Hacker News new | ask | show | jobs
by nullifidian 139 days ago
I would rather check urls with the following method:

  echo -e -n "https://іnstall.example-clі.dev" | python -c 'exec("""import sys, unicodedata\nfor ch in sys.stdin.read():\n  try:\n    print (ch, " ", unicodedata.name(ch))\n  except ValueError:\n    print ("codepoint ", ord(ch))\n""")'
instead of putting my trust in the hundreds of crates in this tool's Cargo.lock not having a supply chain attack.
2 comments
yencabulator 137 days ago
python -c 'exec()' what? why?
link
nullifidian 135 days ago
I should have converted it to $' ', yes. It was posix shell compliant this way tho. (probably written when I knew more python than bash).
link
whatisasupchain 139 days ago
How on Earth did something like this become the norm? I don't work with software like most here, but just opening the Cargo.lock file sets off an alarm in my brain.

After seeing how much stuff was pulled when I once installed a couple programs with cargo, I added it to the "don't touch a project if it's made with this language" pile, alongside NIM and Python (though Python I can't quite avoid).

link
mayhemducks 139 days ago
Go write a floating point package, by yourself (no AI assistance), from scratch. Then you will understand.
link
whatisasupchain 139 days ago
Sure, the decision to "offload" some components is understandable, and sometimes preferred (crypto libs, etc). We're not all masters of every field. But if you do it 200+ times I'll question what you're even trying to do.
link
queenkjuul 138 days ago
You don't; you import 3-4 libraries that do what you need, each of them imports 10-30 libraries they need, next thing you know, you've got 100 dependencies.

I don't really see the big deal--for as long as I've been using Linux, which is over 20 years now, installing many packages requires pulling in dozens of other packages, themselves perhaps composed of multiple libraries... The problem is they come from cargo and not a distro? I get the problem with the language repos being more prone to supply chain attack than distro repos, but i don't really get the impression it was ever normal to build complete apps without dependencies.

link
nullifidian 138 days ago
>installing many packages

The issue is HOW MANY. This simple utility is in the 100-200 range, Zed editor is in 2000+ range. C/C++ software you find in distros is not only stabilized by the unstable/testing queue, which language repos don't have and don't plan to have, but also has 5-10x less dependencies on average.

link