this post was submitted on 26 Dec 2024
43 points (85.2% liked)

Linux

48721 readers
1247 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
AgreeableLandscape@lemmy.ml
nooter692@lemmy.ml
MarcellusDrum@lemmy.ml
cypherpunks@lemmy.ml
cyclohexane@lemmy.ml
d3Xt3r@lemmy.nz
43
Lets Be Real About Dependencies | Comparing dependencies of C/C++ to Go/Rust (wiki.alopex.li)
submitted 22 hours ago by that_leaflet@lemmy.world to c/linux@lemmy.ml
13 comments fedilink hide all child comments
top 13 comments
sorted by: hot top controversial new old
[–] qaz@lemmy.world 28 points 21 hours ago* (last edited 21 hours ago) (2 children)

TLDR: Rust, Go and other modern languages don't use more dependencies than C/C++, but have larger binaries due to including libraries into the executable binary. This trade-off was chosen to ensure you can reliably run the executable on various systems without dependency issues.

I personally have gone with both options on several occasions. Being able to include an HTTP client without having to debug someone's cURL installation is certainly worth a few extra MiB's of disk space. However, I've also used C instead of Rust to avoid a very simple CLI program turning into several MiB's large binary (due to statically including the Rust std lib).

[–] drspod@lemmy.ml 11 points 21 hours ago (1 children)

The article seems like a rebuttal to a strawman argument to me.

You'd have to be pretty oblivious (or a non-software engineer) to express the premise of this article as an opinion.

The only interesting part to me was asking specifically what types of functionality are being delegated to libraries instead of (re-)implemented in the program itself. The author should ask this same question of some Rust and Javascript programs of similar size, so we can see if left-pad in Javascript is just a meme or if programmers armed with convenient package managers are delegating trivial one-liners to external libraries.

[–] Ephera@lemmy.ml 4 points 19 hours ago (1 children)

Speaking as a Rust programmer, I feel like the biggest hurdle to using libraries in place of one-liners, is finding out about those libraries. At some point, you're going to search "How to pad string in Rust/JS?". And then StackOverflow, or an LLM mindlessly parroting it, will tell you to use leftpad, or well, in the case of Rust, this functionality is actually in the std lib.

So, I'd say, it actually depends a lot on the culture of a given programming language, whether the use of a library will be the top response or a short code snippet.
And I do feel like JS is in somewhat of a special spot in this regard, having been designed by committee, so there's some really silly omissions from the std lib. And it's also often used by hobbyists, who just dish out a project and then move on, never having to deal with the dependency hell that follows...

[–] Serinus@lemmy.world 4 points 19 hours ago* (last edited 18 hours ago) (1 children)

Also, do we just trust all these random libraries? Not just about malicious code, but also what kind of quality/usability are you including?

Big companies do not want to trust open package repositories. They attempt to take countermeasures (but how much can you do?)

The huge benefit of the standard library is that I can always trust it, and it will always be the idiomatic way to do things.

[–] Ephera@lemmy.ml 2 points 18 hours ago

Also, do we just trust all these random libraries? Not just about malicious code, but also what kind of quality/usability are you including?

I mean, no, I don't trust them. At best, I largely trust the libraries that I've included directly, and somewhat trust them to themselves pick libraries which don't look too fishy. But I do not know what most libraries in my project actually even do, so it would be ridiculous to claim that I trust them.

In terms of quality/usability, well, Rust has the advantage that the compiler is very strict and checks a lot of things. If it compiles, it's already half-decent.
You also get easy access to a linter and unit testing. Documentation tooling is built-in. If you put in the tiniest amount of effort, it's really not hard to create something usable.

Rust, like JS, also locks the dependencies. So, it picks out a set of versions that works together and then it documents those versions (as well as checksums of the libraries) in a file, which you put into the repo. And then it uses those documented versions until I run cargo update to grab new versions. So, if a library author pushes a malicious version, I won't be affected unless I do run cargo update at the wrong time. This gives the ecosystem at least some time to react or to find malicious code, if it's been included in an inactive state. Certainly no silver-bullet, but it makes it less attractive for malicious devs to try to include malware in a library.

The huge benefit of the standard library is that I can always trust it, and it will always be the idiomatic way to do things.

Well, counter-example: Python.
Python chose to have a pretty big std lib, which kind of makes sense, because you want scripts to be able to run without having to install dependencies first.
But as a result, Python's std lib also has relatively poor quality, with sometimes just bugs or unexpected behavior in there. And if you look online how to do XYZ, chances are half the people will tell you to use the std lib and the other half will tell you that the std lib is awful, you should use xyzlib instead.
In general, in many languages, parts of the std lib get implemented before anything else, when the language typically hasn't found its style yet. In Python, you can see that, for example, with some stdlib functions not using snake_case. So, I kind of get what you mean with "idiomatic", in that it's normal to use the std lib, but the way how you invoke that std lib function may not be idiomatic at all...

[–] that_leaflet@lemmy.world 7 points 21 hours ago

Yup. Or at the very least, a distro package's listed dependencies don't show you the true dependencies a program needs to function. There are a lot of dependencies that are needed but not listed because they are installed through transitively by other packages.

Rust shows you the true scale because it's statically linked. That being said, Rust really may use more dependencies, but directly comparing the number of dependencies can be misleading without considering the scope and focus of each dependency.

[–] davel@lemmy.ml 10 points 19 hours ago (1 children)

This is not a Linux topic. Please post something like this to a programming community next time.

[–] tate@lemmy.sdf.org 5 points 17 hours ago (1 children)

I believe there is an ongoing feud among Linux kernel maintainers regarding moving to Rust. I don't know much about it myself, but perhaps that is why OP thought this belonged here.

[–] drspod@lemmy.ml 3 points 13 hours ago

This is irrelevant to Linux kernel development.

[–] mactan@lemmy.ml 6 points 21 hours ago (2 children)

my first impression of dependency management was the abomination that is nuget. I'll never forget how bad it can be. every language that has a first class dependency manager like cargo is a win.

[–] F04118F@feddit.nl 9 points 20 hours ago (1 children)

After years of fighting pip and conda, I got a job where "we work with Python but also still have some .NET Framework apps".

NuGet seemed just as bad.

People shit on JavaScript (for very good reasons) but npm is amazing compared to all these. You can have one dependency needing PackageX v1 and another dependency needing PackageX v3 and your project will just work!

A modern statically-linked language with a first-class package manager, like Rust or Go is ideal. No fighting the dependency manager, no issue with deploying on different systems, just "run this binary".

[–] custard_swollower@lemmy.world 1 points 1 hour ago

…and then you learn that packageX v1 is not maintained anymore and relies through a deep set of dependencies on a seriously vulnerable package (in a version which is also not maintained anymore).

Sorry, I had a pretty eventful December :)

[–] qaz@lemmy.world 7 points 21 hours ago* (last edited 21 hours ago)

I personally didn't dislike NuGet that much, but that's coming from someone who has been working with CMake for the last couple of months 😄