This is a collection of forked open source crates bundled together with open model vibe coding?<p>> the code written by AI is more robust than by humans because more edge cases are tested.<p>This is at least a mildly concerning take to see in a blog post announcing a solution to supply chain security.<p>It seems like this boils down to: don’t trust the original authors to maintain the packages they wrote, trust me and my LLM instead.
And just decided to relicense those forks with no real regard.<p>Also, it’s a loooong way from the self-contained goal—- there are a lot of third-party crates as dependencies still.<p>Yikes.
This whole article is red flags. (Mental health issues including narcissism?)<p><pre><code> - No mention of what specifically it does
- No mention of the advantages and stated reasons for having small std and core libs
- Libs mentioned as being "shipped" by the author have no commits by him or her.
- No comparison in the specifics to how it's handling
- Uses phrasing which might (IMO deliberately) confuse people into thinking this is official.</code></pre>
My personal preference would be to avoid a project whose maintainers push vibe-coded commits with one-line messages like "crypto: accelerate aes256" [1], especially when said commits introduce large blocks of unreadable inline assembly!<p>[1]: <a href="https://github.com/rust-stdx/stdx/commit/550c11b75804392e3661ab3de636b0c43d4ec940" rel="nofollow">https://github.com/rust-stdx/stdx/commit/550c11b75804392e366...</a>
This is not even the first project like this named stdx.<p>While many people say they want something like this, in practice, most people prefer the status quo. Maybe this time will be different, we’ll see!
> Cryptographic code is famously hard, with many, many footguns haunting unsuspecting developers (and even experts!).<p>> But, cryptography also has something that you likely won't find in any other domain: an extensive public collection of test vectors, particularly for edge cases. Every algorithm specification come with a basic suite of test vectors, but there are also community-built wonders such as Wycheproof.<p>> These test vectors, combined with the official specification documents of the crypto algorithms were rather effective to guide the coding agents and avoid the worst hallucinations.<p>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA<p>The first rule about implementing in crypto is don't roll your own. But if you do, the second rule is that you have to actually deeply understand every algorithm you implement, and every interaction between every system they touch. The appropriate ratio between time spent reading research papers and time spent writing production code is well north of 100:1. You cannot get crypto right by doing it one small piece at a time. You cannot black box it by using tests. There is not a test for every corner case, the corner cases are lethal, and if your library is ever actually used for anything even remotely important, there absolutely will be attackers constructing those corner cases to attack your system.<p>The short version is that absolutely no-one should ever use this.
Here it's important to take into account the consequences / cost of false positive vs false negatives.<p>If you're building a dashboard for visualizing something fun (hot dog sales in sport games) then the corner case error has low cost. I'm happy having this vibe coded dashboard that works 99/100 and my world is better with it existing.<p>Crypto is on the opposite scale (and I'm surprised this blog doesn't realize it): 9999/10000 isn't good enough because the corner cases have dire consequences. So, yeah, bad example for vibe coding
With crypto publicly available tests come in form of KATs (Known Answer Tests), it ensures that the implementation works for certain inputs and thus it'll probably work for the whole domain, but it does not protect from subtle forms of weaknesses such as side channels.<p><i>The short version is that absolutely no-one should ever use this.</i><p>Ditto.
Test vectors won't protect you against side-channels. This guy is a walking illustration of Dunning-Kruger, and calling it "Rust's extended standard library" as if it has any kind of official status is just deranged.
Personally I think this is the wrong solution. I want crowd-sourced auditing for the existing ecosystem, not forked/vibecoded alternatives.
A single guy vibecoded a “stdlib” with Deepseek?
...but why?<p>Seriously, this needs some
more justification:<p>> Only big and well-funded organization are able to build the internal tooling and libraries requireed to securely ship large Rust projects.<p>Leaving aside the (real!) problems other commenters have highlighted, before even getting to those issues I have a small foundational question:<p>Is this actually a real problem?