upvote

points

by OtomotO22 hours ago |
comments
upvoteby desmaraisp18 hours ago|
next
[-]
That's an interesting viewpoint, but one I've noticed is less prevalent in other languages.

The c# guys at microsoft created an enormous stdlib, and the overwhelming majority of it is pretty good. The outliers being of course older stuff they've never really had time to upgrade. And they don't seem to be afraid to deprecate stuff, every major version brings a couple of minor breaking changes. But it all seems to work out just fine somehow

reply
upvoteby CharlieDigital32 minutes ago|
parent|
next
[-]
C# massive standard library and first party libraries means much, much fewer external dependencies and these libraries are managed by a team of paid, professional engineers.

Highly, highly underrated.

reply
upvoteby bborud9 hours ago|
prev|
next
[-]
I’d argue that this is wrong. Having a conservative standard library that aims to contain most things most people need is preferable to third party libraries in 90%. For the 10% that isn’t covered to your liking by the standard library you can turn to third parties. You get both a practical standard library and third party options.

I did a lot of cryptography over the past couple of years. Go has that in the standard library. For the last decade and a half cryptography is something that every developer has to deal with at some point, and it NOT being the awful pain that it is in just about any other language, is a good thing. Sure, it does not contain every algorithm and mechanism in the world, but it contains everything you need for 90% of cases. That means that most of the time you don’t have to do the extra work of ensuring you have an out if the library you depend on should go away/bad, bugs will be fixed, people speak a common language and you don’t have to do twice the work in terms of risk assessment.

People keep forgetting that you have to evaluate these things in the real world. In practical real-world situations. The real world is not about what works in theory but what actually provides value for actual people working on actual projects.

reply
upvoteby amusingimpala7518 hours ago|
prev|
next
[-]
I’m not arguing on quality of the library, I’m arguing on not getting pwned by the sheer number of transitive dependencies
reply
upvoteby surajrmal4 hours ago|
parent|
next
[-]
The problem is that trust shouldn't be so binary. We should have ways to increase trust without needing to resort to the standard library. There was an effort to do this at some point in rust but the idea was sadly not well received. Maybe it'll end up reviving itself with modern supply chain concerns.

The idea is that there could form some groups of well maintained crates that only depend on each other and have a similar amount of oversight. This actually naturally happens in c++ because grabbing dependencies is so painful, but it makes dependencies more trustworthy. For instance boost, absl, folly, etc.

reply
upvoteby cogman102 hours ago|
parent|
[-]
I've harped on this for years, but few devs seem to grasp the concept that less dependencies is better than more. Especially library authors.

It's only now that the supply chain problems with npm are becoming beyond obvious that we are seeing devs come around to this notion (leftpad should have been the canary in the coal mine).

The javascript ecosystem has corrupted far too many other programming ecosystems. The notion of "just make a small package like is-even" is really the core of the problem. But also people making libraries often have the wrong mentality about that process. They think of it like they are making an application (So why not just pull in a bunch of random deps). Every dependency a library brings in should have a serious conversation and analysis on "how much work would it be to just do this functionality here". And if it's not that much, then preference should be to duplicate, not depend.

reply
upvoteby skydhash33 minutes ago|
parent|
[-]
A lot of libraries should have been gists, blog posts, or stack-overflow answers. When I see a library imports a dependency of a few function related to its domain, I can’t help but wonder why they don’t want to take responsibility for that small snippet of code.
reply
upvoteby galangalalgol8 hours ago|
parent|
prev|
[-]
If you look at the number of authors vs the number of dependencies the gap narrows but doesn't disappear. Many of the most commonly used crates are written by members of the rust foundation amd are used in the tools themselves. But it is always a concern. I'm looking forward to the upcoming option to forbid versions newer than N days at the project level. But just manually only y updating versions when you need a new feature or there is a cve works pretty well.
reply
upvoteby 22 hours ago|
prev|
next
[-]
deleted
reply
upvoteby bigstrat200315 hours ago|
prev|
[-]
The stdlib isn't necessarily better, but it's always there. To use Python as an example, I tend to prefer requests to urllib2, as do most programmers. But I've absolutely been in scenarios where all I could get was the stdlib, and having urllib2 saved my ass. I think it's extremely important for the stdlib to be batteries included, even if they aren't the best versions of those batteries on the market.
reply