Comment by randomint64

4 days ago

Indeed, Rust's supply chains story is an absolute horror, and there are countless articles explaining what should be done instead (e.g. https://kerkour.com/rust-stdx)

TL;DR: ditch crates.io and copy Go with decentralized packages based directly on and an extended standard library.

Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

On the other hand, C / C++ style dependency management is even worse than Rust's... Both in terms of development velocity and dependencies that never get updated.

3 comments

randomint64

Reply
Ygg2  4 days ago

> countless articles explaining what should be done instead (e.g. https://news.ycombinator.com/item?id=41727085#41727410

> Centralized package managers only add a layer of obfuscation that attackers can use to their advantage.

They add a layer of convenience. C/C++ are missing that convenience because they aren't as composable and have a long tail of pre-package manager projects.

Java didn't start with packages, but today we have packages. Same with JS, etc.

  • eichin  4 days ago

    Or from another angle, dpkg/apt is the package manager for C/C++ ...

    • Ygg2  3 days ago

      Yeah, but it's not immune to supply chain attacks. Counting on maintainers of dpkg is not that different from counting on maintainers of random crate package.