← Back to context

Comment by mayama

1 day ago

That's just direct dependencies. Including all the dependency tree is 785k LOC according to lib.rs. Most rust libraries include tons of others.

https://lib.rs/crates/rbw

22 comments

mayama

Reply
embedding-shape  21 hours ago

326 packages right now when doing a build. Seems large in general, but for a Rust project, not abnormal.

Takes what, maybe 15 seconds to compile on a high-core machine from scratch? Isn't the end of the world.

Worse is the scope to have to review all those things, if you'd like to use it for your main passwords, that'd be my biggest worry. Luckily most are well established already as far as I can tell.

  • dijit  6 hours ago

    Why are you talking about compile times in a thread about supply chain security.

    326 packages is approximately 326 more packages than I will ever fully audit to a point where my employer would be comfortable with me making that decision (I do it because many eyes make bugs shallow).

    It's also approximately 300 more than the community will audit, because it will only be "the big ones" that get audited, like serde and tokio.

    I don't see people rushing to audit `zmij` (v1.0.19), despite it having just as much potential to backdoor my systems as tokio does.

  • elAhmo  19 hours ago

    "326 seems large, but not abnormal" was the state of JS in the past as well.

    Chance of someone auditing all of them is virtually zero, and in practice no one audits anything, so you are still effectively blindly trusting that none of those 326 got compromised.

    • seanw444  18 hours ago

      It is baffling to me that a language that is as focused on safety/security as Rust decided to take the JavaScript approach to their ecosystem. I find it rather contradictory.

      13 replies →

  • Ferret7446  4 hours ago

    > 326 packages right now when doing a build. Seems large in general, but for a Rust project, not abnormal.

    That's a damning indictment of Rust. Something as big as Chrome has IIRC a few thousand dependencies. If a simple password manager CLI has hundreds, something has gone wrong. I'd expect only a few dozen

xvedejas  21 hours ago

Does this take into account feature flags when summing LOC? It's common practice in Rust to really only use a subset of a dependency, controlled by compile-time flags.

  • saghm  15 hours ago

    My experience has been that while there's significant granularity in terms of features, in practice very few people actively go out of their way to prune the default set because the ergonomics are kind of terrible, and whether or not the default feature set is practically empty or pulls in tons of stuff varies considerably. I felt strongly enough about this that I wrote up my only blog post on this a bit over a year ago, and I think most of it still applies: https://saghm.com/cargo-features-rust-compile-times/

  • gsnedders  20 hours ago

    Also just unit tests in the source files, which again aren’t included in the binary via compile-time flags!

traderj0e  21 hours ago

For a given tool, I'd expect the Rust version to have even more deps than the JS version because code reuse is more important in a lower-level language. I get the argument that JS users are on average less competent than Rust users, but we're talking about authors who build serious tools/libs in the first place.