Anonymous /g/105616701#105623078
6/17/2025, 7:47:48 PM
>>105622950
>The point still is that all these cascading microdependencies are a crazy way to do software development.
Having fewer, but larger dependencies is more dangerous. XZ happened even though it was supplied by a regular package manager. Having no cascading micro dependencies didn't prevent any of this from happening. What's more, it made it even more difficult to prevent attacks like this. Cargo actually pins versions of your dependencies. You can review all your dependencies and be certain you are safe. On the other hand, if you rely on the system's package manager, such a vulnerability can be added retroactively to your application and you can't rely on dependency audits. Additionally, with micro dependencies, the libraries you depend on are likely to be much smaller and easier to audit. They often share dependencies so you do not have to audit hundreds of different linked list implementations. In general, it reduces the amount of code you have to audit significantly in contrast to using large, batteries-included dependencies that you often see in languages with poor dependency management. Whenever you give people the option to efficiently manage dependencies, they will gravitate to using small, specialized libraries because it IS the most sane way to do software development, the so-called Unix Philosophy.

>>105622954
>it is not concurrency
[citation needed]

>>105622964
No, I mean just concurrency. You can't have fearless concurrency in C, as in, it is easy to cause UB in C when doing concurrency. FreeRTOS does not give you that either.