BB_C

joined 3 years ago
[–] BB_C@programming.dev -1 points 12 hours ago

I'm going to call cargo a Rust runtime from now on, considering cargo-script exists.

[–] BB_C@programming.dev -2 points 17 hours ago* (last edited 17 hours ago) (2 children)

First of all. Strictly speaking, there is no such a thing as a TS runtime. TS compiles to JS.

Second of all, bun binds against JavaScriptCore, which is the JS engine used in Safari. Node binds against V8, which is the engine used by Blink (Chromium et al). Both are implemented in C++. And the latter is considered the fastest engine.

Ironically, both engines are mentioned by name in the very bun blog post being discussed, which points to a problem that is almost bigger than mere tech literacy from the pseudo-intellectual OP.

[–] BB_C@programming.dev -3 points 18 hours ago (1 children)

You can interface with a C++ JS engine without unsafe (which is equivalent to just using C btw), if you just really put a real effort into it.

😇

I do love me some internet gantry commentary. Especially when it's super confident and acting knowledgable, with multiple layers of genius on display.

[–] BB_C@programming.dev -3 points 18 hours ago (4 children)

You clearly don't even know what unsafe in rust means. And it's not something you can avoid when FFI is involved, slopping involved or otherwise.

[–] BB_C@programming.dev 3 points 19 hours ago

Code viewing was always a part of rustdoc, and thus available via docs.rs. I actually don't like this violation of abstraction separation.

And doing this before doing the most obvious sensible trivial addition, a download link, is doubly ironic in my view.

[–] BB_C@programming.dev -5 points 20 hours ago (4 children)

Bun is a TypeScript runtime, like a faster NodeJS.

I guess the target audience is non-coding AI skeptics looking for pseudo-intellectual takes, which appears to be a growing market. Because getting the very first technical detail, and a very basic one at that, this wrong is not a good look.

[–] BB_C@programming.dev 2 points 1 week ago

I don't do Android (or much UI in general), but from what I gather, going with something like flutter_rust_bridge or membrane is probably the best route. The UI is not done in Rust. But it's as close as you can get for non-toy use-cases, and without bringing a JVM language into the fray.

Toyota people apparently developed membrane for serious production use. But I haven't used either, so I don't have first hand experience to share.

[–] BB_C@programming.dev 2 points 1 week ago

Bro forgot to demangle. And now the kids are scared.

[–] BB_C@programming.dev 4 points 1 week ago

Congrats.

Perhaps no project is more deserving.

[–] BB_C@programming.dev 6 points 2 weeks ago
  • Unused deps: cfg-if, mime_guess, sysinfo

  • Unused dep openssl. There are mentions of it being used for "remote compilation". I have no idea what that means, or how it would work by adding a dependency like this. Not only openssl is not referenced anywhere in code, but it's not even a build/dev dependency, and there is no build.rs file.

  • Depends on ffmpeg-sidecar which apparently downloads ffmpeg binaries from weird places if ffmpeg is not in $PATH, a crate apparently "inspired" by webshits, and based on a GitHub action (which clearly has a very different threat model compared to executing those binaries on end-user machines).

[–] BB_C@programming.dev 1 points 2 weeks ago* (last edited 2 weeks ago)

There is a huge difference between vetting packages once every 6 years,

And here the myth shows its head. No one is actually "vetting" 10s of thousand of packages, to a meaningful degree.

And all distros have rolling channels and testing channels, so the every X years part is mythical itself.

In the case of Debian, when is the mythical vetting taking place exactly? Whenever a Debian unstable/sid package gets updated? That's a rolling repo.
Or is it when world is frozen, and the unvetted packages which lived happily in "unstable" and "testing" will now magically get vetted on their way to "stable", in a few months (not six years as you imagined).

You clearly lack basic knowledge about what actually goes on in a distro release cycle.

This is because rust and crates makes it impossible to do any form of dynamic linking. Which is why some people have gripes with rust and avoid it.

You missed the point. crates.io is a source registry. Debian ships binary packages (yes, including rust ones).

Where do you think Debian gets source packages for C or C++ from? Did you think they get them in the (physical) mailbox? 🎅

As for dynamic linking, the "security" argument for it has been discussed and debunked. You can search the web for discussions regarding that. Most arguments for .so has been debunked, in fact.

But for C, Java, and other languages, it is possible for distros to ship and manage libraries, which has the benefit that the various libraries can have their security issues fixed automatically.

