Even normiedevs world is starting to notice the retardation and the dangers of language level package manager thanks to all the recent supply chain attacks, soon the time of flat, minimal, hand-picked, vendored dependencies will come back.Turns out Rust safety was completely useless after all and that supply chain safety and having a battery included standard library was much more important for security, how ironic.Furthermore with the dependencry-heavy style of programming becoming recognized as harmful vibecoding will also be hit because clankers can't do anything without importing a gorillion dependencies.Totla npm/pip/cargo death, long live vendoring!https://www.youtube.com/watch?v=Ws-Nc9S8i_Y
>>108830022>i do npm/cargo/pip install and i get my malware from the store seamlessly >i go to the internet and download unverified code from a github chinese person and integrate it into my slop project to get malware.yo gon get fucked either way, if you don't read every line of code of every program you use, then you are already hacked
Why the fuck rust retards thought a language level package manager would be a good idea for a low level systems language is completely beyond me. Fucking inbred tranny tards.
>>108830136There's nuances that you're missing, having a package manager integrated in your language gives convenience, that same convenience inevitable ends up breeding a culture of dependence on packages which then depends on other packages which ends with the situation we are right now where you can never be sure exactly what's hidden in the third level of transitive dependencies of that package you need, another side effect is that once you have this culture of depending on packages language developers are incentivized to ship a minimal standard library and leave the rest to third parties (see Rust).What I am proposing is not just downloading and installing manually instead of using a package manager, I am proposing that we should go back (and that with more and more supply chain attacks it will inevitable happen) to the previous culture where you have big standard libraries (or auxiliary libraries) and very few dependencies on trusted libraries which have very few or no dependencies of their own (no transitive dependencies), it's the whole culture and way of programming that has to change back to a point where you know exactly what your code does, like when I depend on sqlite library or curl library I am reasonably sure that I will have no supply chain problem, because these libraries were developed with this older more conservation approach to libraries.>>108830164Just like trannies Rust is in a constant identity crisis, one day they will tell you Rust is a system language you can make kernels with another day they will tell you Rust is all about webshit and garbage like async is absolutely needed, they have no fucking idea what they are doing.
Golang fixed that
Non exhaustive list of cases:npm>Axios (Mar 31)>North Korean state actor (Sapphire Sleet) hijacked the lead maintainer's npm account and dropped a cross-platform RAT on 100M+ weekly download installs>Live for 3 hoursAxios: https://github.com/axios/axios/issues/10636Microsoft: https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/>Mini Shai-Hulud / TanStack (May 11)>TeamPCP chained 3 GitHub Actions vulns to hijack TanStack's own CI pipeline, publish 84 malicious artifacts across 42 packages WITH VALID SLSA provenance (first time ever)>Worm spread to MistralAI, UiPath, OpenSearch, 170+ packages totalStepSecurity: https://www.stepsecurity.io/blog/mini-shai-hulud-is-back-a-self-spreading-supply-chain-attack-hits-the-npm-ecosystemSnyk: https://snyk.io/blog/tanstack-npm-packages-compromised/>SAP cloud npm packages (Apr 29)>4 official SAP packages poisoned with preinstall hook credential stealers.>~572K weekly downloads combined.The Register: https://www.theregister.com/2026/04/30/supply_chain_attacks_sap_npm_packages/PyPI>LiteLLM (Mar 24)>TeamPCP stole PyPI publish token by poisoning Trivy (the security scanner) inside LiteLLM's own CI pipeline>Credential stealer that also persisted by hooking Python interpreter startup via .pth files>95M monthly downloadsLiteLLM : https://docs.litellm.ai/blog/security-update-march-2026Cargo>5 malicious crates impersonating timeapi.io (Feb–Mar 2026)>same actor across all five, .env file exfiltration to attacker-controlled lookalike domain timeapis[.]io. chrono_anchor specifically added obfuscation layersOrange reddit: https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.html
>>108831229I mean the moment you run the things you still get owned so how does it fixes it? Noone looks at the sources anyway cause of the volume of dependencies.
