Hacker News
Why stdx is not on crates.io
maeln
|next
[-]
And in general, people pointing at Rust "limited" stdlib (it's only limited compared to Python) as one of the big issue and risk with rust are, in my opinion, misguided. You will never make an stdlib big enough to remove the need for external dependencies. It also creates a bunch of other problems. Actually, to take Python as an example, some functionality being in the stdlib have created a bunch of issue over the years since you can't just introduce breaking changes in an stdlib as easily. Look at urllib2/3 or xml in python. In the end, almost everyone ends up using requests and lxml instead. There are many issues that need to be dealt with to mitigate supply chain attacks. A bigger stdlib or an "stdlib-extended" a la Boost, is not one of them.
Also, specifically for Rust, many people run in a no-std environment (anything sized constraint for the most part). So another stdlib would do nothing for them.
traceroute66
|root
|parent
|next
[-]
Erm ....
Its limited compared to Go as well.
And that's a BIG deal because Go gives you single binaries with a stdlib that allows you to hit the ground running in a serious manner.
For example, making API calls which is the sort of thing many here do for their bread and butter. Everything you need to do can be don in Go stdlib without opening yourself up to supply chain vulnerabilities or having to choose which crate or having to keep track of crates versioning. The same could be said of crypto or hundreds of other things present in the Go stdlib.
ameliaquining
|root
|parent
|next
[-]
Also, even network services benefit from things like OpenAPI for type safety, and you don't get that from the Go stdlib.
traceroute66
|root
|parent
|next
[-]
Sure, but the point is for the majority of people writing stuff in Go, they can get 99% of the way there with the Go stdlib.
Then, if they need to import one or two things to help them, such as the AWS Go SDK or whatever, that's perfectly fine.
It still means you end up with a go.mod file that has literally only two or three third-party imports in it.
Meanwhile if you wanted to write the equivalent tool in Rust, if you don't care you'll quickly end up with a Cargo.toml measured in hundreds of lines.
And if you are willing to put in the hours to hand-cherry-pick and make your Rust imports "reasonably necessary", then you'll still have a whole bunch more third-party imports than the Go equivalent.
sfdsfef3f3f
|root
|parent
|previous
[-]
kibwen
|root
|parent
|previous
[-]
It depends on perspective. Go is tailored for writing backends, so it's great that it provides things like net/http (we could also interpret cause and effect inversely here; Go provides net/http so it gets used for writing backends). Rust's standard library is actually pretty damn huge, but it doesn't index heavily into specific applications, and instead tries to provide comprehensive support for low-level operations that enable you to build a custom-tailored solution to whatever you need on top of it. Rust's stdlib is "small" if all you want to do is build a webserver and don't want to go shopping around for libraries, but anyone who's intimately familiar with Rust's stdlib can tell you for a fact that it's absolutely not small in absolute terms. Rust literally stabilizes hundreds of new stdlib functions per year.
traceroute66
|root
|parent
[-]
So in other words Rust forces you to either (a) re-invent the wheel (yet again !) or (b) import yet-another-crate into your project.
Of course if you choose (b), then its having first wasted your time deciding which of hundreds of yet-another-crate-doing-the-same-thing you want to import.
Its a waste of time and effort for the majority of projects where you are not working with embedded systems or trying to squeeze every micro-second of performance out of your system.
Sadly the majority of Rust projects show exactly zero import discipline, both from a pure import perspective and a security perspective. Which is why many Rust projects end up importing a gazillion crates.
Import discipline in Rust is hard work. Sure you can reach "reasonably necessary" level of imports the majority of Rust projects simply don't bother because its such a pain in the backside.
Don't get me wrong, Rust has its place in this world. But for many people on many projects they would be better off using Go and only using Rust where there is actually a serious use-case for it in their environment.
greyw
|root
|parent
|next
|previous
[-]
striking
|root
|parent
[-]
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
If the original repo were to disappear, it would be important to know who wrote the code and what the license actually is.
bigstrat2003
|root
|parent
|previous
[-]
And yet, I've been in situations where the only thing I had was urllib2, and I was very grateful it existed. It's awesome that the Python stdlib has everything it does, even if most of the time a pypi package is going to be superior.
cetra3
|next
|previous
[-]
It feels like this is worse than a package manager? As in why would I trust a random git repo to keep things up to date over the officially published channel?
sheept
|root
|parent
|next
[-]
base64 = { git = "https://github.com/rust-stdx/stdx", rev = "<sha1 of malicious commit in fork>" }
testdelacc1
|root
|parent
|previous
[-]
The other reason I don’t trust them is because this repo is 100% AI slop, even for crypto code. He posted it on /r/rust where every comment was highly negative - https://www.reddit.com/r/rust/s/4I4Xc7x7ec. The thread was removed by a moderator with the note:
Please, stop posting articles from kerkour.com.
The blog has been on a downward spiral for years, it's doomed, let it go.
graypegg
|root
|parent
|next
|previous
[-]
So as I understand it, they're not suggesting that we pile many packages into 1 git repo as a sort of pseudo-crates.io, they're just promoting the fact that you can install a package directly from a git URL, rather than using a crate name on a registry.
What seems weird about that model to me is that dependancies will not sync between these individual packages. If package A chooses the canonical git URL for package C, and package B uses a self-hosted version of package C instead, you have two versions of package C.
deeebug
|root
|parent
|next
|previous
[-]
tialaramex
|root
|parent
|next
[-]
oefrha
|root
|parent
[-]
> crypto: spec and test-driven development to the rescue
> Cryptographic code is famously hard, with many, many footguns haunting unsuspecting developers (and even experts!).
