Seconded, having to grab 9 crates just to get random numbers in Rust is my least favorite thing about the language. As AdaCore and Ferrous Systems work on the safety-critical Rust (Ferrocene), I'm hoping they create a vetted and well-tested subset of crates.io that I can just install from a tgz.
The fine granularity of dependencies that package managers have facilitated has made air-gapped development logistically very difficult. And it makes safety or security certifications impossible.
> Seconded, having to grab 9 crates just to get random numbers in Rust is my least favorite thing about the language.
I've noticed that crates can often include default features I don't want or need. If you don't include the default features ('cargo add --no-default-features rand' is what I did) then the only other crate pulled in is rand_core. I've gotten into the habit of reviewing the features and only including the ones I need. I don't know if there's a better solution that could be implemented somewhere upstream but this works for me.
If you don't like rand, don't use it. Frankly, if your goal is "just to get random numbers" rand is a wrong crate. Use fastrand instead, it has zero dependencies.
> The fine granularity of dependencies that package managers have facilitated has made air-gapped development logistically very difficult. And it makes safety or security certifications impossible.
Vendoring is kind of a pain. You start with a toml that has everything you think you'll need, then you grab all that, run it by Legal and the IT team, and copy it over. You find a new dependency and start again.
Before package managers you ended up with giant pseudo-stdlib libraries like Boost or Eigen, and you only needed a tiny piece, but once you brought it over you had it all, and it had no sub-dependencies to worry about. Monolithic was easier from a lot of standpoints. Crates.io is exactly what I'd want if I wasn't too worried about safety or security. It is far more productive. But if you make software that other companies use to help make themselves secure, then you are wearing a bullseye these days and it is kind of your job to be paranoid about deep dependency trees.
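As an added illustration, not from any of the commenters, here is what the two techniques discussed above look like in a project's config: the trimmed rand dependency from the `--no-default-features` comment, and the source replacement that `cargo vendor` emits so a build resolves only from a checked-in vendor/ directory. The crate version is an assumed placeholder.

```toml
# Cargo.toml (assumed project manifest; the version is a placeholder)
[dependencies]
# Default form: enables rand's default features and their transitive crates.
# rand = "0.8"
# Trimmed form: same as `cargo add --no-default-features rand`; per the
# comment above, only rand_core comes along, and each wanted feature must
# then be listed explicitly and reviewed.
rand = { version = "0.8", default-features = false }

# .cargo/config.toml, as printed by `cargo vendor` after it copies every
# resolved crate into vendor/. With this in place `cargo build --offline`
# never contacts crates.io, and a new dependency fails the build until it
# has been vendored (and reviewed) too.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
```

Checking vendor/ into the repository makes the reviewed set of crates the same artifact that gets built, which is the property the air-gap and certification concerns above are after.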
Maven and NuGet, especially the ability to ship binary libraries (including C and C++ ones), and have internal company repos where only IT- and Legal-vetted libraries are made available.