• 2 Posts
  • 15 Comments
Joined 1 year ago
cake
Cake day: July 20th, 2023

help-circle
  • I maintain a long-term Rust + Node.js project, and the Node side is the painful one.

    Node makes backwards-incompatible changes, and doesn’t have anything like the editions to keep old packages working. I can end up with some dependencies working only up to Node vX, and some other deps needing at least Node v(X+1).






  • To generate the LLVM code correctly you need to run build.rs if there is any, and run proc macros which are natively compiled compiler plugins, currently running without any sandbox.

    The final code isn’t run, but the build process of Cargo crates can involve running of arbitrary code.

    The compilation process can be sandboxed as a whole, but if it runs arbitrary code, a malicious crate could take over the build process and falsify the LLVM output.






  • I prefer data as is rather than having to double guess every search result

    What’s the bad scenario you’re worried about here? What type of data you’re specifically worried about? Do you expect me to maliciously manipulate the data, or is even well-intentioned curation and use of heuristics somehow not acceptable?

    My view on data cleanup is probably very different than other people’s, because I’ve spent a lot (likely too much) time with the crates’ data. The pure unadulterated source data is… bad. It’s very sparse (most crates don’t fill it in). It’s full of outdated information (set once and forgotten, wrong for forks). Some crates-io category slugs are pretty misleading, so tons of crates are miscategorized by their own authors: parsing is not for file parsers, database is not for databases. accessibility …I can’t even. Who put ogg parsers, gRPC, garrysmod, RFID readers in there?

    There are tons of name-squatted crates, ferris guessing games, or just people’s baby steps in Rust. If you search on crates.io you often get the pure data of someone publishing a crate years ago and forgetting about it. This is pure, this is ranked objectively, this is curated and subjective.

    crates-io shows you plainly only the license of the crate you’re looking at. lib.rs goes further and checks if the crate has any dependencies which are GPL, because if a crate says it’s MIT but has GPL deps, it actually is GPL.

    crates-io shows you repository URL exactly as-is specified in the metadata, which could be inaccurate (in case of forks) or outright fake (someone else’s repo). lib.rs checks if the repository URL actually contains the crate or has the same owner as the crate, and will add a link to the true source code if the repo url is suspicious.

    crates-io shows owners’ names from the free-form name field, so somebody malicious could pretend to be a well-known trusted user. lib.rs only allows display names for established/reputable accounts, and uses login name for new/untrusted accounts.



  • The context here is that it was after I had a heated megathread in the bugtracker where multiple people were defending cryptocurrencies on their merits as money, decentralization tool, or an ideal to aspire to.

    Burntsushi’s objection was different form these, in a subtle way, and I needed more explanation to understand the difference. His phrasing with “sneering” — to me — was not clear (I understood it as “don’t sneer at cryptocurrencies, because they don’t deserve to be sneered at” rather than “cryptocurrencies are bullshit, but you can’t say it so directly and rudely”).

    Additionally, I did not want to invite another bugtracker megathread about cryptocurrencies, which is why I tested his patience asking for a statement, rather than merely linking to the bugtracker like he asked. I see it as an ask, perhaps negotiation. I don’t think that exchange deserves to be summed up as “crap”.

    Anyway, I’m probably testing your patience too, so have a nice day!


  • (you’re replying to the guy who runs lib.rs and responded to burntshushi in that thread)

    The initial request was just a question about removal, without getting into why, so it had no stance to misrepresent. The text I proposed was prefaced with “how about: …?”, and based on reasons I’ve been given previously by other people. That was a question whether that’s the right representation, not a statement. I made a wrong assumption, the text wasn’t right, so we found a different one that satisfied him.


  • Why do you say like crap? I took time to understand his position and reasons (which was helpful, because they were different reasons than requests before that). We’ve agreed on a way forward, and I have fulfilled his wish. It has been a bit frustrating for both of us, because it was in essence a conflict, but I think it’s been resolved in a civil way.


  • lib.rs author here.

    The visible deprecation label was unintentional. I agree that labelling an actively maintained crate as unmaintained is wrong, regardless of what the crate is for. If I wanted to mess with the bitcoin page, there are plenty of true negative things that I could have said about bitcoin, and you know I wouldn’t be shy about it.

    I do think that use of bitcoin during a climate crisis and an energy crisis is immoral. Bitcoin is like a button that gives you $1000 now, but kills someone else in the future. This is not something that deserves polite acceptance. Seriously, I beg you at least switch to proof-of-stake schemes if you must.

    However, in this particular case I did not mean to label it as unmaintained, since that’s plainly incorrect. You’re right to be upset, and right to be suspicious about the incorrect label given my reputation as cryptocurrency hater. However, I’m still disappointed that the community reaction was immediate pitchforks and burn-the-site-down pile-on, followed by even more scrutiny and viewing my smallest actions in the worst possible light. Couldn’t you first ask if it was meant like this and wait for my response?

    I’ve meant to downrank all crates using the bitcoin crate. Downranking of them is IMHO a fair game, since bitcoin-dependent crates are not relevant to my intended target audience.

    Apart from that, I’ve also got some feedback that it’s not acceptable to change or augment any crate metadata at all. The site does change crate data en masse, but when it works right this is a feature. For example, it guesses categories when they’re missing or are likely invalid (everyone gets the “parsing” category wrong). The site has a ranking algorithm, which IMHO makes its search really helpful, noticeably better than crates.io’s. But by necessity it includes many ranking signals, which are imperfect, and the choice of the signals is inherently subjective (e.g. just sorting by downloads would be more transparent, but it’s still just a different subjective choice, and has its own downsides).

    I’m open to feedback how to make it clearer that the site is unofficial, opinionated, and a mashup of data sources and heuristics. I don’t think there’s a point of running lib.rs without the data cleanups or ranking. This would reduce it to only mere redundant duplicate of crates.io. I want to make something clearly better, beyond what pure crates.io can do.

    But there are 120K crates and growing, so this is a hard task. If I’m going to get a load crap for every buggy boolean, I don’t want to run the site. It exists for the community, and if the community thinks I’m a villain, then why should I bother.