wongarsu, 8 hours ago:

> In practice you will tend to have a few, but you won't be vendoring out critical things like HTTP, TCP, JSON, string sanitation, cryptography

Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways. Few languages have good models for evolving their standard library, so you end up with lots of bad designs sticking around forever. Libraries are much easier to evolve, giving them the advantage in terms of developer UX and performance.
paintbox, 6 hours ago:

What type of developer chooses UX and performance over security? So reckless. I removed the locks from all the doors, now entering/exiting is 87% faster!

After removing all the safety equipment, our vehicles have significantly improved in mileage, acceleration and top speed!
integralid, 5 hours ago:

> What type of developer chooses UX and performance over security? So reckless.

Initially I assumed this was sarcastic, but apparently not. UX and performance are what programmers are paid to do! Making sure UX is good is one of the most important things in a programmer's job. Security, meanwhile, is a moving target, a goal, something that can never be perfect, just "good enough" (if the NSA wants to hack you, they will). You make it sound like installing third-party packages is basically equivalent to a security hole, while in practice the risk is low, especially if you don't overdo it. Wild to read extreme security views like that, while at the same time there are people here that run unconstrained AI agents with --dangerous-skip-confirm flags and see nothing wrong with it.
zymhan, 19 minutes ago:

Installing 3rd party packages the way Node and Python devs do regularly _is_ a security hole.
fn-mote, 10 minutes ago:

We definitely agree on that. Fortunately some of the 600+ comments here include suggestions of what to do about it.
wongarsu, 5 hours ago:

Better developer UX can directly lead to better safety. "You are holding it wrong" is a frequent source of security bugs, and better UX reduces the ways you can hold it wrong, or at least makes you more likely to hold it the right way.
skydhash, 5 hours ago:

Friction is helpful. Putting seatbelts on takes more time than just driving, but it's way safer for the driver. Current dev practices increase speed, not safety.
duskdozer, 5 hours ago:

"Security" is often more about corporate CYA than improving my actual security as a user, and sometimes in opposition, and there is often blatant disregard for any UX concession at all. The most secure system is fully encrypted with all copies of the encryption key erased.
seunosewa, 3 hours ago:

requests should be in the Python standard library. Hard choices need to be made.
nicce, 5 hours ago:

> Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways.

The amount of time spent defining the same data structures over and over again vs. `pip install requests` with well-defined data structures.
ptx, 7 hours ago:

I'm pretty sure it's really one HTTP library: urllib.request is built on top of http.client. But the very Java-inspired API for the former is awful.
throwaway2037, an hour ago:

> Few languages have good models for evolving their standard library

Can you name some examples?