> Please take a few days to review John Regehr’s excellent blog.
Haven't heard of him but will certainly give a read. Thanks for the heads up.
> Npm is the poster child for supply chain attacks.
The only reason C doesn't (often) have similar supply chain attacks is because pulling in dependencies is so hard that you aren't likely to end up with a 10k dependency project.
Hard to say that's really a plus.
Other ecosystems have their own problems and certainly aren't perfect. However, the toolchains are generally leaps and bounds ahead of what C currently has.
> you aren't likely to end up with a 10k dependency project.
> Hard to say that's really a plus.
I'll definitely call that a plus. All dependencies introduce risk. Sure, we can't avoid all dependencies, but carefully evaluating them and keeping the list small is a big win for maintainability and security.
If a random library has a 0.1% chance of having malicious code (I'd say it's more like 1%, but let's be generous), a 10K-dependency program is guaranteed to be pulling in at least something malicious.
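Worked out, the arithmetic behind that estimate (added here as an illustration, not part of the comment above; it assumes each of the $n$ dependencies is compromised independently with the same probability $p$, which is already optimistic since one maintainer account often controls many packages, so the real number is if anything higher):

$$P(\text{at least one malicious dependency}) = 1 - (1-p)^n$$

With $p = 0.001$ and $n = 10^4$:

$$(1-p)^n = 0.999^{10000} = e^{10000 \ln 0.999} \approx e^{-10.005} \approx 4.5 \times 10^{-5}, \qquad P \approx 0.99995$$

For comparison, $n = 100$ at the same $p$ gives $1 - 0.999^{100} \approx 0.095$, and $n = 100$ at $p = 0.01$ gives $1 - 0.99^{100} \approx 0.63$. The exponent is what matters: keeping the dependency count in the tens rather than the thousands changes the outcome from a near-certainty to a manageable risk.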
>The only reason C doesn't (often) have similar supply chain attacks is because pulling in dependencies is so hard that you aren't likely to end up with a 10k dependency project.
Or the lack of canonical package manager means the developer has to actually spend time to inspect the quality of each dependency instead of `npm install is-odd`ing like there is no tomorrow.
It also acts as a "filter" to prevent adding complexity to the dependency tree.
I do most of my heavy lifting with Git commit hashes via FetchContent and it's been pretty good, to be fair; there's a surprising number of well-written CMakeLists in popular lib repos.
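What pinning by commit hash with FetchContent looks like in practice, as an added example (this is illustrative CMake, not the commenter's build files or any real project's). The repository URLs, the 40-hex commit SHA, the tarball URL, its SHA-256 digest, and the `widgetlib`/`gadgetlib` target names are all hypothetical placeholders; the mutable-ref form is shown commented out for contrast with the pinned form, and the tarball variant goes one step beyond the comment by pinning archive contents with `URL_HASH`.

```cmake
cmake_minimum_required(VERSION 3.14)  # FetchContent_MakeAvailable needs 3.14+
project(pinned_deps LANGUAGES C)

include(FetchContent)

# Weak form (kept commented out, for contrast only): a branch name or a
# movable tag is resolved at configure time, so a force-push or a re-tagged
# release changes what you build with no change in your own repository.
# FetchContent_Declare(widgetlib
#   GIT_REPOSITORY https://example.com/acme/widgetlib.git   # hypothetical URL
#   GIT_TAG        main)

# Pinned form: a full 40-hex commit SHA (hypothetical value) names exactly one
# tree; git recomputes object hashes on fetch, so a substituted object cannot
# satisfy the checkout. GIT_SHALLOW is deliberately not set, because shallow
# fetches only work for refs the server advertises and a bare commit SHA is
# generally not one of them.
FetchContent_Declare(widgetlib
  GIT_REPOSITORY https://example.com/acme/widgetlib.git      # hypothetical URL
  GIT_TAG        0123456789abcdef0123456789abcdef01234567     # hypothetical SHA
)

# Variant for dependencies shipped as release tarballs: URL_HASH pins the
# archive bytes, so a replaced tarball fails the download step instead of
# silently building. Digest below is a hypothetical placeholder.
FetchContent_Declare(gadgetlib
  URL      https://example.com/acme/gadgetlib-1.2.3.tar.gz   # hypothetical URL
  URL_HASH SHA256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
)

FetchContent_MakeAvailable(widgetlib gadgetlib)

# Assumes each dependency's CMakeLists defines a target of the same name.
add_executable(app main.c)
target_link_libraries(app PRIVATE widgetlib gadgetlib)
```

Two caveats a practitioner will hit: a commit SHA pins the tree, not the build logic, so a dependency's own `CMakeLists.txt` can still run arbitrary commands at configure time (the pin just makes that content reviewable and stable), and bumping a pin should be a deliberate commit in your repo that someone reads the diff for, which is exactly the "filter" effect described above.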