Comment by wongarsu

24 days ago

> In practice you will tend to have a few, but you won't be vendoring out critical things like HTTP, TCP, JSON, string sanitation, cryptography

Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways.

Few languages have good models for evolving their standard library, so you end up with lots of bad designs sticking around forever. Libraries are much easier to evolve, giving them the advantage in terms of developer UX and performance.

15 comments

wongarsu

Reply
paintbox  24 days ago

What type of developer chooses UX and performance over security? So reckless.

I removed the locks from all the doors, now entering/exiting is 87% faster! After removing all the safety equipment, our vehicles have significantly improved in mileage, acceleration and top speed!

  • integralid  24 days ago

    >What type of developer chooses UX and performance over security? So reckless.

    Initially I assumed this is sarcastic, but apparently not. UX and performance is what programmers are paid to do! Making sure UX is good is one of the most important things in programmer job.

    While security is a moving target, a goal, something that can never be perfect, just "good enough" (if NSA wants to hack you, they will). You make it sound like installing third party packages is basically equivalent to a security hole, while in practice the risk is low, especially if you don't overdo it.

    Wild to read extreme security views like that, while at the same time there are people here that run unconstrained AI agents with --dangerous-skip-confirm flags and see nothing wrong with it.

    • toss1  24 days ago

      Even more wild to read that sarcasm about "removing locks from doors for 87% speedup" is considered extreme...

      And yes, we agree that running unconstrained AI agents with --dangerous-skip-confirm flags and seeing nothing wrong with it is insane. Kind of like just advertising for burglars to come open your doors for you before you get home - yeah, it's lots faster to get in (and to move about the house with all your stuff gone).

  • wongarsu  24 days ago

    Better developer UX can directly lead to better safety. "You are holding it wrong" is a frequent source of security bugs, and better UX reduces the ways you can hold it wrong, or at least makes you more likely to hold it the right way

    • lelanthran  24 days ago

      > Better developer UX can directly lead to better safety.

      Depends. If you had to add to a Makefile for your dependencies, you sure as hell aren't going to add 5k dependencies manually just to get a function that does $FOO; you'd write it yourself.

      Now, with AI in the mix, there's fewer and fewer reasons to use so many dependencies.

    • skydhash  24 days ago

      Friction is helpful. Putting seatbelts on takes more time than just driving, but it’s way safer for the driver. Current dev practices increase speed, not safety.

  • duskdozer  24 days ago

    "Security" is often more about corporate CYA than improving my actual security as a user, and sometimes in opposition, and there is often blatant disregard for any UX concession at all. The most secure system is fully encrypted with all copies of the encryption key erased.

ptx  24 days ago

I'm pretty sure it's really one HTTP library: urllib.request is built on top of http.client. But the very Java-inspired API for the former is awful.

nicce  24 days ago

> Unless you are Python, where the standard library includes multiple HTTP libraries and everyone installs the requests package anyways.

The amount of time defining same data structures over and over again vs `pip install requests` with well defined data structures.

throwaway2037  24 days ago 

    >  Few languages have good models for evolving their standard library

Can you name some examples?

  • KajMagnus  24 days ago

    Scala could be one example? When I upgraded to a newer version of the standard library (the Scala 2.13 or Scala 3 collections library), there was a tool, Scalafix [1], that could update my source code to work with the new library. Don't think it was perfect (don't remember), but helpful.

    [1] https://scalacenter.github.io/scalafix/

  • msdz  24 days ago

    Personally I've heard Odin [1] to do a decent job with this, at least from what I've superficially learned about its stdlib and included modules as an "outsider" (not a regular user). It appears to have things like support for e.g. image file formats built-in, and new things are somewhat liberally getting added to core if they prove practically useful, since there isn't a package manager in the traditional sense. Here's a blog post by the language author literally named "Package Managers are Evil" [2]

    (Please do correct me if this is wrong, again, I don't have the experience myself.)

    [1] https://pkg.odin-lang.org/

    [2] https://www.gingerbill.org/article/2025/09/08/package-manage...