Nothing is "automatic" when it comes to distro maintenance. Much more so when an upstream doesn't give a f*** about helping you patch your X years old version. If Red Hat, Canonical, ...etc wasn't actively paying developers to do maintenance, Debian wouldn't exist as it is. But even then, that only covers a very small fraction of core packages.

The model of vendoring dependencies, breaks this. With Cargo (or uv or etc), the programs move very fast, and updates break things. In order to prevent their program from breaking, developers pin packages. And then, they don’t update them.

Pinning and vendoring are orthogonal.

The original talking points were about source supply chains. But people like you seem to confuse concerns across multiple chains from the individual upstream dev to the binary distro repo mirror.

Pinning is actually the only way to actually (almost*) guarantee that built code would work correctly. What distros sell you is "should work" and "API looks compatible" and "this patch hopefully doesn't break the interface".

And more ironically, why distros do is global pinning, so the problem is apparently not pinning itself, but upstreams choosing the pinning themselves, right? right?

"But they don't fully pin.. security updates smth smth"

Good. Let's continue..

Here is cargo-audit ran against radicle-tui

Good.

The next best thing to pinning is semver-compatible updates.

Now you have an example where you will see that to "fix all CVEs", you need to run the total of TWO whopping commands.

You ran the first command already. The second is cargo update (or cargo update <only_audit_mentioned_packages> if you want to be more precise.

cargo update only does semver-compatible updates, as released, authorized, and supported by the upstreams, whose knowledge of the code and its interfaces infinitely trumps your random distro maintainer doing raw patching. This is how a coherent competent ecosystem operates.

Some of what the distros do is actually not far away from this. If you looked close enough, you will find that it's not rare for a stated "frozen" version to be a complete lie, with distro patches effectively updating the distro source package to a later patch, or sometimes even minor version, without changing the version number.

But of course, they wouldn't tell you about any of that, because the myths must live on 😉.

I can be confident that if I make a program tied to libraries or programs that the distro provides, this stuff will automatically be patched and handled for me.

While not completely misplaced, your confidence is inspiring 🙂.

[–] BB_C@programming.dev 1 points 2 weeks ago (2 children)

Weird how this random thread came back to life, just to rehash some talking points.

See my comments here and here.

In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.

If you followed the link, you would have seen that nothing actually fishy was found, unlike the implication.

Cargo and crates are basically just as bad as npm, just less popular, which is why they haven’t been hit yet… And it’s currently very difficult to build rust programs without cargo.

The number of actual supply chain attacks actually effecting anybody in the crates.io ecosystem is ZERO. In npm, it's a weekly occurrence.

less popular

Rust cleared the critical mass and critical relevance milestone years ago. Most people can run desktops without npm or local js code. This is increasingly unfeasible for rust components. And yet, nothing happened. And that's not a coincidence (read linked threads). That doesn't mean nothing will ever happen. Nothing is fully fail-safe. But the talking points themselves are completely false.

Also, I would like to see you explain how cargo itself is a problem. It's a build tool that is not tied to crates.io. You can use different registries, repos, and even full vendoring with it (which you can switch to with one command, and it will just work). But I can't wait to hear your explanation 🙂. Examples of tools that do it better, with an explanation why would also be appreciated 🙂.

Stable linux distributions have extremely strong supply chain security in comparison to language specific package managers.

This myth is discussed extensively in the linked threads at the start of this comment, especially the second one.

Debian, for example, was not affected by the xz utils backdoor, due to it’s policy of only doing cherry picked security patches, and ignoring feature or bugfixes for the most part.

Also covered in the linked threads. But let's address specifics.

  • Debian unstable/sid (the rolling branch) was affected. Debian is not special.
  • Debian stable was unaffected because it runs multi-year old packages. This specific attack was discovered early, so they were spared. Other upstream-controlled attacks could target projected-to-be-stable upstream versions, and remove the compromised part later, reversing that effect (depending on who would discover the malicious code, and what are they testing looking at).
  • The stable distro model is broken. Distro developers are not better than upstreams at judging upstream code. Many non-security tagged bugs can become security ones. And out-of-date(ness) itself can have adverse affects in other ways. This was always been known/realized by people who know the reality of the situation. But nowadays, "AI" security scanners had a complete mockery of the stable distro model "security" claims.
  • Debian's willy-nilly "security" patching in particular, lead to multiple scandals in the past. This is not all theoretical. One day half the internet had to re-issue SSL certs/keys because of the mythical Debian super security. And on that subject, do you know what distro wasn't affected by the specific xz attack, despite actually shipping the compromised xz version? It's Arch. Why? Because they didn't patch systemd with xz support thinking they can outsmart an upstream.
  • Distros pull from upstreams anyway (code has to exist somewhere), crates.io included. So they inherently can't have better supply chain security than upstreams at the code level, unless you're also a believer in the popular myth "they review and vet everything ". Some distros may have good/better build security practices. But that's about it.

