Posted on Friday, January 24, 2025
Another day, another petition
in relation to trust. from me This time I ask you that we start and support a vibe shift when it comes to dependencies.
You’re probably familiar with the concept of “trustworthiness.” It’s this never-ending treadmill of updates, patches, audits, and transitive dependencies that we as developers love to install for productivity. Who was not happy to wait for another one cargo upgrade
Just so you get that fix for a bug you don’t have?
This is a blow to most ecosystems with good packaging solutions. JavaScript and rust are especially affected by that. A new Tokio project drags 28 crates, a new lloons of the rocket project of up to 172, and a small engine template like a trust SLI-Variant of 142.
If that doesn’t seem like a big deal, let’s think about it terminal_size. This is a crate that does exactly what its name suggests: it focuses on your terminal dimensions. The underlying APIS has been used effectively since the early days of computing terminals – what, 50 years or so? And yet, for a function, the size of the terminal to introduce three or four additional crates, depending on your operating system. That triggers a whole chain reaction, so you end up doing thousands of other functions to determine if your terminal is 80×25 or 120×25. That crate has 26 releases. My own version of that which I compiled in a project from 10 years ago still works without an update. Because of the shocker: There is no part to think about the terminal sizes.
So why? Board the Terminal Will there be more updates if it is stable? Since it builds on top of the platform’s libraries that are constantly churning, it is therefore necessary to update them to avoid code duplication and blowing hours.
But the “big supply chain” will tell you that you have to do it this way. Don’t you dare copy paste your library. Or do you not date using “unsafe” yourself. You are not qualified to write unsafe code, make those platform abstraction architects. Otherwise
you will be destroyed. There are entire companies that make a living supplying you with the tools you need to deal with your trust issues. In the name of security, we are encouraged to have dependencies and maintain their dating, even though most of the dependencies are the main source of security problems.
The purpose of the code in many ways is to write it in such a way that it does not require updates. It should finally reach the stability level. In the rust ecosystem strong code is punished. If you have a fully working dependency but have an inactive bug tracker, rustsecec comes and you will be given a chunk rating.
But there is a much simpler path. You wrote yourself. Sure, it’s more front-facing, but once it’s written, it’s done. There are no new crates, no one is waiting for the authors to lift the content of the content. If it’s broken for you, you fix it yourself. Code that works does not require maintenance of the treadmill. Does your code have a corner case? Who cares. This is the vibe shift we need in the rust world: celebrating fewer dependencies instead of more.
We’re at a point in most ecosystems where pulling libraries isn’t the only default action, it’s seen as a positive: “Look how good my code is!” In fact, it may be a symptom of not wanting to type more than a few lines.
Now one would make the argument that it would take a lot of time to write all of this. It’s 2025 and it’s faster for me to have chatgpt or cursor whipt which is a content free implementation of common functions, than for me to start relying on a dependency. And it makes sense for many small functions the maintenance overhead is small and much lower than actually upgrading dependencies. The code is only one line and you also get the benefit of not having to consume thousands of lines of other people’s code for a single function.
But let’s face it: Corporate Code Review Culture with affected open source software. Companies are more likely to reward engineers than to encourage them for inventing a new “interesting library” that solves a problem they never did. That creates problems, so friends are born. Now I’m just afraid of getting requests to catch up on projects but I have to accept it. I am part of an ecosystem of my tools and that ecosystem is all about churn, churn, churn. In companies you can also keep entire internal engineering teams busy with vending dependencies, internal audits and upgrading things across the company.
Fighting this battle is not difficult at all! Every new hire is trained in the idea that confidence is good, that code rause is good. That having old code sitting around is a sign of a bad engineering culture.
It’s also hard to fight open source. Years ago I wrote SHA1-SMOL which was originally called
Sha1. This becomes the standard crate to calculate SHA1 hashes. Eventually I was forced to donate the rust-crypto package name and trust the rest of the crypto ecosystem as it was established. If you want to use the new Sha1 crate, you can enjoy 10 trusts. But there is no way around it, because that registry name is valuable and people also want to be united in character. It feels exhausting to be the only person in a conversation pushing to keep dropping dependencies.
It’s time to have a new perspective: We should give Kudos to the engineers who wrote a small function themselves instead of hooking a transitive web of crates. We should be suspicious of large CRAT graphs. What is celebrated is the small dependencies, the humble function that quietly does the work, the code that doesn’t need to be touched for years because it got it right once.
And sure, it’s not black and white. There are important libraries that solve difficult problems. Graphics libraries that abstract complex drivers, implementing protocols such as http and quic. I can’t get away from Tokio and I don’t want to. But when you end up using one function, but you accumulate hundreds, some alarm bells should go off.
We need that vibe shift. To celebrate building it yourself if it is appropriate to do so. To give credit to the authors of the library that grows the trustless open to libraries that are libraries.
For example Miniilinja celebrates it by reading:
$ cargo tree
minimal v0.1.0 (examples/minimal)
└── minijinja v2.6.0 (minijinja)
└── serde v1.0.144
And it has a P after all Get the last confidence. And sometime this year I will make it my intention to keep motivated and focus all the fat on my projects.
https://lucumr.pocoo.org/static/avatar-small.jpg
2025-01-24 15:55:00
