I really like many aspects of the Rust programming language and do deploy software programmed in Rust in production (commercial). However, I disapprove of many things regarding the ecosystem, especially in the context of security and safety, for which Rust is advertised. To some degree I would even consider it broken beyond repair. Previously, I commented on an aspect regarding Rust security (integrity) - yes, https is used, but curl | sh is simply asking for trouble. Another security aspect is the usage of third party libraries aka dependencies. I thought Java, Julia and Python were bad in terms of their dependency handling, but Rust takes this to a whole new level. Why? Well, unlike others, I would not consider the dependency hell solved. Actually, it seems to have gotten worse.
Even smaller examples require some external crates, and whenever I explore a new crate and build some examples, I easily end up with 100+ crates as dependencies. Seriously, WHO SHOULD AUDIT THIS? Apparently, I’m not the only one who thinks that there are a few things wrong with some packages. I should also make clear what kind of audits I mean:
- license compliance - very important for commercial use
- source code origins (hello “I found this magic USB stick on a parking lot” ;)
- maintenance of dependencies - are they still maintained or deprecated?
Yes, it might be more package/crate specific than Rust specific. Many packages seem to be split into many smaller ones, which contributes to this problem a bit as well. Perhaps they simply attracted too many developers used to node.js… But again, Rust is aiming at more secure programming, and I believe that this dependency hell is contradicting some of the efforts. However, there is another component, and this is more of a cultural shift in programming. People tend to rather use additional (external) libraries and try to resolve dependencies than program a more specific solution (< 20 lines of code) using tools from the standard library only.
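As an added example (not code from the original post, and not a tool the post mentions), here is the kind of standard-library-only helper the last paragraph argues for, applied to the audit questions listed above: it parses a Cargo.lock and reports how many crates a build pulls in, which external crates are not fetched from the crates.io registry (git or other sources, the "where did this code come from" question), which registry crates have no checksum recorded, and which crate names appear in more than one version. The sample lockfile is constructed for the example; the git URL in it is a placeholder, and the parser only handles the plain `[[package]]` table layout cargo writes, not arbitrary TOML. License and maintenance status are not in the lockfile and still need an external source.

```rust
// Added example, not part of the original post: a Cargo.lock audit helper that
// uses only the Rust standard library. It reads the `[[package]]` tables and
// reports what a reviewer wants to know before trusting a tree: crate count,
// external crates not fetched from crates.io, registry crates without a
// checksum, and crate names present in more than one version.
use std::collections::BTreeMap;

pub const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Debug, Default, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,   // None for workspace/path crates built locally
    pub checksum: Option<String>, // cargo records one for registry crates
}

#[derive(Debug, Default, PartialEq)]
pub struct Report {
    pub total: usize,
    pub local: usize,
    pub non_registry: Vec<String>,     // "name version (source)"
    pub missing_checksum: Vec<String>, // "name version"
    pub duplicate_versions: BTreeMap<String, Vec<String>>,
}

/// Value of a `key = "value"` line, without the quotes.
fn quoted_value(line: &str) -> Option<String> {
    let (_, rhs) = line.split_once('=')?;
    Some(rhs.trim().strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Line-oriented parser for the `[[package]]` tables. Only the four scalar keys
/// we audit are read; `dependencies = [ ... ]` arrays and the leading `version = N` are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.extend(current.take());
            current = Some(Package::default());
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        match line.split('=').next().map(str::trim).unwrap_or("") {
            "name" => pkg.name = quoted_value(line).unwrap_or_default(),
            "version" => pkg.version = quoted_value(line).unwrap_or_default(),
            "source" => pkg.source = quoted_value(line),
            "checksum" => pkg.checksum = quoted_value(line),
            _ => {}
        }
    }
    packages.extend(current);
    packages
}

pub fn audit(packages: &[Package]) -> Report {
    let mut report = Report { total: packages.len(), ..Default::default() };
    let mut versions: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for p in packages {
        versions.entry(p.name.clone()).or_default().push(p.version.clone());
        match p.source.as_deref() {
            None => report.local += 1,
            // cargo verifies this hash on download; none recorded means the
            // lockfile was hand-edited or produced by an unusual workflow.
            Some(CRATES_IO) => if p.checksum.is_none() {
                report.missing_checksum.push(format!("{} {}", p.name, p.version));
            },
            Some(other) => report.non_registry.push(format!("{} {} ({})", p.name, p.version, other)),
        }
    }
    report.duplicate_versions = versions.into_iter().filter(|(_, v)| v.len() > 1).collect();
    report
}

/// Constructed sample lockfile (not a real project; the git URL is a placeholder).
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "bar",
]
[[package]]
name = "foo"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0ffee01"
[[package]]
name = "foo"
version = "0.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "bar"
version = "0.2.0"
source = "git+https://git.example.invalid/bar?rev=0123abcd#0123abcd"
"#;

fn main() {
    println!("{:#?}", audit(&parse_lock(SAMPLE_LOCK)));
}
```

Run against a real project's Cargo.lock, the `total` number is the answer to "who should audit this?", and the `non_registry` list is the first thing to read, since those crates bypass the registry's checksum and publication record.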