar in the other Rust projects that caught my attention. I suppose this is a predictable result of Rust's Cargo culture: When pulling in other people's code is convenient, automated, and normalized, it tends to happen a lot, and the transitive nature of dependencies amplifies the effect.
So even a small project can easily include code from hundreds of random people other than the author, with practically no accountability, as we see here. And since it's a long tail of small and often obscure projects, rather than a handful of well-known ones like a standard library, there is little hope of meaningful auditing.
There also seems to be a culture of statically linking all those dependencies. That means security patches will never reach a user through OS updates, and with so many dependencies involved, chances are slim that every upstream vulnerability will be patched on the user's machine soon after it's discovered (if ever).
I would find Rust more appealing if it had a standard library (and maybe a few high-profile well-maintained external libs) comprehensive enough to cover most needs, and if the tooling and culture encouraged minimizing dependencies. I think the former might develop with time. I fear the latter might not ever appear.
That is...unfortunate.
I've been thinking about learning Rust after hearing about it's benefits, but was put off by its ugly type syntax that I hate from C++ and the whole "fighting with the borrow checker to do simple stuff" thing. But now it seems it also has the terrible bloated dependency culture I hate from JavaScript too!
IMO any security benefits from the increased memory safety are immediately nullified by the security nightmare that is hundreds of statically compiled dependencies...
I guess I'll keep waiting on the sidelines and see how the standard lib and dependency culture evolves.
You're not alone in finding the syntax awkward and ugly. :)
Rust's promise of lifetime management that can (with help from the programmer) be guaranteed correct is very appealing to me, but that feature alone is not enough to justify excessive code complexity or bad ergonomics.
Rust undermines itself in another way, too: A systems programming language that's difficult to use encourages switching off the safety features when they get in the way. That's frowned upon by the community, but the incentive is there, so it happens nevertheless. The result: overly complex software that's annoying to write/maintain and doesn't always deliver on the language's defining promise.
And then there's the fact that not all dangerous bugs are solved by memory safety. It's no panacea.
If you're interested in something that improves on C++, you might have a look at D. The basic syntax is similar, the advanced syntax is better, it offers memory safety tools less burdensome than Rust's, and has an optional garbage collector. I find the standard library a bit rough, but an improved next edition is in progress. The dependency management tool (Dub) supports not only libraries from a community repo, but also OS-provided libs, git repos, and plain old directories. After using it actively for a month or so, I feel the language itself is sane, and the maintainers seem to be making good decisions about polishing it up in future versions.