I've never seen a C program use hundreds of dependencies. This is typical in Rust (and Node). I know a few high assurance teams that dropped Rust for this very reason.
I haven't seen hundreds of dependencies in C projects either. But I _have_ seen on the scale of 1s to 10s of libraries and algorithms vendored in (sometimes just a header or 5).
It's also an indirect risk, but I've seen C projects reimplement things that would be a dependency in Rust, and introduce subtle (or not subtle) bugs.
https://archlinux.org/packages/extra/x86_64/apache/
They look no different than your usual Rust crate. And their full flattened dependency trees already exceed hundreds of packages.
C/C++ libraries have much more complex build systems with many optional features shipped inside the library. Just think of curl and how many protocols it supports.
Rust's build system, however, is extremely simplistic and limited. So to have things like multiple backends for rendering, parsing, serializing etc. you have to split your library into multiple crates due to limitations Cargo imposes on you. So the full equivalent of curl will be 20+ individual crates.
I think the hundreds of dependencies is overblown due to this effect. I maintain my argument. C and C++ projects are just as complex and vulnerable. CMake and fully binary distribution via Linux package managers just hide their complexity.