Comment by GuB-42

10 hours ago

You have "edit and continue" in Visual Studio (the real IDE, not VS Code).

And I mentioned it as a downside of C++ on Linux, and I would expect a language that has "the best" tooling to have that.

C++ tooling isn't that great, but it has one thing going for it: it is popular in the video game industry, and the video industry has some of the best tools.

And sure enough, if by tooling you mean "package management", I'd say everything is better than C++, and on the other side, it seems that cargo is pretty good. I don't know how they tackle the "left-pad" problem that plagues npm though. By that I mean supply-chain attacks.

It's not like npm is particularly bad at handling supply-chain attacks, it's just a very popular ecosystem and gets targeted more as a result. Idk how you truly solve this without code audits, and if anything the more popular/visible packages will be audited more.

Btw, left-pad fallout wasn't all that bad. It's not like the author put something malicious into the code. For less than a day, people couldn't download that dep from npm. If someone really needed to fix a build, they could copy in a backup. Pretty sure a typical C++ or Python project build gets broken on its own more often than that.

  • > Idk how you truly solve this without code audits

    Idk either, but code audits are definitely a solution. Take Debian packages for instance. Debian has package maintainers, and while they may not do full audits, they will at least test it before publishing. In addition, it doesn't get into the "stable" release before an extensive testing phase. Security patches are usually backported.

    Or do like with the Apple App Store, where you don't get to publish anything unreviewed.

    These are not perfect solutions; there is no such thing as a perfect solution. For instance, Debian is famously lagging behind in versions, and the App Store will sometimes reject your app for no good reason, while being expensive. In every case there is some barrier to entry, a slow process, and it costs time and money, but that mitigates some of the issues.

    Npm seems to have very few safeguards, has a culture of always taking the latest version, and as a result is often victim to supply-chain attacks. I don't think it is just popularity. Debian is really popular too, but AFAIK, it doesn't have this problem; in fact, one of the best-known supply-chain attacks is the xz library one, and Debian didn't fall to it.

Cargo tackles none of that, it has the exact same issue of pulling in hundreds of deps like npm has.