Comment by dralley

3 days ago

Rust is nowhere close to Node in terms of package number bloat. Most Rust libraries are actually useful and nontrivial and the supply chain risk is not necessarily as high for the simple reason that many crates are split up into sub-crates.

For example, instead of having one library like "hashlib" that handles all different kinds of hashing algorithms, the most "official" Rust libraries are broken up into one for sha1, one for sha2, one for sha3, one for md5, one for the generic interfaces shared by all of them, etc... but all maintained by the same organization: https://github.com/rustcrypto/

Most crypto libraries do the same. Ripgrep split off aho-corastick and memchr, the regex crate has a separate pcre library, etc.

Maybe that bumps the numbers up if you need more than one algorithm, but predominantly it is still anti-bloat and has a purpose...

5 comments

dralley

Reply
rustystump  3 days ago

While i agree the exact line “rust libraries are useful and non-trivial” i have heard from all over the place as if the value of a library is how complex it is. The rust community has an elitist bent to it or a minority is very vocal.

Supply chain attacks are real for all package registries. The js ones had more todo with registry accounts getting hacked than the compromised libraries being bad or useless.

egorfine  3 days ago

I am sensing a "is-odd" and "is-even" vibes from that approach.

  • jasomill  2 days ago

    Not at all.

    Most programs only use one or a few hash functions, so grouping each family into a separate crate reduces compliation time for the majority of users. Could also help when auditing the removal of vulnerable hash functions.

    As for ripgrep, the organization is quite sensible:

    1. one crate to define an interface for regex matchers

    2. one crate to implement the native matcher

    3. one crate to implement the PCRE2 matcher

    4. one crate to define a safe interface to the underlying PCRE2 library

    Depending on the application, any one of 1+2+3+4, 1+2, 1+3+4, or 4 alone could be useful.

    • egorfine  2 days ago

      Yes I perfectly understand the reasoning and technically it is sound.

      It becomes insane once you start thinking of real life implications, specifically supply chain attacks.

      Although it's only marginally more insane than the other ecosystems.

      1 reply →