>>108830136>trust pedophilesvs>the chinese peoplesorry but first worlders lost my trust, I pick the chinese
>>108831334>sorry but first worlders lost my trust, I pick the chinesebased
>>108830022cargo supports version locking and vendoring out of the box.there has been ZERO supply chain attacks that actually affected anyone in the rust ecosystem.>>108830753>where you can never be sure exactly what's hidden in the third level of transitive dependencies of that package you need.... (see rust).you can see all code with literally one comamand `cargo vendor` dumb retard. what are we supposed to "see"?>we should go back>weyou're a nocoder dumb retard. go cry in the corner, or rather, wait for /g/eets to wake up and cry with you....oh wait, that will be shabbat. you will not be here.
>>108831319>Orange reddit: https://thehackernews.com/2026/03/five-malicious-rust-crates-and-ai-bot.htmlshit. we are talking to a bot
>>108831361>>108831371Fuming rustard.
>>108831361>cargo supports version locking and vendoring out of the boxso does microshart's vcpkg, so what? its still shit
>>108831416last time i touched a winshit system was XP SP2.cargo just works.
>>108831614>cargo just worksThat's the problem though.
>>108831681it shouldn't work?i like where this cope is going. expand as much as possible. and let's make it hard mode. no waffling allowed. concrete technical info and examples only.
>>108831845I've already made my argument >>108830753
>>108830022Only read the title and just dropping by to say BASEDRetvrn to VendorKill docker
>>108831860see >>108831361and prove your points with *specifics*
>>108830164Why the fuck do you keep crying about it when it never had any fucking problems?
>>108831319>rust>typosquatting>everything else>actual malware spreading to actual users through the ecosystem
Yet another low IQ trash thread. Just kill yourself already. I guarantee more people have written trivial exploitable code more often than they got hacked by meme "supply chain" bullshit.
rust fags can't stop losing kek
>>108830022That, or the code will be signed with your biometric ID.
>>108832872no ecosystem is immune from "muh supply chain" attacks.but there has been ZERO malicious crates published on crates.io with REAL dependants. a certain jew is trying to push the narrative that rust had actual supply chain incidents, deliberately lying about certain events, and conflating incidents from other ecosystems with the rust one.i guess he will have to take a break from that in a few hours.
>>108832301>prove your points with *specifics*Go prompt a clanker if you're too dumb to understand my post.>>108832899Not an argument, reality doesn't care about your feeling, supply chain attacks are here to stay.>>108832941The only reason why we haven't seen many attacks on crates is because Rust is a much more irrelevant language than what people on tech forum might make you think, by itself is as vulnerable as JS or Python, it has the same packaging problems and culture.tl;dr your meme lang is not worth the hackers time and money but your lang is still a harmful supply chain disaster
>>108833522>nocoder>starts thread kvetching about rust specifically for some reason, referencing hallucinated events, and providing ZERO specific correct info>asked for specific info><crying> "your" language is irrelevant. "your" language is a meme..OKAY!</crying>lmaoi love pre-shabbat threads. this is why i participate in them.
>>108831334The age of consent in China is 14 bro
>>108830022odin niggas eating good
>>108833815it should go down to ZERO
>>108835709
>>108830753>we are right now where you can never be sure exactly what's hidden in the third level of transitive dependencies>what is version pinning>What I am proposing is not just downloading and installing manuallyhahahaha
Sophie thread!
>>108835748Version pinning is a meme because the move fast and break things movement means that everything is permanently pwnd so you have to always update to the latest garbage. Dependabot anybody? And if you have 30 transitive dependency levels then anything in the stack propagate requirements to update all the way up.
>>108835983"move fast and break things" is about you, not your dependencies. version pinning actually helps with it since you don't have to waste time syncing your external calls with updated dependency APIs.your retarded thought shows the same level of fundamental misunderstanding as the retarded op who didn't realize that tools like cargo are the best vendor facilitators, and that cargo+vendoring go more together rather than being mutually exclusive.
