HACKER Q&A
📣 scrubs

Go vs. Rust Dependency Management


The purpose of this question is to assess Rust's cargo feature relative to Go insofar as build dependency management goes. At my employer, where C++ is heavily used, there might be an in for Rust development by arguing it's substantially easier to build, plus memory safety.

Here's a first cut on dependency management comparison:

Feature: Go tells me what modules by version are in a build (go mod list -a)

         Rust: ?
Feature: Go is able to retrieve dependent code from Git, preferring but not insisting on SemVer Git tags.

         Rust: ?
Feature: Go MVS resolution is able to compute module versions for a logically empty go.mod requires section, including dealing with dependency diamonds. For example, https://research.swtch.com/vgo-mvs gives a diamond where B 1.2 and C 1.2 depend on different versions of D. MVS has to choose one version for a build. Programmers don't have to hand list dependencies, because dependencies are found through imports when compiling code, and further resolved through MVS.

         Rust: ?
Feature: Go MVS resolution can find upgrades of dependent modules. There are at least two ways to do this. Go doesn't guarantee the resulting code plus updated go.mod builds after upgrade, but it can at least find modules with higher versions without crossing major version boundaries.

         Rust: ?
Feature: Go allows me to vendorize 3rd party code so that builds can be done inside one's company without making build machines open up ports to access the internet. Here Go's default behavior comes with some security risk. Vendor libraries are a workaround.

         Rust: ?
Feature: Go allows me to hand enter an indirect dependency in go.mod so I can work around dependency/build problems without modifying the called code. This may not always work in all situations but it gives me a way to keep things local, targeted.

         Rust: ?
Feature: Go allows me to share library code through Git URLs on imports. There is no need to make archive or shared libraries, headers which must be staged somewhere as with C/C++.

         Rust: ?


  👤 steveklabnik Accepted Answer ✓
1. cargo tree

2. same, though most people depend on versions from crates.io (or another registry) rather than git

3. you list your dependencies in Cargo.toml, and it will figure out all of the needed transitive dependencies and versions

4. same, via cargo update

5. same, via 'cargo vendor'

6. same, via the 'patch' section in Cargo.toml
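
For points 1 and 2 of the answer, here is an added example (not part of the original answer, and not Cargo's own code) that inventories the resolved dependency set recorded in a Cargo.lock file, the same graph `cargo tree` displays. It lists every crate by version, flags crates that do not come from a registry, and reports crates present in more than one version, which is how Cargo can resolve a diamond on semver-incompatible versions. The lock excerpt is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
# Constructed Cargo.lock excerpt; crate names, versions and the git URL are made up
# (dependencies arrays and checksums omitted).
SAMPLE_LOCK = """\
[[package]]
name = "app"
version = "0.1.0"
[[package]]
name = "d"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "d"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "e"
version = "0.4.0"
source = "git+https://git.example.com/team/e.git?tag=v0.4.0#0123abc"
"""

KV = re.compile(r'^(name|version|source) = "(.*)"$')

def parse_lock(text):
    """One dict per [[package]] table, keeping only name/version/source."""
    pkgs = []
    for line in map(str.strip, text.splitlines()):
        if line == "[[package]]":
            pkgs.append({})
        elif pkgs and (m := KV.match(line)):
            pkgs[-1][m.group(1)] = m.group(2)
    return pkgs

def source_kind(pkg):
    # No "source" key means a workspace member or path dependency.
    return pkg.get("source", "path+").split("+", 1)[0]

def inventory(text):
    pkgs = parse_lock(text)
    versions = defaultdict(set)
    for p in pkgs:
        versions[p["name"]].add(p["version"])
    return {
        "crates": sorted((p["name"], p["version"], source_kind(p)) for p in pkgs),
        "multi_version": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
        "non_registry": sorted(p["name"] for p in pkgs if source_kind(p) != "registry"),
    }

if __name__ == "__main__":
    print(inventory(SAMPLE_LOCK))
```

Crates reported under `non_registry` with kind `git` are the ones to review for pinning, since a branch or tag reference can move while a registry version cannot be replaced once published.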