I’d love static analysis that finds which functions may panic, which are guaranteed not to. On a related note, it’d be nice to be able to hoist panics out of loops and coalesce multiple consecutive assertions into one (llvm can’t do it, because partially done work is a side effect).
To generate the LLVM code correctly you need to run build.rs if there is any, and run proc macros which are natively compiled compiler plugins, currently running without any sandbox.
The final code isn’t run, but the build process of Cargo crates can involve running of arbitrary code.
The compilation process can be sandboxed as a whole, but if it runs arbitrary code, a malicious crate could take over the build process and falsify the LLVM output.
Yes, it’s Blink without the bits that Google doesn’t share (I wanted to be precise that nobody can compile actual Chrome from public sources, they can build Chromium which is almost but not quite the same)
Vivaldi uses the same engine as Chromium, and the company has been founded by ex Opera developers.
Plus you can make certain sites always automatically open in their designated container, even if you followed a link. You can keep sites know for spying away from your logged in identity. You can have your banking and other important sites in another container for extra defense in depth.
lib.rs author here.
The visible deprecation label was unintentional. I agree that labelling an actively maintained crate as unmaintained is wrong, regardless of what the crate is for. If I wanted to mess with the bitcoin page, there are plenty of true negative things that I could have said about bitcoin, and you know I wouldn’t be shy about it.
I do think that use of bitcoin during a climate crisis and an energy crisis is immoral. Bitcoin is like a button that gives you $1000 now, but kills someone else in the future. This is not something that deserves polite acceptance. Seriously, I beg you at least switch to proof-of-stake schemes if you must.
However, in this particular case I did not mean to label it as unmaintained, since that’s plainly incorrect. You’re right to be upset, and right to be suspicious about the incorrect label given my reputation as cryptocurrency hater. However, I’m still disappointed that the community reaction was immediate pitchforks and burn-the-site-down pile-on, followed by even more scrutiny and viewing my smallest actions in the worst possible light. Couldn’t you first ask if it was meant like this and wait for my response?
I’ve meant to downrank all crates using the bitcoin crate. Downranking of them is IMHO a fair game, since bitcoin-dependent crates are not relevant to my intended target audience.
Apart from that, I’ve also got some feedback that it’s not acceptable to change or augment any crate metadata at all. The site does change crate data en masse, but when it works right this is a feature. For example, it guesses categories when they’re missing or are likely invalid (everyone gets the “parsing” category wrong). The site has a ranking algorithm, which IMHO makes its search really helpful, noticeably better than crates.io’s. But by necessity it includes many ranking signals, which are imperfect, and the choice of the signals is inherently subjective (e.g. just sorting by downloads would be more transparent, but it’s still just a different subjective choice, and has its own downsides).
I’m open to feedback how to make it clearer that the site is unofficial, opinionated, and a mashup of data sources and heuristics. I don’t think there’s a point of running lib.rs without the data cleanups or ranking. This would reduce it to only mere redundant duplicate of crates.io. I want to make something clearly better, beyond what pure crates.io can do.
But there are 120K crates and growing, so this is a hard task. If I’m going to get a load crap for every buggy boolean, I don’t want to run the site. It exists for the community, and if the community thinks I’m a villain, then why should I bother.
https://crates.io/search?q=git (finds dead placeholder, no git2 in sight) vs https://lib.rs/search?q=git (finds git2 first)
https://crates.io/search?q=option (dead placeholder again, and every crate that contains “at your option” in license) vs https://lib.rs/search?q=option (finds Option helpers and cli parsers)
https://crates.io/search?q=database vs https://lib.rs/search?q=database
https://crates.io/search?q=error (7-year-old crate, podcast-api!?) vs https://lib.rs/search?q=error (anyhow + thiserror first)
https://crates.io/search?q=sedre (typo) vs https://lib.rs/search?q=sedre (did you mean serde?)
crates.io is fine when you know the name of the crate you want (navigation searches), but is full of noise for broader queries. It doesn’t eliminate namesquatted garbage nor obsolete crates. It searches all text including tangential boilerplate. It shows fewer results per page. OTOH lib.rs filters out the noise. It also understands words with multiple meanings and ensures all meanings are included (e.g. search for “http” knows to include “http client” and “http server” and asks you to clarify which meaning you wanted).
I maintain a long-term Rust + Node.js project, and the Node side is the painful one.
Node makes backwards-incompatible changes, and doesn’t have anything like the editions to keep old packages working. I can end up with some dependencies working only up to Node vX, and some other deps needing at least Node v(X+1).