this post was submitted on 21 Oct 2024
199 points (99.0% liked)
Programming
17443 readers
341 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
The inherent problem with this kind of solution is that if you don't break backwards compatibility, you don't get rid off all the insecure code.
And if you do break backwards compatibility, there's not much reason to stick to C++ rather than going for Rust with its established ecosystem...
wake me up when Rust fixes its' supply chain attacks susceptibility (solid stdlib and rejecting external crates, including transitive deps
Probably not going to happen. I will say that it's less bad than you might think, because there is more-or-less an unofficial extended stdlib, i.e. high-quality, widely used libraries which are maintained by people in the Rust team.
But yeah, I'm involved in a somewhat larger project and we've cracked 1000 transitive dependencies a few weeks ago, and I can tell you for free that I don't personally know the maintainers of all of those.
If this was more of a security-critical project, there's probably a dozen or so direct dependencies that we would have implemented ourselves instead.