this post was submitted on 30 Jan 2024
780 points (98.3% liked)

Programmer Humor

[–] Ephera@lemmy.ml 60 points 9 months ago (1 children)

Yeah, I've given up trying to know all the libraries in my projects. I feel like the added development speed and code quality is just so good that not taking the risk of a supply chain attack is basically not an option.

I do try to primarily use libraries from the Rust team or from more widely known devs (and hope that they also do that), but most projects worth doing will need one or two specialty libraries where all bets and bus factors are off...

[–] DacoTaco@lemmy.world 37 points 9 months ago* (last edited 9 months ago) (1 children)

Welcome to modern framework development!

  • C# has nuget
  • any nodejs based framework ( react, vue, angular, ... ) (npm)
  • python ...

All of the above are chock-full of dependencies upon dependencies, and webdev stacks are the worst of them. They make it VERY hard to make software that requires any security-related certification because of the dependency hell...
I swear to god, all those frameworks are designed so badly when looking at dependency hell ...

... Yet i will write c and c# code everyday haha

[–] racketlauncher831@lemmy.ml 6 points 9 months ago (2 children)

Who can we blame though? If we need something simple as sed, yes, go ahead and have a great security scan report. Web development has a complexity to make a dog puke so naturally you can't practically write every line of code by yourself. The choices are either trust those package maintainers will maintain their software regularly, or build no web application.

[–] vithigar@lemmy.ca 7 points 9 months ago

> or build no web application

Don't threaten me with a good time.

[–] DacoTaco@lemmy.world 1 points 9 months ago

I mean, to some degree I believe you are right. I myself manage a .net library to parse barcodes. However, webdev has layers upon layers upon layers of dependencies. The advantage is that even my cat could make a website. The downside is it will be horribly inefficient because of those layers of dependencies. 90% of what they bring is stuff you don't need and are in the way. Or you use, but because you're going through all those layers, it's fucking slow.

This applies to desktop dev too, but less hard than webdev. Most of the webdev development I just question why something was created and most of the time I can only conclude it's because of some hack job and something missing. So they take a huge library and use only part of it for something. It's just.. Eug

I am a developer/lead that likes to make things as small and efficient as possible and that just makes me die a little inside every time :p

[–] rockSlayer@lemmy.world 35 points 9 months ago (1 children)

Ez, feature bloat the project so all those dependencies are actively used

[–] theneverfox@pawb.social 2 points 9 months ago

The real LPT is always in the comments

[–] RustyNova@lemmy.world 35 points 9 months ago

At least there's tree shaking. Not everything is getting in the final build

[–] SrTobi@feddit.de 28 points 9 months ago (1 children)

Fuck that. It's awesome! I want to have lazy initialized globals. It's that package. I want code to shorten my builder pattern, I import that. I need a typed concurrent work-stealing queue. No problem.

I look at a C project. Everywhere custom macros to do the most basic shit. I want to parse an XML in C? Better use a SAX parser and put all the data into globals. Cryptography? Better implement that ourselves... Using a library would be too much of a hassle.

[–] platypus_plumba@lemmy.world 9 points 9 months ago* (last edited 9 months ago) (1 children)

I mean, it's awesome until it isn't.

NPM is already on the "isn't" side of it. Especially with all the malware going around. Who has time to read the code of the dependencies of the dependencies of their dependencies? For every single version. It's just not possible...

I guess the main concern with this is security. You're literally running code you don't even know about on your machine, probably next to personal files or your company's code base.

A simple http call to publish all your private code wouldn't be hard to sneak in a 6th level dependency.

[–] sxan@midwest.social 2 points 9 months ago (1 children)

So, to expound on this a little...

There's a password manager I use, but the CLI tooling sucks. Thankfully, there's a third party CLI tool in a language I know fairly well, and because I'm a little paranoid, I reviewed the code. Then I reviewed the code of the libraries it imported. And then the code of the libraries of the libraries it imported. Thankfully, that was as far as it went, and I was mainly looking for any code that made network calls... it was manageable, just barely.

And I made some improvements and submitted PRs, only some of which were accepted, but I used them so I maintained a fork. Which was lucky, because a few months later upstream changed their parseargs library to a framework, and the dependencies exploded. 6 layers deep, and dozens of new dependencies - utterly unauditable without massive effort. I caught it only because of the rebase from upstream. I abandoned the rebase and now maintain a hard fork, of which I'm the only user AFAIK.

The moral of the story is that introducing dependencies under the guise of "reuse" is a poisoned fruit, a Trojan Horse. It sounds good, but isn't worth it in the long run. The Go team got it right with their proverb: a little copying is better than a little dependency.

[–] platypus_plumba@lemmy.world 2 points 9 months ago

Honestly, I don't like the Go way. If they are going to have that philosophy, at least they should have provided a strong core with high level functions and generics. From the start. Not 5 years later.

[–] limelight79@lemm.ee 18 points 9 months ago

I've never used Rust, but this definitely reminds me of my days running Slackware on my computers.

Oh, hey, I'd like to run this new package. Great. I'll need this dependency...and that one...and the one over there....

I know it now has dependency management, but I just couldn't do it any more. I was tired of worrying about what was going to break. I started with Slackware in the 3.x days, too.

I switched my server to Debian, and I feel like I never have to worry about it any more. Laptop and desktop are both Kubuntu, but they're going to go to Debian at some point in the near future.

[–] zarkanian@sh.itjust.works 10 points 9 months ago

cough NodeJS cough

[–] SpaceNoodle@lemmy.world 8 points 9 months ago (2 children)

My only dependency is libstdc++

Fight me

[–] ignotum@lemmy.world 20 points 9 months ago (1 children)

stdc is just bloat, i implement the methods and do the syscalls myself if i need them

[–] Darkrai@kbin.social 0 points 9 months ago (1 children)

C is bloat, that's why everyone should use Asm

[–] agressivelyPassive@feddit.de 1 points 9 months ago* (last edited 9 months ago) (1 children)

Pff, I prefer good ol' flip switches, like on my trusty Altair.

[–] hackris@lemmy.ml 0 points 9 months ago (1 children)

Noob. I prefer to use a screwdriver to poke around the CPU and memory lanes

[–] killeronthecorner@lemmy.world 1 points 9 months ago

I use butterflies

[–] dankm@lemmy.ca 1 points 9 months ago (1 children)
[–] SpaceNoodle@lemmy.world 1 points 9 months ago
[–] 30p87@feddit.de 8 points 9 months ago (3 children)

I find it especially weird that it's almost always labeled like something special if it's written in Rust, even though as the end user the only thing I know will be different is the compile time, as it usually takes around 10-20 times longer than if it would be written in c, with 500 dependencies being pulled and recompiled every time. Which means if tests fail, even though the app works fine, and I had that happen twice in Rust, it will take three tries or so until I manage to fully remove the test section from the pkgbuild, resulting in an hour loss for just installing something that could've taken 5 minutes.

[–] simple@lemm.ee 24 points 9 months ago (1 children)

> Decide to create a very basic GUI app in Rust, as everyone is saying it's a great language for it

> First compilation takes over 15 minutes to download and compile 100 libraries

> Debug files take up 2GB of storage

> Output binary file comes out massive for no reason

> "Yeah you're supposed to write a few lines to optimize for size in your release profile"

> Compiling now takes 30 minutes instead

[–] 30p87@feddit.de 14 points 9 months ago (1 children)

Reimplements in C

Compiles in 5 Minutes (you accidentally did it on the RPi Zero W, on a PC it's done in 30 secs)

[–] beeb@lemm.ee 35 points 9 months ago (1 children)

Reimplements in C

Segmentation fault (core dumped)

[–] snowfalldreamland@lemmy.ml 23 points 9 months ago (1 children)

Reimplements in C

Segmentation fault (core dumped)

change code so it no longer segfaults

still is UB, has arbitrary code execution vulnerability

everybody dies

[–] QuazarOmega@lemy.lol 12 points 9 months ago

But you died faster, that's not to be underestimated

[–] Ephera@lemmy.ml 9 points 9 months ago (1 children)

You seem to be a rather specific user, if the compile time is something you notice, let alone the only thing...

[–] 30p87@feddit.de 3 points 9 months ago (2 children)

It's just weirdly noticeable when one rust program with ~150 lines of code, designed to connect to a specific device and send commands according to the intensity of music, takes longer to compile than updating a typical Arch testing setup after a month without maintenance, including the (non Rust) AUR packages.

[–] Ephera@lemmy.ml 8 points 9 months ago

Well, I'm not here to claim that Rust's compile times aren't comparatively long, especially for non-incremental builds. It's a trade-off that was chosen to not need a runtime environment, nor be as simplistic/footgun as C.

What I'm saying is that this trade-off was chosen and continues to be popular, because the vast majority of users will never notice (nor will programmers really, as they have incremental builds).
Maybe you can download the fully built package from somewhere? Maybe Arch can package it in the proper repos?

[–] arisunz@lemmy.blahaj.zone 6 points 9 months ago

mf conveniently forgetting about incremental compilation

[–] rushaction@programming.dev -3 points 9 months ago (1 children)

Every time I see a project decide to use rust I groan knowing my build/packaging time is about to skyrocket. Case in point, the Python cryptography project.

And given cryptography's importance in the Python ecosystem, what used to be an easy pip install of a package is now almost always going to include an enormous and horribly slow Rust build environment.

Seeing a Rust library just makes me sad now 😭

[–] dsemy@lemm.ee 1 points 9 months ago (1 children)

I seem to recall when the switch was made it took me about a week to figure out how to get it to work on OpenBSD, because the Rust build step failed there (for a reason I can't remember now).

[–] rushaction@programming.dev 1 points 9 months ago

Yeeap. My FreeBSD box has such pain with 'em. Because unfortunately *bsd is not in Python's precompiled wheels. So one is almost building from the source.

Now every time I pip install something there's a high likelihood I'm going to end up having to install the rust tool chain and burn so much time on building libraries. I get why the project made the switch, but man does it hurt being downstream of it.

[–] TootSweet@lemmy.world 5 points 9 months ago

Dependencies. Not even once.

[–] reboot6675@sopuli.xyz 4 points 9 months ago

Sounds like JavaScript

[–] AVincentInSpace@pawb.social 3 points 9 months ago (2 children)

I often find myself wishing Cargo had a feature that would warn me if different dependencies I used tried to pull in both openssl and rustls. Happened way too many times.

[–] Ephera@lemmy.ml 5 points 9 months ago

You could use cargo-deny for that: https://embarkstudios.github.io/cargo-deny/checks/bans/index.html#use-case---denying-specific-crates

You'd need to remember to run it, though. Either in CI/CD or as a pre-commit hook or personally, I like to just have a script which also runs unit tests and Clippy, so that it's useful enough that I run it myself.

[–] beeng@discuss.tchncs.de 3 points 9 months ago

Grep cargo.lock on pre-commit?
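
The lockfile check suggested in this sub-thread, written out as an added example (not code from any commenter or from cargo-deny): a POSIX shell pre-commit check that parses the `[[package]]` entries of `Cargo.lock` and matches exact crate names, so crates such as `openssl-probe` or `tokio-rustls` are not mistaken for `openssl` or `rustls` the way a substring grep would. The function names and the sample lockfile contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: fail a pre-commit hook when Cargo.lock resolves both TLS stacks.

# Print "name version" for every [[package]] entry in the lockfile $1.
lock_packages() {
    awk '
        /^\[\[package\]\]/       { in_pkg = 1; name = ""; next }
        in_pkg && /^name = "/    { name = $3; gsub(/"/, "", name) }
        in_pkg && /^version = "/ { ver = $3; gsub(/"/, "", ver)
                                   print name, ver; in_pkg = 0 }
    ' "$1"
}

# Return 0 if the exact crate name $2 is a resolved package in lockfile $1.
has_crate() {
    lock_packages "$1" |
        awk -v want="$2" '$1 == want { found = 1 } END { exit !found }'
}

# Return 1 and list the offenders when both openssl and rustls are present.
check_tls_stacks() {
    if has_crate "$1" openssl && has_crate "$1" rustls; then
        echo "Cargo.lock pulls in both openssl and rustls:" >&2
        lock_packages "$1" | awk '$1 == "openssl" || $1 == "rustls"' >&2
        return 1
    fi
    return 0
}

# Constructed sample lockfile (not from a real project). "mixed" adds openssl;
# any other argument yields a rustls-only tree with look-alike crate names.
sample_lock() {
    printf '[[package]]\nname = "openssl-probe"\nversion = "0.1.5"\n\n'
    printf '[[package]]\nname = "rustls"\nversion = "0.21.10"\n\n'
    printf '[[package]]\nname = "tokio-rustls"\nversion = "0.24.1"\n'
    printf 'dependencies = [\n "rustls",\n]\n\n'
    if [ "$1" = mixed ]; then
        printf '[[package]]\nname = "openssl"\nversion = "0.10.63"\n\n'
    fi
}

# Hook entry point: check the given lockfile, or ./Cargo.lock if it exists.
lock="${1:-Cargo.lock}"
if [ -f "$lock" ]; then
    check_tls_stacks "$lock" || exit 1
fi
```

Saved as an executable `.git/hooks/pre-commit`, it blocks a commit whose lockfile contains both crates; it only reports the conflict and does not say which dependency introduced it.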

[–] KingThrillgore@lemmy.ml 3 points 9 months ago

Laravel moment

[–] tigerjerusalem@lemmy.world 2 points 8 months ago* (last edited 8 months ago)