> the code written by AI is more robust than by humans because more edge cases are tested.
This is at least a mildly concerning take to see in a blog post announcing a solution to supply chain security.
It seems like this boils down to: don’t trust the original authors to maintain the packages they wrote, trust me and my LLM instead.
Also, it’s a loooong way from the self-contained goal—- there are a lot of third-party crates as dependencies still.
Yikes.
- No mention of what specifically it does
- No mention of the advantages and stated reasons for having small std and core libs
- Libs mentioned as being "shipped" by the author have no commits by him or her.
- No comparison in the specifics to how it's handling
- Uses phrasing which might (IMO deliberately) confuse people into thinking this is official.> But, cryptography also has something that you likely won't find in any other domain: an extensive public collection of test vectors, particularly for edge cases. Every algorithm specification come with a basic suite of test vectors, but there are also community-built wonders such as Wycheproof.
> These test vectors, combined with the official specification documents of the crypto algorithms were rather effective to guide the coding agents and avoid the worst hallucinations.
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
The first rule about implementing in crypto is don't roll your own. But if you do, the second rule is that you have to actually deeply understand every algorithm you implement, and every interaction between every system they touch. The appropriate ratio between time spent reading research papers and time spent writing production code is well north of 100:1. You cannot get crypto right by doing it one small piece at a time. You cannot black box it by using tests. There is not a test for every corner case, the corner cases are lethal, and if your library is ever actually used for anything even remotely important, there absolutely will be attackers constructing those corner cases to attack your system.
The short version is that absolutely no-one should ever use this.
The short version is that absolutely no-one should ever use this.
Ditto.
Seriously, this needs some more justification:
> Only big and well-funded organization are able to build the internal tooling and libraries requireed to securely ship large Rust projects.
Leaving aside the (real!) problems other commenters have highlighted, before even getting to those issues I have a small foundational question:
Is this actually a real problem?
The author is an individual claiming the ability to author and maintain a standard library
… to be used by small orgs who do not have the resources to author and maintain a standard library.
[1]: https://github.com/rust-stdx/stdx/commit/550c11b75804392e366...
If you're building a dashboard for visualizing something fun (hot dog sales in sport games) then the corner case error has low cost. I'm happy having this vibe coded dashboard that works 99/100 and my world is better with it existing.
Crypto is on the opposite scale (and I'm surprised this blog doesn't realize it): 9999/10000 isn't good enough because the corner cases have dire consequences. So, yeah, bad example for vibe coding
steveklabnik•2h ago
While many people say they want something like this, in practice, most people prefer the status quo. Maybe this time will be different, we’ll see!