9 comments

[ 4.5 ms ] story [ 28.9 ms ] thread
This is not even the first project like this named stdx.

While many people say they want something like this, in practice, most people prefer the status quo. Maybe this time will be different, we’ll see!

A single guy vibecoded a “stdlib” with Deepseek?
This is a collection of forked open source crates bundled together with open model vibe coding?

> the code written by AI is more robust than by humans because more edge cases are tested.

This is at least a mildly concerning take to see in a blog post announcing a solution to supply chain security.

It seems like this boils down to: don’t trust the original authors to maintain the packages they wrote, trust me and my LLM instead.

Personally I think this is the wrong solution. I want crowd-sourced auditing for the existing ecosystem, not forked/vibecoded alternatives.
> Cryptographic code is famously hard, with many, many footguns haunting unsuspecting developers (and even experts!).

> But, cryptography also has something that you likely won't find in any other domain: an extensive public collection of test vectors, particularly for edge cases. Every algorithm specification come with a basic suite of test vectors, but there are also community-built wonders such as Wycheproof.

> These test vectors, combined with the official specification documents of the crypto algorithms were rather effective to guide the coding agents and avoid the worst hallucinations.

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

The first rule about implementing in crypto is don't roll your own. But if you do, the second rule is that you have to actually deeply understand every algorithm you implement, and every interaction between every system they touch. The appropriate ratio between time spent reading research papers and time spent writing production code is well north of 100:1. You cannot get crypto right by doing it one small piece at a time. You cannot black box it by using tests. There is not a test for every corner case, the corner cases are lethal, and if your library is ever actually used for anything even remotely important, there absolutely will be attackers constructing those corner cases to attack your system.

The short version is that absolutely no-one should ever use this.

...but why?

Seriously, this needs some more justification:

> Only big and well-funded organization are able to build the internal tooling and libraries requireed to securely ship large Rust projects.

Leaving aside the (real!) problems other commenters have highlighted, before even getting to those issues I have a small foundational question:

Is this actually a real problem?

I like the idea of an extended standard lib for Rust, but coding was never the hard part. The hard part is getting everyone to agree what should be in it. If you can get everyone to agree to an api then the rest can easily be filled in (with or without vibe coding).
IIUC this just pulls in various other crates with some vibe-coding on top. I'm not familiar with the Rust dependency system, but what is the need to have copies of the code? Would it not suffice to just have an "empty" crate that just depends on the original crates?