by IshKebab 36 days ago
Noble effort but that ship has sailed. Cargo works because it was there from the start so basically everyone uses it.

C++ doesn't have one true package manager which means all third party dependencies will use totally different build systems and you can never have an easy `cargo add ...`. The closest I know of is vcpkg which has a decent selection but even then it's missing lots and still really clunky to set up.

I also worry about unpopular software repositories like that - it would be very easy to take some popular software that isn't packaged there, add it, bide your time and then poke some malware in. You don't even need to gain the original maintainers' trust.

The same applies to things like Flathub. I'm really surprised it hasn't happened yet (as far as I know).
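The attack the comment describes (upload an unpackaged project to a low-scrutiny repository, wait until people depend on it, then change the contents) is what lockfile pinning in the Cargo style defends against on the consumer side. The script below is an added example, not code from the thread or from any of the repositories mentioned: it pins the archive digest, per-file digests and uploader of a reviewed build, then flags any later build of the "same" version that differs. All package names, file contents and uploader names are constructed inline for the demonstration.

```python
"""Pin-and-verify check for a package obtained from a third-party mirror.

Added example (not from the HN thread). The consumer records what was
reviewed (archive sha256, per-file sha256, uploader) and refuses a later
build that differs, so a quietly re-uploaded "1.0.0" is caught even when
the repository itself never raised an alarm. All data below is constructed.
"""
import hashlib
import io
import tarfile


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def make_tar(files):
    """Build an uncompressed tar in memory with fixed metadata so the
    same inputs always give the same bytes (stands in for a downloaded
    source archive)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(files):
            info = tarfile.TarInfo(name)
            info.size = len(files[name])
            info.mtime = 0
            tar.addfile(info, io.BytesIO(files[name]))
    return buf.getvalue()


def file_digests(archive):
    """Per-member sha256, so a mismatch can be attributed to specific files."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for member in tar.getmembers():
            if member.isfile():
                out[member.name] = sha256_hex(tar.extractfile(member).read())
    return out


def pin(name, version, archive, uploader):
    """Record what was reviewed; this is the lockfile entry."""
    return {
        "name": name,
        "version": version,
        "uploader": uploader,
        "sha256": sha256_hex(archive),
        "files": file_digests(archive),
    }


def verify(entry, archive, uploader):
    """Return a list of findings; an empty list means the build matches the pin."""
    findings = []
    if uploader != entry["uploader"]:
        findings.append(f"uploader changed: {entry['uploader']!r} -> {uploader!r}")
    if sha256_hex(archive) == entry["sha256"]:
        return findings  # identical bytes: nothing else to compare
    findings.append("archive sha256 does not match pinned digest")
    current = file_digests(archive)
    for path in sorted(set(current) | set(entry["files"])):
        if path not in entry["files"]:
            findings.append(f"added file: {path}")
        elif path not in current:
            findings.append(f"removed file: {path}")
        elif current[path] != entry["files"][path]:
            findings.append(f"modified file: {path}")
    return findings


# Constructed sample data: the build that was reviewed and pinned ...
CLEAN = make_tar({
    "README": b"constructed sample package\n",
    "src/wallet.c": b"int main(void) { return 0; }\n",
})
LOCK = pin("example-wallet", "1.0.0", CLEAN, uploader="original-packager")

# ... and a re-upload of the same version with one extra file slipped in.
TAMPERED = make_tar({
    "README": b"constructed sample package\n",
    "src/wallet.c": b"int main(void) { return 0; }\n",
    "src/exfil.c": b"/* constructed: not present in the reviewed build */\n",
})

if __name__ == "__main__":
    print(verify(LOCK, CLEAN, "original-packager"))      # []
    print(verify(LOCK, TAMPERED, "original-packager"))   # sha mismatch + added file
    print(verify(LOCK, CLEAN, "someone-else"))           # uploader changed
```

The per-file digests are the useful part in practice: an archive-level mismatch alone only tells you something changed, while the file list tells you whether it was a harmless rebuild (timestamps, a README) or a new source file that nobody reviewed. The uploader check covers the variant where the package is taken over rather than modified in place.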

2 comments

Not the exact scenario you described, but there has been an instance on the Snap store where someone uploaded a crypto wallet management program and it was actually stealing keys.

https://www.reddit.com/r/Ubuntu/comments/1olfrff/there_is_a_...

Well, Python's uv seems to suggest people can see the light and pivot to one build/dep mgmt tool.

Decades into a language not having a single one that projects/people agree to use solely.

So I wouldn't be so hasty with that assessment for one for C++.