• mox@lemmy.sdf.org
    link
    fedilink
    English
    arrow-up
    9
    arrow-down
    1
    ·
    edit-2
    14 days ago

    Rather the difference in dependencies between something written in Rust vs. “traditional” C or C++ is that on Unix systems, all these dependencies are still there, just handled by the system instead of the compiler directly. The distro maintainers do more of the work, and our build systems assume the presence of various system libraries in system places. The only thing new about it is that programmers are exposed to more of the costs of it up-front.

    No, that is not the only thing. Here are a few more differences:

    • A distro-supplied dependency undergoes more scrutiny before it reaches users. Security problems are more likely to be caught than they would be in dependencies pulled directly from upstream. For example, the 2024 xz utils back door never made it into Debian Stable.
    • A distro-supplied dependency tends to be shared by multiple applications: Its version, build environment, and build options are usually the same for every program that depends on it, making problems more visible and therefore more likely to be noticed and fixed.
    • A distro-supplied dependency gets security updates along with the rest of the distro. Users don’t have to do anything special to get them.

    These differences are critically important today, since exploits and supply chain attacks have become common.

    (Aside: The author conveniently picked for comparison a program written in C++, and not only that, but one described as “a 3d visualization environment for robots using ROS.” In other words, one of the most complicated languages out there, and an application guaranteed to need things beyond the standard and platform libraries. This is what cherry picking looks like.)

    If we as software developers are going to be “real” about dependencies, we must acknowledge that they are liabilities that we impose upon users. The responsible thing to do is to minimize them, and be very cautious about the few that we use. Languages (or more accurately, dependency managers) that encourage high dependency counts, including indirect dependencies, are a very real security problem.

    Since the article focuses on Rust, it’s worth pointing out that Rust (through Cargo) is among the worst in this department, undermining its own value proposition as a security improvement vs. other languages. I hope it will be better some day.

    • The other, IMHO, bigger difference is that is any one of those dependencies breaks or develops a security issue, many things on your system break.

      I much prefer statically linked programs with as few extremal runtime dependencies as possible. Many times when a program stops working, it takes forever to trace it to a dynamic dependency. Interpreted languages exacerbate this to ridiculous levels. But my statically linked programs - once they work, they work practically forever; it requires a major core library change - libc, or libm - to break them, and that almost never happens.

      I hard disagree with you: build time dependencies are both more secure and more reliable than runtime dependencies.