zlacker

>>MrBudd+(OP)
I would rather check urls with the following method:

  echo -e -n "https://іnstall.example-clі.dev" | python -c 'exec("""import sys, unicodedata\nfor ch in sys.stdin.read():\n  try:\n    print (ch, " ", unicodedata.name(ch))\n  except ValueError:\n    print ("codepoint ", ord(ch))\n""")'

instead of putting my trust in the hundreds of crates in this tool's Cargo.lock not having a supply chain attack.

>>nullif+Uha
How on Earth did something like this become the norm? I don't work with software like most here, but just opening the Cargo.lock file sets off an alarm in my brain.

After seeing how much stuff was pulled when I once installed a couple programs with cargo, I added it to the "don't touch a project if it's made with this language" pile, alongside NIM and Python (though Python I can't quite avoid).

>>whatis+FKa
Go write a floating point package, by yourself (no AI assistance), from scratch. Then you will understand.

>>mayhem+rbb
Sure, the decision to "offload" some components is understandable, and sometimes preferred (crypto libs, etc). We're not all masters of every field. But if you do it 200+ times I'll question what you're even trying to do.

>>whatis+mdb
You don't; you import 3-4 libraries that do what you need, each of them imports 10-30 libraries they need, next thing you know, you've got 100 dependencies.

I don't really see the big deal--for as long as I've been using Linux, which is over 20 years now, installing many packages requires pulling in dozens of other packages, themselves perhaps composed of multiple libraries... The problem is they come from cargo and not a distro? I get the problem with the language repos being more prone to supply chain attack than distro repos, but i don't really get the impression it was ever normal to build complete apps without dependencies.