• 2 Posts
  • 4 Comments
Joined 1 year ago
cake
Cake day: July 20th, 2023

help-circle
  • I maintain a long-term Rust + Node.js project, and the Node side is the painful one.

    Node makes backwards-incompatible changes, and doesn’t have anything like the editions to keep old packages working. I can end up with some dependencies working only up to Node vX, and some other deps needing at least Node v(X+1).



  • To generate the LLVM code correctly you need to run build.rs if there is any, and run proc macros which are natively compiled compiler plugins, currently running without any sandbox.

    The final code isn’t run, but the build process of Cargo crates can involve running of arbitrary code.

    The compilation process can be sandboxed as a whole, but if it runs arbitrary code, a malicious crate could take over the build process and falsify the LLVM output.


  • Because it works everywhere, because it’s so old.

    The next best option, a decade old WebP, is a mixed bag. In its best-compressing mode it will lower color resolution and add fringing like a JPEG. In its lossless mode it may be bigger than GIF.

    If you have an option to use a proper video format, go for it. But often sites just allow upload of GIFs. If you send a newsletter you never know how primitive (Outlook) the client will be.