I would prefer Java if you cared strongly about supply chain security

What makes you think JAVA or its ecosystem(s) are unique or immune from any of this?

 

A lot of work in this release was related to porting to other platforms. We did a large number of refactorings to put ELF-specific behaviour behind traits. We've also started work on porting to Mach-O and WebAssembly. These aren't yet ready for use, but if you'd like to help out with porting, get in touch.

Wild now supports the linker plugin API that was originally part of the Gold linker, but which is also supported by GNU ld and Mold. This lets us do linker-plugin LTO (link time optimisation). There are still a few known issues, but it's already working on a good range of programs. Pure Rust projects generally don't use linker plugins, since Rust can do LTO within the compiler, so this is mostly helpful for C, C++ or mixed language projects. Note that when using a linker plugin, link times will be very slow.

Lots more linker-script features were implemented during this release.

[...]

 

Every programming problem I have, when I track it down to it's source, seems to originate with C/C++. It wasn't till a few years ago that I realized how seriously everything I do somehow, some way, has C/C++ as a foundation. Basically every zero-day exploit in my cyber security class is because of something stupid in C/C++. And it goes well beyond security, the more I dive into C++ the more terrible stuff I find. When I found out even Rust needed the clib, it was like seeing an iron-clad fortress only to look closer and see it was being held up by sticks, ducktape, and prayers.

 

https://nlnet.nl/news/2025/20250321-call-announcement-core.html

Notes

  1. Projects meaningfully sharing two programming languages get 0.5 a point each, even if the split is not exactly half-half.
  2. Two projects are listed under "Multi/Misc/Other" which is opinionated, and some may disagree with.
  3. Three points (5 projects) are assigned to "Unaccounted/Not Available". Two of the projects have no code at all (related to the grant, or otherwise). One project with no published code is (charitably) listed under "Python", however, since the author mentions Python+QT as the choice for implementation.

9.5 (10 projects) Rust

https://git.joyofhardware.com/Products/FastWave2.0
https://github.com/slint-ui/slint
https://github.com/stalwartlabs/mail-server
https://github.com/dimforge
https://github.com/DioxusLabs/blitz
https://github.com/fdtshim
https://github.com/trynova/nova
https://github.com/yaws-rs
https://github.com/lycheeverse/lychee
https://git.syndicate-lang.org/synit/synit
(0.5 rust, 0.5 shell)

9 Python (8 + 1 project without code)

https://github.com/owasp-dep-scan/blint
https://github.com/web-platform-tests/wpt
https://github.com/niccokunzmann/open-web-calendar
https://git.xmpp-it.net/sch/Rivista
https://github.com/DataLab-Platform/DataLab
https://codeberg.org/IzzyOnDroid/rbtlog
https://gitlab.com/py3dtiles/py3dtiles
https://codeberg.org/flohmarkt/flohmarkt
https://rackweaver.app/
(says python+qt, but no code yet)

6 (7 projects) C

https://mntre.com/sources.html
https://github.com/open-sdr/openwifi
https://wiki.musl-libc.org/
https://github.com/LekKit/RVVM
https://github.com/skarnet/s6-rc
https://git.savannah.gnu.org/git/mes
(scheme interpreter, compiler + minimal libc in C = 0.5)
https://www.gnunet.org/
(gnunet itself is C = 0.5, Anroid work would presumably use Java/Kotlin/Dart/... = 0.5 unaccounted)

3.5 (4 projects) TypeScript

https://github.com/cartesapp/cartes
https://github.com/edumeet
https://github.com/adorsys/open-banking-gateway
(0.5 Java, 0.5 TypeScript)
https://github.com/janeirodigital/sai-js
(grant is about specification work. But implementation is in TypeScript)

3.5 (4 projects) Java

https://github.com/slovensko-digital/autogram
https://github.com/igniterealtime/Openfire
https://github.com/MarginaliaSearch/MarginaliaSearch
https://github.com/adorsys/open-banking-gateway
(0.5 Java, 0.5 TypeScript)

3 Kotlin

https://github.com/florisboard/florisboard
https://github.com/EventFahrplan/EventFahrplan
https://github.com/tuskyapp/Tusky

2.5 (3 projects) Hardware/Verilog/...

https://github.com/opera-platform/opera-dsp
https://github.com/simple-crypto/SMAesH
https://github.com/IObundle/iob-versat
(hardware part = 0.5, software is C++)

