Comment by jen20

2 months ago

Zero-external-dependency Go apps are far more feasible than Rust or Node, simply because of the size and quality of the standard library.

Just the other day someone argued with me that it was reasonable for Limbo (the SQLite Rust rewrite) to have 3135 dependencies (of those, 1313 Rust dependencies).

https://github.com/tursodatabase/turso/network/dependencies

  • Even more wild considering that SQLite prides itself on having zero dependencies. Sounds like a doomed project.

  • Yeah. You have dev dependencies in there; those alone will increase the number of dependencies by ~500, without ending up in the final product.

    Those numbers are way off their actual number.

    • Right. Allowing 500 strangers to push code to our CI infra, or developer laptops, with approximately zero review, sounds similarly ill-advised.

      That JLR got their factories hacked, rather than customer cars, is less bad for sure. But it's still pretty bad.

      Also, before arguing that code generators should get a pass as they don't “end up in the final product”, you really should read “Reflections on trusting trust” by Ken Thompson.
