Cake day: September 24th, 2023





  • I mean, it would be great if this succeeded… ffmpeg is nice and all but its interface is clearly terrible and there’s absolutely no way it is remotely secure. Anyone that uses it on a server basically has to run it in its own VM, or a severely locked down sandbox.

    But good luck supporting all the codecs people expect. I’m not even talking the obscure ones ffmpeg supports; just the ones “normal” people use will be a life’s work.

    Also you have to change the name!


  • That is not actually a “data race”. It is a race condition for sure, but a data race is a very specific thing - where two threads access the same location at the same time and at least one is a write.

    That could be unsafe in Rust because it might lead to reading “impossible values” like an enum that isn’t equal to any of its variants. Therefore safe Rust must prevent it or there’s a soundness hole.



  • it has modules for everything

    Not everything. PyYAML, Pydantic and Typer are things I commonly want in scripts that aren’t in the standard library.

    Simply do pip install anything. But best practice is to use a python virtual environment and install packages into that one.

    It’s more than “best practice”. It’s mandatory on many recent Linux distros. And yeah setting up a venv and installing dependencies is not something you want to have to do for each script you run.

    It’s one of the slowest to write code in.

    It depends what your goal is. If you want robust code that works reliably then I would say Rust has the edge still. Yes it will take longer to write but you’ll spend way less time debugging it and writing tests.


  • That’s kind of the point. You can do it in most languages, so why use a shitty one like Bash? Use a good language like Rust!

    Also there are aspects of languages that make many languages less suitable for this application though. For example Python, because you can’t use third party dependencies (or at least you couldn’t; I think uv has an equivalent of cargo script now). Java would be a pretty awful choice for example.


  • Yeah it’s great for little scripts. There’s even a cargo script feature that’s being worked on so you can compile & run them using a shebang.

    I’d use a shell script if it is literally just a list of commands with no control logic or piping. Anything more than that and you’re pointing a loaded gun at your face, and should switch to a proper language, of which Rust is a great choice.


  • It’s definitely a growing problem with Rust. I have noticed my dependency trees growing from 20-50 a few years ago to usually 200-500 now.

    It’s not quite as bad as NPM yet, where it can easily get into the low thousands. Also the Rust projects I have tend to have justifiably large dependencies, e.g. wasmtime or Slint. I don’t think it’s unreasonable to expect a whole GUI toolkit to have quite a few dependencies. I have yet to find any dependencies that I thought were ridiculous like leftpad.

    We could definitely do with better tooling to handle supply chain attacks. Maybe even a way of (voluntarily) tying crate authors to verified real identities.

    But I also wouldn’t worry about it too much. If you are really worried, develop in a docker container, use a dependency cooldown, and whatever you do don’t use cryptocurrencies on your dev machine.