July 2, 2024

Sylvain Kerkour writes:

Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.

… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.

As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.

  • cargo imports over 400 crates.

  • crates.io has over 500 transitive dependencies.

…the offical libsignal (from the Signal messaging app) uses 500 third-party packages.

… what is really inside these packages. It has been found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.

…how I would do it (there may be better ways):

A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.

[stdx packages to include, among others]:

gzip, hex, http, json, net, rand

Read Rust has a HUGE supply chain security problem


Submitter’s note:

I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.

  • FizzyOrange@programming.dev
    link
    fedilink
    arrow-up
    1
    ·
    5 months ago

    I am asking for some kind of official badge or something on crates.io. Currently it just looks like any other crate. Dart has a feature like this I believe.

    And regex was just an example. There are other crates that should be officially sanctioned but aren’t.

    • Soso@pouet.chapril.org
      link
      fedilink
      arrow-up
      1
      ·
      5 months ago

      @FizzyOrange@programming.de It’s shown in the “owners”.

      Regarding the crates that should be “officially sanctionned”, what would this mean besides a fancy badge?

      • FizzyOrange@programming.dev
        link
        fedilink
        arrow-up
        1
        ·
        5 months ago

        It would mean a fancy badge, ideally being listed in the official docs, and probably some kind of promise about maintaining it.

        It’s shown in the “owners”.

        This is just way too subtle IMO.