ruuda (4 hours ago):
https://github.com/doy/rbw is a Rust alternative to the Bitwarden CLI. Although the Rust ecosystem is moving in NPM's direction (very large and very deep dependency trees), you still need to trust far fewer authors in your dependency tree than what is common for JavaScript.

pregnenolone (3 hours ago), replying to ruuda:
Well... https://github.com/doy/rbw/blob/main/Cargo.toml#L16 You're still pulling a lot of dependencies. At least they're pinned though.

mayama (3 hours ago), replying to pregnenolone:
That's just direct dependencies. Including all the dependency tree is 785k LOC according to lib.rs. Most Rust libraries include tons of others. https://lib.rs/crates/rbw

embedding-shape (3 hours ago), replying to mayama:
326 packages right now when doing a build. Seems large in general, but for a Rust project, not abnormal. Takes what, maybe 15 seconds to compile on a high-core machine from scratch? Isn't the end of the world. Worse is the scope of having to review all those things; if you'd like to use it for your main passwords, that'd be my biggest worry. Luckily most are well established already, as far as I can tell.

elAhmo (21 minutes ago), replying to embedding-shape:
"326 seems large, but not abnormal" was the state of JS in the past as well. The chance of someone auditing all of them is virtually zero, and in practice no one audits anything, so you are still effectively blindly trusting that none of those 326 got compromised.
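Both points above, that Cargo.toml only lists direct dependencies while the build resolves a much larger tree, and that the tree is only as "pinned" as the lockfile says, can be checked mechanically from Cargo.lock rather than eyeballed. The program below is an added example, not code from rbw, vaultwarden or any of the commenters: it uses only the Rust standard library, reads a constructed lockfile with fictional crate names and placeholder checksums (not rbw's real Cargo.lock), walks the transitive tree from a root crate, and lists packages the lockfile cannot verify on the next build (registry entries without a checksum, git entries without a resolved commit). The lockfile subset it understands is the one cargo writes; it is not a general TOML parser.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` table. Cargo omits `source` for workspace crates and writes `checksum` only for registry packages.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String, pub source: Option<String>, pub checksum: Option<String>, pub dependencies: Vec<String>,
}

fn unquote(v: &str) -> String { v.trim().trim_matches('"').to_string() }
/// Reads the Cargo.lock subset used here: flat `key = "value"` lines and multi-line `dependencies = [...]` arrays.
/// It is not a general TOML parser.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let mut packages: Vec<LockedPackage> = Vec::new();
    let mut in_deps = false;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" {
            packages.push(LockedPackage { name: String::new(), source: None, checksum: None, dependencies: Vec::new() });
            in_deps = false;
            continue;
        }
        let Some(pkg) = packages.last_mut() else { continue }; // header lines such as `version = 3`
        if in_deps {
            let entry = unquote(line.trim_end_matches(',')); // "name" or "name 1.2.3" (two locked versions)
            if let Some(name) = entry.split_whitespace().next() {
                if name == "]" { in_deps = false } else { pkg.dependencies.push(name.to_string()) }
            }
        } else if let Some((key, value)) = line.split_once('=') {
            match (key.trim(), value.trim()) {
                ("name", v) => pkg.name = unquote(v),
                ("source", v) => pkg.source = Some(unquote(v)),
                ("checksum", v) => pkg.checksum = Some(unquote(v)),
                ("dependencies", "[") => in_deps = true,
                _ => {}
            }
        }
    }
    packages
}

/// Every package reachable from `root` over the lockfile's edges: the tree a build resolves, not the direct list.
pub fn transitive_deps(packages: &[LockedPackage], root: &str) -> BTreeSet<String> {
    let by_name: BTreeMap<&str, &LockedPackage> = packages.iter().map(|p| (p.name.as_str(), p)).collect();
    let mut seen = BTreeSet::new();
    let mut stack = vec![root.to_string()];
    while let Some(name) = stack.pop() {
        let Some(pkg) = by_name.get(name.as_str()) else { continue };
        for dep in &pkg.dependencies {
            if dep != root && seen.insert(dep.clone()) {
                stack.push(dep.clone());
            }
        }
    }
    seen
}

/// Packages the lockfile cannot verify: registry entries without a checksum, git entries without a commit after `#`.
pub fn unverifiable_packages(packages: &[LockedPackage]) -> Vec<String> {
    packages.iter().filter(|p| match p.source.as_deref() {
        None => false, // workspace crate, built from local source
        Some(src) if src.starts_with("git+") => {
            let rev = src.split_once('#').map_or("", |(_, rev)| rev);
            !(rev.len() == 40 && rev.chars().all(|c| c.is_ascii_hexdigit()))
        }
        Some(_) => p.checksum.is_none(), // registry+ and sparse+ sources carry a sha256
    }).map(|p| p.name.clone()).collect()
}

/// Constructed lockfile for illustration: fictional crates, a placeholder checksum, `ser-format` missing its checksum.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "vault-cli"
dependencies = [
 "http-stack",
 "ser-format",
]

[[package]]
name = "http-stack"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
dependencies = [
 "tls-bindings",
]

[[package]]
name = "ser-format"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tls-bindings"
source = "git+https://example.invalid/tls-bindings?branch=main#0123456789abcdef0123456789abcdef01234567"
"#;

fn main() {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    let direct = packages.iter().find(|p| p.name == "vault-cli").map_or(0, |p| p.dependencies.len());
    println!("vault-cli: {} direct, {:?} in the full tree", direct, transitive_deps(&packages, "vault-cli"));
    println!("unverifiable: {:?}", unverifiable_packages(&packages));
}
```

On the constructed input the root has 2 direct dependencies but 3 in the tree, and `ser-format` is reported because a registry package without a checksum is fetched without any integrity check on the next `cargo build`. To run it against a real project, read its Cargo.lock into `parse_cargo_lock`; `cargo tree` gives the same view with versions. One caveat when comparing with a "packages compiled" figure: Cargo.lock is resolved for all features and all targets, so its package count is an upper bound on what one particular build compiles.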

xvedejas (3 hours ago), replying to mayama:
Does this take into account feature flags when summing LOC? It's common practice in Rust to really only use a subset of a dependency, controlled by compile-time flags.

gsnedders (2 hours ago), replying to xvedejas:
Also just unit tests in the source files, which again aren't included in the binary, via compile-time flags!

traderj0e (2 hours ago), replying to mayama:
For a given tool, I'd expect the Rust version to have even more deps than the JS version, because code reuse is more important in a lower-level language. I get the argument that JS users are on average less competent than Rust users, but we're talking about authors who build serious tools/libs in the first place.

vablings (2 hours ago), replying to pregnenolone:
Wait, you're telling me that node deps are not pinned by default? Every time you run your code you might be pulling in a new version. No wonder...

ramon156 (4 hours ago), replying to ruuda:
This + vaultwarden is an awesome self-hostable Rust version of Bitwarden. We might as well close the loop!

infogulch (2 hours ago), replying to ruuda:
Oh nice, it works as an ssh-agent too. Definitely checking this one out.

guywithahat (43 minutes ago), replying to ruuda:
That's my concern too. Rust has the same dependency concerns, which is how hackers get into code. VaultWarden has the same Rust dependency concern. Ironically, we're entering an age where C/C++ seems to have everything figured out from a dependency injection standpoint.