>>108833839>my meme lang is good because it has no ecosystemkeep spamming your meme bro. i'm sure it's gonna happen one day. lol
>>108836215No, it is about dependencies and not about you. The dependencies are developed by pajeets and are full of hole. Thus, unless you constantly update, you constantly get security vulnerabilities and other issues across your project.You have never programmed. You probably asked chatgpt to answer for you since you clearly have 0 clue about the topic at hands at even the most basic level.
>>108836239maybe your ecosystem looks like that. where i am, there are no retarded jeets (zero jeets actually from jeetland) and vulnerabilities are rare.and in your scenario, it's the jeets who are moving fast and breaking things, you're just the retard depending on them.you should also stop deflecting about how people are using LLM's to answer you. you're not that smart to manage your clinical retardation from anyone.
>>108831319>Orange reddit>thehackernews.comthe retard didn't delete this lmao
>>108835983>Version pinning is a meme because the move fast and break things movement means that everything is permanently pwnd so you have to always update to the latest garbageNo? When you use dependency managers like cargo or npm you dependencies do not change versions unless you explicitly instruct it to do so. You can audit everything and make sure that no malicious code will be injected later on.This is not true for C/C++ style of managing dependencies which is to rely on random distro's dependency management which offers no pinning and give you no means of auditing your dependencies. You have no idea if a library you are using won't get compromised next week.That's literally what happened with XZ utils. There was nothing anyone could do to prevent it, no amount of auditing your dependencies would have prevented it.
>>108836358Are you illiterate? Try reading the post you're responding to again before your next self-own.
>>108836416Not an argument.
>>108836320So you don't use a language with a package manager? What's even the point of your post?
>>108831361Rust is young. Supply chain attacks are only just starting to pick up. That they haven't affected Rust yet is mostly luck.
>>108836436i do use a language with a package manager. there are no jeets in my ecosystem (except a small number of 2nd+ gen westernized ones). and vulnerabilities are rare (when one is found, it becomes news).what you described is not a universal experience.and you had a fundamental understanding of what "move fast and break things" means, and where it actually happened in your supposed development chain.
>>108836470>That they haven't affected Rust yet is mostly luck.[citation needed]
>>108836492Underage retard
>>108836521Not an argument.
>>108830753Rust is clearly a very unsafe language, be careful out there anons!
>>108836477Name one language that has a package manager and isn't jeet central
>>108836561Rust
>>108836564Nice self-own.
>>108836470>Rust is young.we can't say that forever. and age is not as relevant as impact. and anyone arguing that successfully attacking the rust ecosystem wouldn't be impactful would be a retard of the highest order.>they haven't affected Rust yet is mostly luck.it's not, for the following reasons:1. the people involved in foundational crates are not that many. and all of them are well known (someone actually looked into this).2. there are a lot of eyes and processes in place watching the ecosystem closely. and where there are weaknesses, people complain, sometimes in creative ways, as the serde dev did once.3. applications (anything with an executable binary) are all encouraged to include Cargo.lock in their repos and packages, for both security and reliability reasons. and since dynamic linking is mostly not a thing. the way 99% of people consume rust software already relies on version-pinned statically-linked dependencies out of the bat. it's also trivial to pin the build toolchain itself (that's where the integration between cargo and rustup comes in).still, the human element will make it impossible to guarantee that it will never happen. and the chain itself is not "pure", with the presence of "build.rs" and non-rust dependencies. but to attribute the lack of successful attacks to pure luck is cope thinking.and if you looked closer at the above points, you may have noticed that some of the aspects /g/eets complain about, and sometimes claim are attack vectors, are actually the exact same that protect rust from these attacks lol.
>>108836576man, /g/eets like you are too retarded to even circlejerk properly. i almost prefer native zoggies at this point.
>>108836576Not an argument.
