from Hacker News

On C popularity vs. Python, size of stdlib, package managers in languages

by urlwolf on 12/6/23, 11:23 PM with 18 comments

  • by weinzierl on 12/7/23, 11:26 AM

    "1. It complies on lots of architectures. Behold what Justine Tuney is doing :) Portable C is actually real!@

    There is no other language that runs on as many platforms as C, that much is true. If Justine Tunney's Portable C, as much as an accomplished as it is, is a practical solution is a different question.

    "2. You don't have to audit code from a lib, nor trust it by default"

    Now you have to audit the LLM generated code - all of it - and you have gained exactly nothing. It's even worse, because you can assume your library code has been tried and tested by others even if you don't trust them whereas you LLM generated code is fresh and new and probably full of quirks and missing corner cases.

    "3. You don't have to fear that updating packages in your system (or virtual env, or container) would break your 'batteries included' code"

    True, but you don't benefit from updates that fix bugs and security vulnerabilities that others have found for you.

    "4. You can do formal verification (this I know nothing about, just learning now on your prompting!)"

    You can, but how practical is it? Have you ever done it?

    "5. It's far easier to deploy"

    This is a valid point but I also think it depends a lot on your environment.

  • by gemstones on 12/7/23, 11:55 AM

    Aren’t most security vulnerabilities in C or C++ code? Seems a bit rich to point to C’s write-your-own approach as being a security benefit. I’d want to see some data on that before I arrive at that conclusion.

  • by mlsu on 12/7/23, 8:55 AM

    The "C is a shark" is really apt, I like it. Keeping that one for future use.

    "Write it yourself" ... I'm not so sure. It will come back in a limited way; stuff like leftpad is obviously stupid. But chatGPT is not good at tackling very large problems.

    I think GPT require both breadth (large context size) and depth (smarts) to create good programs, organized well, with consistent behavior. Some code is very local. It's easy to write yourself because it touches only a small bit around it. Competitive programming problems are like this. GPT is good at those. The jury is still out on its ability to do anything further.

    But a lot of code is far more global. It takes the work of a skilled programmer to take all of the small local pieces under an API and organize them to produce a cohesive whole. This large-scale organization of software is and always will be excruciating in a language like C.

    C is a shark, yes. A shark is a hundred million years old; it's fast, stealthy, and sleeps with one eye open. But try getting 20 sharks to collaborate in a hunt, like orcas do. It's simply impossible.

  • by habitue on 12/7/23, 3:36 PM

    I think the author is right that if writing small pieces of straightforward functionality is easier with coding assistants, then on the margin, people will use less dependencies.

    I definitely think C is the wrong language to do it in. A strong type system is an amazing counterbalance to LLM generated mistakes.

  • by maegul on 12/7/23, 1:58 PM

    The idea of GPT or code generators supplanting the need for libraries and languages with large standard libraries is likely jumping ahead with optimism.

    But … I think the idea is relevant and, security/QA issues aside, this is a real hard-to-see shift that might be brought on by AI: shifting of the equilibria and practicalities around what parts of the craft and profession are worth caring about and which are best left to the computer/AI.

    Dependencies vs “write it yourself” (with an AI). Syntax/API design for readability/comprehension vs for computer/AI parse-ability and thoroughness. Rewrite something to be better vs train an AI on its usage and move on.

  • by eqvinox on 12/7/23, 2:44 PM

    > [Packages] Then the cracks started to show. A security vulnerability here. […]

    > But C? You can actually perhaps write a solution in C as fast as one in python 'batteries included' now just because of those code generators.

    … sure, it might be fast and easy to pull some code out of <AI/ML of the day>. But the AI doesn't do security fixes for you. And it's trained on people's imperfect code, potentially including vulnerabilities.

    Whether this is a winning trade…

  • by cxr on 12/7/23, 2:19 PM

    On modern "language package managers": it's better to think of them in terms of what they are—orthogonal version control systems. You start with your main, base-level VCS (most commonly Git these days, and therefore not just a VCS, but a DVCS), and then you have this secondary hack of a version control system layered on top—or rather, interwoven directly into the source tree itself. With these secondary SCMs, you're manually writing the VCS metadata (version strings) using your text editor into a file or files that live right beside your source code (instead of a hidden directory that your project is completely agnostic to, like .git). This only exists because people don't really want to completely buy in to distributed version control after all (they still prefer to defer to the network for things they think "shouldn't be in version control[sic]") and in some instances they also don't think the base-level VCS has a rich enough (i.e. semantic) understanding of the objects it's managing.

    One of the interesting and unfortunate effects of this is that people don't notice it; because they think of these as package managers first (and as version control systems not at all), it means they're not graded against the standards that a version control system ought to be.

    (Additionally, if you start talking about disregarding conventional wisdom and checking your dependencies into version control[1][2], people become totally irrational and respond as if you're insisting they stop using package managers. You can keep using your current package manager and still check the dependencies in. The only thing you're changing is that when you run `npm update` or whatever, there's no entry in .gitignore that stops Git from picking up the changes. Again, people begin responding totally irrationally if you suggest that they should just let their primary VCS track the changes, as if you've instead just told them to untether themselves from the ISS and go out on their own. Nothing about "check your dependencies into version control" requires you stop tracking upstream, or anything else—it just means to check your dependencies into version control!)

    1. <https://www.forrestthewoods.com/blog/dependencies-belong-in-...>

    2. <https://news.ycombinator.com/item?id=38425042>

  • by rvz on 12/7/23, 11:40 AM

    > It will be abused by junior programmers and probably the code quality of humanity on average WILL go down. But that doesn't mean that you (as someone who has written code for decades) cannot use it as an extra pair of hands, knowing full well of the limitations.

    Not just juniors, but anyone who just want less programmers in general; seniors included. If you just hit generate in the prompt and still don't understand the code yourself,

    > 1. It complies on lots of architectures. Behold what Justine Tuney is doing :) Portable C is actually real!

    Very portable C/C++ level security vulnerabilities all in a single binary and executed on any platform. Fantastic! /s