by zelly 1326 days ago
So when do we get the worldwide 0-day caused by a malicious crates package?

The kernel and, say, Chromium don't use crates.io. They (will) vendor what they need, which they can update when they need to and when they've reviewed the dependencies.

Unless that 0-day comes from some other software, it seems unlikely that we'll get such a worldwide supply chain issue.

Firefox, on the other hand, seems to download a ton of Rust packages during the build as opposed to vendoring. (Debian maintains a bunch of hacks to allow vendoring all the Rust components, but this isn't the default or the approach taken by other distros, e.g. Arch Linux.)

No, Firefox vendors everything it uses. Debian has no patches wrt vendoring of Rust code in Firefox. Source: I work for Mozilla and maintain the Debian Firefox package.

Thank you, I appreciate the correction. Did this change at some point in the past? I seem to remember the Arch Linux package downloading a ton of Rust stuff at one point.

No, it has always used vendored crates. Well, technically, it wasn't using vendored crates until https://bugzilla.mozilla.org/show_bug.cgi?id=1298422, but before that, there were only a limited number of crates in use, and their only dependencies were local, so practically, that's the same thing.