this post was submitted on 26 Dec 2024
24 points (96.2% liked)

Linux

8329 readers
193 users here now

Welcome to c/linux!

Welcome to our thriving Linux community! Whether you're a seasoned Linux enthusiast or just starting your journey, we're excited to have you here. Explore, learn, and collaborate with like-minded individuals who share a passion for open-source software and the endless possibilities it offers. Together, let's dive into the world of Linux and embrace the power of freedom, customization, and innovation. Enjoy your stay and feel free to join the vibrant discussions that await you!

Rules:

  1. Stay on topic: Posts and discussions should be related to Linux, open source software, and related technologies.

  2. Be respectful: Treat fellow community members with respect and courtesy.

  3. Quality over quantity: Share informative and thought-provoking content.

  4. No spam or self-promotion: Avoid excessive self-promotion or spamming.

  5. No NSFW adult content

  6. Follow general lemmy guidelines.

founded 2 years ago
MODERATORS
[email protected]
24
Lets Be Real About Dependencies | Comparing dependencies of C/C++ to Go/Rust (wiki.alopex.li)
submitted 1 day ago by [email protected] to c/[email protected]
6 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 7 points 1 day ago* (last edited 1 day ago) (1 children)

Rather the difference in dependencies between something written in Rust vs. “traditional” C or C++ is that on Unix systems, all these dependencies are still there, just handled by the system instead of the compiler directly. The distro maintainers do more of the work, and our build systems assume the presence of various system libraries in system places. The only thing new about it is that programmers are exposed to more of the costs of it up-front.

No, that is not the only thing. Here are a few more differences:

  • A distro-supplied dependency undergoes more scrutiny before it reaches users. Security problems are more likely to be caught than they would be in dependencies pulled directly from upstream. For example, the 2024 xz utils back door never made it into Debian Stable.
  • A distro-supplied dependency tends to be shared by multiple applications: Its version, build environment, and build options are usually the same for every program that depends on it, making problems more visible and therefore more likely to be noticed and fixed.
  • A distro-supplied dependency gets security updates along with the rest of the distro. Users don't have to do anything special to get them.

These differences are critically important today, since exploits and supply chain attacks have become common.

(Aside: The author conveniently picked for comparison a program written in C++, and not only that, but one described as "a 3d visualization environment for robots using ROS." In other words, one of the most complicated languages out there, and an application guaranteed to need things beyond the standard and platform libraries. This is what cherry picking looks like.)

If we as software developers are going to be "real" about dependencies, we must acknowledge that they are liabilities that we impose upon users. The responsible thing to do is to minimize them, and be very cautious about the few that we use. Languages (or more accurately, dependency managers) that encourage high dependency counts, including indirect dependencies, are a very real security problem.

Since the article focuses on Rust, it's worth pointing out that Rust (through Cargo) is among the worst in this department, undermining its own value proposition as a security improvement vs. other languages. I hope it will be better some day.

[–] [email protected] 1 points 23 hours ago

The other, IMHO, bigger difference is that is any one of those dependencies breaks or develops a security issue, many things on your system break.

I much prefer statically linked programs with as few extremal runtime dependencies as possible. Many times when a program stops working, it takes forever to trace it to a dynamic dependency. Interpreted languages exacerbate this to ridiculous levels. But my statically linked programs - once they work, they work practically forever; it requires a major core library change - libc, or libm - to break them, and that almost never happens.

I hard disagree with you: build time dependencies are both more secure and more reliable than runtime dependencies.