2.5 (3 projects) Scheme

https://codeberg.org/spritely/goblins
https://nlnet.nl/project/SchemeTestingFramework
(no external link in grant page)
https://git.savannah.gnu.org/git/mes
(scheme interpreter, compiler + minimal libc in C = 0.5)

2.5 (3 projects) JavaScript

https://github.com/CycloneDX/cdxgen
https://github.com/overte-org/overte
(0.5 C++, 0.5 JS)
https://nlnet.nl/project/TALER-integration-Nuxt
(no external link)

2 Nix

https://nlnet.nl/project/Nix-ControlPlane
https://github.com/ibizaman/selfhostblocks
(no external link)

2 Go

https://github.com/namecoin/encaya
(namecoint-core is written in C++, but the grant is about encaya)
https://github.com/hockeypuck/hockeypuck

1.5 (3 projects) C++

https://github.com/IObundle/iob-versat
(software part = 0.5, hardware is Verilog)
https://github.com/overte-org/overte
(0.5 C++, 0.5 JS)
https://kde.org/plasma-desktop
(grant is about mobile power management improvements, no idea about the code, but KDE/Plasma is C++, so charitable 0.5 for C++, 0.5 unaccounted)

1 Clojure

https://github.com/NyanCAD/Mosaic

1 Assembly

https://lib25519.cr.yp.to/
(grant covers NEON vector implementation)

1 Haskell

https://github.com/ghc-proposals/ghc-proposals

1 Julia

https://github.com/PeaceFounder/AppBundler.jl

0.5 Shell

https://git.syndicate-lang.org/synit/synit
(0.5 rust, 0.5 shell)

2* Multi/Misc/Other

https://github.com/IObundle/iob-linux
(build project, a mix of python, Make, and C from OpenSBI)
https://unifiedpush.org/
(specification for Android and D-Bus. Implementations in Go, C, Kotlin, and Flutter)

3* (5 projects) Unaccounted/Not Available

https://www.gnunet.org/
(possible non-native Android yet to be written)
https://kde.org/plasma-desktop
(grant is about mobile power management improvements, no idea about the code but, KDE/Plasma is C++, so 0.5 for C++, 0.5 unaccounted)
https://nlnet.nl/project/LicenseCompatibilityAutomation
(no external link or specific info about the implementation)
https://librediagnostic.com/
(fully unaccounted, site pages "under construction")
https://github.com/mapterhorn
(fully unaccounted, from org readme "Coming soon...")

 

https://nlnet.nl/news/2025/20250321-call-announcement-core.html

Notes

  1. Projects meaningfully sharing two programming languages get 0.5 a point each, even if the split is not exactly half-half.
  2. Two projects are listed under "Multi/Misc/Other" which is opinionated, and some may disagree with.
  3. Three points (5 projects) are assigned to "Unaccounted/Not Available". Two of the projects have no code at all (related to the grant, or otherwise). One project with no published code is (charitably) listed under "Python", however, since the author mentions Python+QT as the choice for implementation.

9.5 (10 projects) Rust

https://git.joyofhardware.com/Products/FastWave2.0
https://github.com/slint-ui/slint
https://github.com/stalwartlabs/mail-server
https://github.com/dimforge
https://github.com/DioxusLabs/blitz
https://github.com/fdtshim
https://github.com/trynova/nova
https://github.com/yaws-rs
https://github.com/lycheeverse/lychee
https://git.syndicate-lang.org/synit/synit
(0.5 rust, 0.5 shell)

9 Python (8 + 1 project without code)

https://github.com/owasp-dep-scan/blint
https://github.com/web-platform-tests/wpt
https://github.com/niccokunzmann/open-web-calendar
https://git.xmpp-it.net/sch/Rivista
https://github.com/DataLab-Platform/DataLab
https://codeberg.org/IzzyOnDroid/rbtlog
https://gitlab.com/py3dtiles/py3dtiles
https://codeberg.org/flohmarkt/flohmarkt
https://rackweaver.app/
(says python+qt, but no code yet)

6 (7 projects) C

https://mntre.com/sources.html
https://github.com/open-sdr/openwifi
https://wiki.musl-libc.org/
https://github.com/LekKit/RVVM
https://github.com/skarnet/s6-rc
https://git.savannah.gnu.org/git/mes
(scheme interpreter, compiler + minimal libc in C = 0.5)
https://www.gnunet.org/
(gnunet itself is C = 0.5, Anroid work would presumably use Java/Kotlin/Dart/... = 0.5 unaccounted)

