July 2, 2024
Sylvain Kerkour writes:
Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.
… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.
As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.
cargo imports over 400 crates.
crates.io has over 500 transitive dependencies.
…the offical libsignal (from the Signal messaging app) uses 500 third-party packages.
… what is really inside these packages. It has been found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.
…how I would do it (there may be better ways):
A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.
[stdx packages to include, among others]:
gzip, hex, http, json, net, rand
Read Rust has a HUGE supply chain security problem
Submitter’s note:
I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.
I am asking for some kind of official badge or something on crates.io. Currently it just looks like any other crate. Dart has a feature like this I believe.
And
regex
was just an example. There are other crates that should be officially sanctioned but aren’t.@[email protected] It’s shown in the “owners”.
Regarding the crates that should be “officially sanctionned”, what would this mean besides a fancy badge?
It would mean a fancy badge, ideally being listed in the official docs, and probably some kind of promise about maintaining it.
This is just way too subtle IMO.
@FizzyOrange the Rust project is not an organisation you have a contract with. The only guarantee of maintenance you get are that of the MIT and Apache licenses.
@FizzyOrange And a lot of crates you would want to see “blessed”, are already in the Rust cookbook: https://rust-lang-nursery.github.io/rust-cookbook/
I clearly didn’t mean a legal contract. Come on.