Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
skydhash 2 hours ago

You’ll find more quality libraries in C because people don’t care about splitting them down to microscopic parcels. Even something like ‘just’ have tens of deps, including one to check that something is executable.

https://github.com/casey/just/blob/master/Cargo.toml

That’s just asking for trouble down the line.

bigfatkitten 2 hours ago | parent | next [-]

You also won’t typically find C/C++ developers blinding yolo’ing the latest version of a dependency from the Internet into their CI/CD pipeline.

They’ll stick with a stable version that has the features they need until they have a good reason to move. That version will be one they’ve decided to ship themselves, or it’ll be provided by someone like Debian or Red Hat.

pjmlp 25 minutes ago | parent [-]

Unless of course they are using vcpkg, conan or FetchContent.

Most corporations are already using the likes of Nexus or JFrog Artifactory, regardless of the programming language.

pheggs 2 hours ago | parent | prev [-]

yes, the average amount of dependencies used per dependency appears to be much larger in rust and thats what I meant and is worrying me. In theory C can be written in a memory safe manner, and in theory rust can be used without large junks of supply vulnerabilities. both of these are not the case in practice though

kibwen 16 minutes ago | parent | next [-]

> both of these are not the case in practice though

No, people routinely write Rust with no third-party dependencies, and yet people do not routinely write C code that is memory-safe. Your threat model needs re-evaluating. Also keep in mind that the most common dependencies (rand, serde, regex, etc) are literally provided by the Rust project itself, and are no more susceptible to supply chain attacks than the compiler.

dbdr 21 minutes ago | parent | prev [-]

One difference is that it's an incredibly hard problem to check whether your C code is memory safe since every single line of your code is a risk. On the other hand, it's easy to at least assess where your supply vulnerabilities lie (read Cargo.toml), and you can enforce your policy of choice (e.g. whitelist a few specific dependencies only, vendor them, etc).