3.5 (4 projects) TypeScript

https://github.com/cartesapp/cartes
https://github.com/edumeet
https://github.com/adorsys/open-banking-gateway
(0.5 Java, 0.5 TypeScript)
https://github.com/janeirodigital/sai-js
(grant is about specification work. But implementation is in TypeScript)

3.5 (4 projects) Java

https://github.com/slovensko-digital/autogram
https://github.com/igniterealtime/Openfire
https://github.com/MarginaliaSearch/MarginaliaSearch
https://github.com/adorsys/open-banking-gateway
(0.5 Java, 0.5 TypeScript)

3 Kotlin

https://github.com/florisboard/florisboard
https://github.com/EventFahrplan/EventFahrplan
https://github.com/tuskyapp/Tusky

2.5 (3 projects) Hardware/Verilog/...

https://github.com/opera-platform/opera-dsp
https://github.com/simple-crypto/SMAesH
https://github.com/IObundle/iob-versat
(hardware part = 0.5, software is C++)

2.5 (3 projects) Scheme

https://codeberg.org/spritely/goblins
https://nlnet.nl/project/SchemeTestingFramework
(no external link in grant page)
https://git.savannah.gnu.org/git/mes
(scheme interpreter, compiler + minimal libc in C = 0.5)

2.5 (3 projects) JavaScript

https://github.com/CycloneDX/cdxgen
https://github.com/overte-org/overte
(0.5 C++, 0.5 JS)
https://nlnet.nl/project/TALER-integration-Nuxt
(no external link)

2 Nix

https://nlnet.nl/project/Nix-ControlPlane
https://github.com/ibizaman/selfhostblocks
(no external link)

2 Go

https://github.com/namecoin/encaya
(namecoint-core is written in C++, but the grant is about encaya)
https://github.com/hockeypuck/hockeypuck

1.5 (3 projects) C++

https://github.com/IObundle/iob-versat
(software part = 0.5, hardware is Verilog)
https://github.com/overte-org/overte
(0.5 C++, 0.5 JS)
https://kde.org/plasma-desktop
(grant is about mobile power management improvements, no idea about the code, but KDE/Plasma is C++, so charitable 0.5 for C++, 0.5 unaccounted)

1 Clojure

https://github.com/NyanCAD/Mosaic

1 Assembly

https://lib25519.cr.yp.to/
(grant covers NEON vector implementation)

1 Haskell

https://github.com/ghc-proposals/ghc-proposals

1 Julia

https://github.com/PeaceFounder/AppBundler.jl

0.5 Shell

https://git.syndicate-lang.org/synit/synit
(0.5 rust, 0.5 shell)

2* Multi/Misc/Other

https://github.com/IObundle/iob-linux
(build project, a mix of python, Make, and C from OpenSBI)
https://unifiedpush.org/
(specification for Android and D-Bus. Implementations in Go, C, Kotlin, and Flutter)

3* (5 projects) Unaccounted/Not Available

https://www.gnunet.org/
(possible non-native Android yet to be written)
https://kde.org/plasma-desktop
(grant is about mobile power management improvements, no idea about the code but, KDE/Plasma is C++, so 0.5 for C++, 0.5 unaccounted)
https://nlnet.nl/project/LicenseCompatibilityAutomation
(no external link or specific info about the implementation)
https://librediagnostic.com/
(fully unaccounted, site pages "under construction")
https://github.com/mapterhorn
(fully unaccounted, from org readme "Coming soon...")

 

cross-posted from: https://programming.dev/post/23822190

I added this language to my watch list some time ago and forgot about it, until I got a notification about a new release (0.15) yesterday.

I'm someone who is familiar with system languages (C, Rust) and shell languages (Bash, Zsh, ..). But don't have much experience, at a proficient level, with any languages setting in between.

So I gave Koto's language guide a read, and found it to be very well-written, and the premise of the language in general to be interesting. I only got annoyed near the end when I got to @base, because I'm an anti-OOP diehard 😉

I hope this one well start to enjoy some adoption.

 

I added this language to my watch list some time ago and forgot about it, until I got a notification about a new release (0.15) yesterday.

I'm someone who is familiar with system languages (C, Rust) and shell languages (Bash, Zsh, ..). But don't have much experience, at a proficient level, with any languages setting in between.

So I gave Koto's language guide a read, and found it to be very well-written, and the premise of the language in general to be interesting. I only got annoyed near the end when I got to @base, because I'm an anti-OOP diehard 😉

I hope this one well start to enjoy some adoption.

view more: next ›