>>108836358>>108836592>there is version pinning>there are checksNone of thise solves the problem.How many dependencies and transitive dependencies do you need again to do anything useful with Rust like a graphical application? Hundreds? Thousands?It only takes one to get owned.Furthermore the hostility of Rust towards system-level package managers and dynamic linking makes things worse.The way you solve this problem is by adopting a radically different developing culture and by relying on system mantainers through dynamic linking.These are the real reasons why Rust is extremely problematic, it's only a matter of time until hackers put effort into attacking Rust ecosystem (scales with adoption.Any complex Rust application is a ticking time bomb.
>>108836727>None of thise solves the problem.The only thing that solves this problem is auditing code of your dependencies. If you can pin your dependency versions then you can make sure vulnerabilities can't be introduced later on. However if you rely on your operating system's package manager then you have no control over what specific version of a dependency will be used.>How many dependencies and transitive dependencies do you need again to do anything useful with Rust like a graphical application?0 if you are not a retard>it's only a matter of timeTwo more weeks and XZ will happen to Rust.
>>108836222gingerbill has long argued package managers are outright evil and will never add one https://www.gingerbill.org/article/2025/09/08/package-managers-are-evil/
there is no problem, those who drag retarded unchecked deps in - pay the price. they dont even look what they drag. that will be forever.install Go and get pwnd by Google instead. who cares, nobody.
>>108836986>ackthually we never cared about security>being hacked is ok!lmao at the absolute state of nulang fanboysAt least js webshitters and python baby ducks admit that there is a problem.You deserver everything you're going to get in the next 4-5 years.
>>108830022>soon the time of flat, minimal, hand-picked, vendored dependencies will come back.You can do that with Rust.Are you saying that the language actually has to not have a package manager at all, so that you can feel better about it or something? It doesn't make any sense. Literally just don't add dependencies for no reason, or just pin your versions, or just run cargo vendor
>>108836905Every time one of those Odin fags or C fags try to make a GUI program, the same thing happens: text is completely nonfunctional for anything beyond ASCII. Even the much-shilled filepilot proudly says it in its web page: no usecase for Unicode. if any of your files have Japanese characters in the name, either wait 5 more years, or fuck you. That will be 40$ for the preorder btw.And this is despite it being a windows-only program!Sounds like rather than collecting screenshots of twitter subhumans calling it a "BASED file manager", maybe you should have added a dependency on a text library.
>>108836727>tech illiterate, not just nocoder>never ran pactree or anything equivalent>probably a wintard>zero concrete knowledge on show, just non-stop waffling and incoherent regurgitations of 3rd hand talking points>feels the need to kvetch about rust for some reasonevery single time.it looks like zogs hired a jeet PR firm to save money lol
>>108837083Nobody does that because the Rust culture says to use cargo for everything and that having six gorillion depencies is completely ok.You realize that you can vendor everything with node and python too? And that you can pin versions with npm and pip too?But again nobody does that, because again package manager exists and are "the way" you use the language.This is why Rust is no better than Python or Node in this context.
>>108837235You realize that your constant use of (false) ad-hominem attacks only makes you ridiculous?Dumb fanboy.
>>108837238Why do you give a shit about what other people think is the best way to use it?What's stopping you from using it in the way that (you) think it's best?If this is a general argument and you're saying that languages shouldn't have package managers so that everyone using it is nudged towards using minimal dependencies, that obviously doesn't work. People will just make a package manager on top, then abuse that one instead of the builtin one. Or they will just use another language that has it instead of yours.
>>108837083You can't really do that in rust because none of the packages in the ecosystem do that so even if you want to pick one dep, you are really picking 120.
>>108837298>I fucking hate dependencies>the problem with rust is that when I try to add dependencies, the number that it shows is too bigIf you hate dependencies so much just don't add them???
>>108837311Do you have severe brain problems? If you want to depend on library X, and library X depends on libraries A1 through A12321 you better package both or you're not vendoring shit.
