← Back to context

Comment by orf

1 year ago

it's completely stupid to measure "number of dependencies" in absolute numbers.

Lots of packages have a `-macros` or `-derive` transient dependency, meaning a single dependency can end up coutning as 3 additional dependencies.

Rust makes it simple to split packages into workspaces - for example, regex[1] consists of `regex-automata` and `regex-syntax` packages.

This composition and separation of concerns is a sign of good design, and not an npm-esque hellhole.

1. https://crates.io/crates/regex/1.11.1/dependencies

11 comments

orf

Reply
rectang  1 year ago

I suppose you could say that the audit burden scales linearly with the number of module publishers, with a small additional amount on every release point to confirm that the publisher is still who they purport to be and hasn't been compromised.

This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.

  • 0x457  1 year ago

    Hard no. Burden scales with number of lines. Lines being split into smaller chunks (crates) only speed up the process in long run.

    • orf  1 year ago

      Hard yes, burden scales with number of authors and not number of lines.

      That’s… the whole rationale about not liking lots of small packages.

      5 replies →

rcxdude  1 year ago

Indeed. It's actually been quite handy on a few occasions to be able to just pull in a smaller crate as opposed to the whole project. (in constrast to, say, boost in C++, which is a big mess of a dependency even though it's one that goes to at least a little bit of effort to let you split it up, but through an ad-hoc process as opposed to a standard package management system).

(I would genuinely be interesting in an experiment which pushes this as far as possible: what if each function was a 'package'? There's already a decent understanding of how dependencies within a library work in the compiler, what if that extended to the package manager? You would know exactly what code you actually needed, and would only pull in exactly what was necessary)

arccy  1 year ago

that's kind of on rust for pushing crates front and center rather than groupings of crates that are developed / reviewed / released together as a single cohesive unit (typically a git repo).

e.g. go dependencies are counted on modules (roughly git repos), rather than packages (directories, compilation units). java is counted in packages rather than classes.

adamc  1 year ago

The vulnerability to supply chain attacks gives me pause. It's not unique to rust and it bothers me with npm or Python as well.