Yeah, I’ve given up trying to know all the libraries in my projects. I feel like the added development speed and code quality is just so good that not taking the risk of a supply chain attack is basically not an option.
I do try to primarily use libraries from the Rust team or from more widely known devs (and hope that they also do that), but most projects worth doing will need one or two specialty libraries where all bets and bus factors are off…
Yes, offloading complexity to a separate project which has already invested more time into code quality than I could possibly justify.
As for your second point, I don’t care who solved the problem. If you care, I hope you’re smelting your own sand to build your own CPU and assembly language. But I’m obviously also not solving the exact same problem as the library already solved.
This leads me to assume that you don’t actually know that those dependencies are as well maintained as you claim.
Well, I can’t guarantee that none of them are buggy, unmaintained etc… But that’s why I prefixed that sentence with “I feel”.
On average, it seems to me like the code quality is a good bit higher than I’m able to produce under money/time constraints.
In particular, even the worst libraries tend to be not as bad as they may be in many other languages, because Rust’s strict type system + compiler enforces quite a bit of correctness on its own.
Well, and the good libraries are just obsessed with correctness and performance, so they drag code quality upwards, even if they introduce a mild risk of a transitive dependency being a dud…
This assumes that I could implement something as well as the maintainers of the library I use. I agree that something trivially should be implemented on your own, but if there is special knowledge required (the obvious example is cryptography, but also something like HTTP requests) I rather rely on a widely used library than my own code that I now have to maintain and check for security issues instead of just updating the dependency version whenever a CVE is published.
Also if there is. A client by an API provider for my language, why shouldn’t I use it instead of rolling my own?
Another example is a framework like React or Angular or Svelte, which brings along a whole lot of dependencies. Sure, I could not use something like that and write everything from scratch.
But where is the value of all that code to customers? If I want to roll my own HTTP server up from the sockets, I can do that as a play project. But not using libraries for a real world project to solve business needs is a bit of an odd take.
Anyways, that’s enough of a rant. Have fun in the replies. 😎
This sounds like you want to prove something. That you can do it better than the maintainers of the library. That you can solve hard problems on your own instead of relying on other people.
That’s all great and sometimes it’s good to do hard things on your own and make sure you could do it just in case. But it’s not always necessary to do everything yourself and learn every lesson yourself. It’s a valid way to build on knowledge and work of others to achieve your goals.
Holy shit this. I’ve observed a lot of competent devs go through that phase, trying to be clever and come up with what inevitably ends up being pale imitations of existing established solutions. Yes, we do avoid pulling in dependencies when we can avoid it, but this reeks of “Real Programmers Don’t Use Pascal”, without the tongue in cheek tone lol
Yeah, I’ve given up trying to know all the libraries in my projects. I feel like the added development speed and code quality is just so good that not taking the risk of a supply chain attack is basically not an option.
I do try to primarily use libraries from the Rust team or from more widely known devs (and hope that they also do that), but most projects worth doing will need one or two specialty libraries where all bets and bus factors are off…
deleted by creator
Yes, offloading complexity to a separate project which has already invested more time into code quality than I could possibly justify.
As for your second point, I don’t care who solved the problem. If you care, I hope you’re smelting your own sand to build your own CPU and assembly language. But I’m obviously also not solving the exact same problem as the library already solved.
Why are you looking for conflict?
If you want to build something from scratch, you first have to invent the universe :) (paraphrased from Carl Sagan)
deleted by creator
Apology taken.
Well, I can’t guarantee that none of them are buggy, unmaintained etc… But that’s why I prefixed that sentence with “I feel”.
On average, it seems to me like the code quality is a good bit higher than I’m able to produce under money/time constraints.
In particular, even the worst libraries tend to be not as bad as they may be in many other languages, because Rust’s strict type system + compiler enforces quite a bit of correctness on its own.
Well, and the good libraries are just obsessed with correctness and performance, so they drag code quality upwards, even if they introduce a mild risk of a transitive dependency being a dud…
This assumes that I could implement something as well as the maintainers of the library I use. I agree that something trivially should be implemented on your own, but if there is special knowledge required (the obvious example is cryptography, but also something like HTTP requests) I rather rely on a widely used library than my own code that I now have to maintain and check for security issues instead of just updating the dependency version whenever a CVE is published.
Also if there is. A client by an API provider for my language, why shouldn’t I use it instead of rolling my own?
Another example is a framework like React or Angular or Svelte, which brings along a whole lot of dependencies. Sure, I could not use something like that and write everything from scratch.
But where is the value of all that code to customers? If I want to roll my own HTTP server up from the sockets, I can do that as a play project. But not using libraries for a real world project to solve business needs is a bit of an odd take.
Anyways, that’s enough of a rant. Have fun in the replies. 😎
Oh, I forgot one thing:
This sounds like you want to prove something. That you can do it better than the maintainers of the library. That you can solve hard problems on your own instead of relying on other people.
That’s all great and sometimes it’s good to do hard things on your own and make sure you could do it just in case. But it’s not always necessary to do everything yourself and learn every lesson yourself. It’s a valid way to build on knowledge and work of others to achieve your goals.
Holy shit this. I’ve observed a lot of competent devs go through that phase, trying to be clever and come up with what inevitably ends up being pale imitations of existing established solutions. Yes, we do avoid pulling in dependencies when we can avoid it, but this reeks of “Real Programmers Don’t Use Pascal”, without the tongue in cheek tone lol