>>108837292>If this is a general argumentIt was a general argument from the OP, it's just the usual Rustfags that got extremely triggered (as always) and thought it was about them.>Why do you give a shit>What's stopping you from using it in the way that (you) think it's bestI'd rather use a language that is designed to be used without a package manager, like C or Odin or Lua or whatnot, Python works fine too ironically cause it has a great standard library and it makes it easy to vendor libraries, specifically C libraries.But this doesn't change the fact that any software I might install that is developed with the package-manager-fueled dependency-heavy style might get owned and I might end up being the one that gets hacked.In supply chain attacks everyone loses downstream or even in adjacent libraries cause it can spread as a worm.This is not on of those problems I can just ignore.>People will just make a package manager on topChange the developement culture so those people get bullied the fuck out of a community.
i'd actually prefer we were completely airgapped from anyone who didn't speak english, I don't want them to use anything I write. I consider the fact I even have to see other languages completely intolerable.
>>108837359meant to >>108837153
>>108837317The original point of this thread is about wanting>flat, minimal, hand-picked, vendored dependenciesEvidently library X is not minimal.So the correct course of action is to not add X as a dependency. Which you can do in any language.If you're saying that even MINIMAL Rust libraries bring in 120 transitive dependencies for absolutely no reason, then you should show some examples, because I don't think that's true.
>>108837250>falsepostlsof -p `pidof -S',' firefox` -Fn | rg -r '$1' 'n(.*\.so)(\b.*|$)'|sort -ureplace firefox with any QT or GTK based app of your choosing if you wish to.
lsof -p `pidof -S',' firefox` -Fn | rg -r '$1' 'n(.*\.so)(\b.*|$)'|sort -u
>>108837351That's what I'm saying. Any individual programmer can choose to use Rust or any other language responsively if he wants. Everyone else will keep making the same slop, either by building a package manager on top, or by migrating to another language that has it.Ironically, you're making the same argument that Rust did for the borrow checker: you want to remove a tool that's potentially useful when used correctly, in an attempt to get the average unskilled programmer to stop abusing it.>>108837359>usecase for Japanese characters on a Japanese culture imageboard?Nice cope
>>108837417i would take the hit of never seeing japanese again if it meant I never had to see hindi or arabic again.
>>108837366The point is that in jeetlangs like rust, THERE IS NO MINIMAL DEPENDENCY retard. Unironically learn to read.
>>108837532See >>108837250
>>108837238Rust soft-vendors psckages by default
>>108837407it's hilarious how this always works lmao
>>108837407>rgWe don't use trannylang software here, we don't like getting RATs from supply chain attacks.
>>108838142lsof -p `pidof -S',' mate-terminal` -Fn | grep -E '\.so(\b.*|$)'| while read l; do expr "$l" : "n\(.*\.so\).*"; done | sort -u
lsof -p `pidof -S',' mate-terminal` -Fn | grep -E '\.so(\b.*|$)'| while read l; do expr "$l" : "n\(.*\.so\).*"; done | sort -u
>>108838407replace mate-terminal with firefox or any GTK or QT app of your choosing.
>>108836754> if you rely on your operating system's package manager then you have no control over what specific version of a dependency will be usedTo an extent, but system packagers are responsible for sensibly auditing and maintaining the security of the version they do publish, along with the audit power of everyone doing the same thing in the same ecosystem who can either get involved in the process, or notice and report problems. Part of the reason many of the package vulnerabilities even get discovered is because of this. The power of this scales exponentially as more and more people use system packaging as their dependency solution. Dynamic linking makes it possible to drop in hotfixes as well (provided your binaries have stable ABI)
>>108838497>To an extent, but system packagers are responsible for sensibly auditing and maintaining the security of the version they do publish, along with the audit power of everyone doing the same thing in the same ecosystem who can either get involved in the process, or notice and report problemsWhich doesn't work as proven by XZ fiasco.
>>108837026in actuality ive compiled most of the libs im going to use in a runtime, i also modified some of them (like libressl that doesnt compile on windows) and put into the barrels/ directory.ama software mastermind and runtime enlightened, so with this authority i conculde that there is no problem - what is called a problem will exist forever and will never be solved. this is just a chewgum for retards.
@108836358braindead post, not giving a (You)
>>108837407>>108838407this continues to work without fail against /g/eet wafflers lmao