> But, cryptography also has something that you likely won't find in any other domain: an extensive public collection of test vectors, particularly for edge cases. Every algorithm specification come with a basic suite of test vectors, but there are also community-built wonders such as Wycheproof.
> These test vectors, combined with the official specification documents of the crypto algorithms were rather effective to guide the coding agents and avoid the worst hallucinations.
> Cost: ~ $30
> Time: multiple days of part-time work.
> I'm under no illusion that the crypto crate is currently bug-free, but if my experience told me anything, it's that even experienced programmers are shipping bugs in crypto libraries. So, for similar outcomes, but using 1/100 of the time and at maybe 1/1000 of the cost, I think it's a clear demonstratin of AI's effectiveness.
Yeah, terrifyingly clueless, don't use.
FiloSottile
|root
|parent
|previous
[-]
(I’m more worried about judgement calls than implementation correctness, it’s not about AI.)
tptacek
|root
|parent
|next
|previous
[-]
The big question about this project isn't its distribution, it's the core question it posed when it was first announced: are Rust developers going to seriously entertain an alternative "standard library" curated by one developer.
foresterre
|next
|previous
[-]
It's quite an, ahem, interesting mix of libraries, including three csv libraries, hyper_utils (but not hyper itself), and a ton of copied crates from other maintainers.
I hope the author has a good way of updating these with upstream fixes (some look out-of-date already), otherwise you may replace one security issue with another.
And the name stdx has been taken on crates.io, more than 11 years ago which can also be equally confusing.
NoboruWataya
|next
|previous
[-]
There are other examples of crates registered on crates.io with prominent names that are just stubs with one commit from years ago. I'm sure this problem also exists for other languages but it feels worse with Rust, I suspect because of how easy it is to register a crate on crates.io combined with the "rewrite X in Rust" craze.
thesuperbigfrog
|next
|previous
[-]
But it seems to be a placeholder crate of sorts and is not Kerkour's stdx.
It does re-export several other crates, but has not been maintained or updated in a long time.
rdtsc
|next
|previous
[-]
Oh is that true? They tied themselves to Microsoft it seems. What about people who won't or can't use GitHub.
simonask
|root
|parent
|next
[-]
Keep in mind that all of rustc and libs development takes place on Github.
progval
|root
|parent
[-]
weinzierl
|root
|parent
|previous
[-]
What in my opinion is unacceptable is that it requires you to give permission to "read your organization and team membership and private Projects".
I made a separate GitHub account (weinzierl-trusted-publisher) for crates.io which is far from ideal, because it works completely against the idea to build trust for a single unified identity online, but ¯\(ツ)/¯.
simonreiff
|next
|previous
[-]
1. Supply-chain problems affect the Rust ecosystem arguably even worse than npm. 2. `stdx` extends Rust by adding some other stuff in Go that's good for supply-chain security? 3. crates.io does stuff differently than stdx so that's why it's distributed exclusively via git.
But none of the README or article linked by the author or the other article linked in the README explain anything about what the good things from Go are that are actually added, or what the pain point precisely is compared to using crates.io. I think the first proposition is possibly correct, mainly because I know next to nothing about Rust but am all too familiar with supply-chain complaints (as are most of us by now) whether as to npm or Python ecosystems, and there is no principled reason why Rust should be more secure unless the fundamental assumption of trusting external packages to auto-update safely is somehow different in Rust. I assume without loss of generality that perhaps the author is right that Rust's package management ecosystem is no more secure as a supply-chain than Node.js's ecosystem. The second property also might be true too that Go offers some concrete solutions to the problem, though I have no idea if that's correct and wouldn't necessarily assume that to be true.
Still, even assuming all claims to be true, I do not see is any connection between those claims and actual implementation of code, aside from talk about how stdx is AI-friendly and was generated using AI. I just don't get what this does that is any different. You're still trusting a Git repository to be valid. In fact it almost sounds at one point like the author is suggesting that the whole exercise of providing proof of provenance and demonstrating that a particular version was properly published by its author is too tedious and annoying and should therefore be skipped by utilizing a simpler stdx approach to Rust (but I still don't know what that is or why I should trust it!). Is it just me? This makes no sense.
krzyk
|next
|previous
[-]
But I always thought NPM was what the author describes - just a random set of packages with git sources, which I thought was the main issue (leftpad etc.). Isn't that the case?
What about one system that just works and is there for "ages": maven repository?
zdragnar
|root
|parent
[-]
Then, when someone throws a fit, they upload a broken version to NPM, and everyone downstream is SOL (or the package is given over to a malicious maintainer, or the maintainer is hacked, etc).
Heck, NPM doesn't (didn't?) require a license either. One of my former employers never let us use Webpack 1.x because it depended on something that depended on something that depended on a package from the very early days of NPM that didn't come with a license (it was by isaacs iirc, so it was meant to be public, but the version specified wasn't licensed). It wasn't until webpack 2.x that the versions were updated enough that all of the dependencies were formally open source.
weinzierl
|next
|previous
[-]
Also Debian tries to build and distribute independently from crates.io.
So crates.io is important but is not the (Rust) world.
sourcegrift
|next
|previous
[-]
I appreciate prople's efforts but they are misplaced. If I were passionate about this-- i'd do two things
1) A crates.io alternative which allows namespaces in package names like GitHub or alternatively. Single universal namespace doesn't seem fine (I don't think there would be necessarily changes required on the cargo side if users are willing to use full urls)
2) some kind of trust system so a user can up/down vote a package
3) Take a small one time payment for verifying a package? I don't know how this would work.
jcgrillo
|previous
[-]
1. What problem does stdx actually solve?
2. Ok, it's a git dep, seems fine? Why is the choice to publish or not publish in crates.io a big deal either way?