by throwaway_3850 1273 days ago
Standards and requirements will change, bits will rot, and I'm not expecting any ecosystem to keep up with coming and going demands.

A better solution imho would be project level capabilities, so you can pull in a dependency but restrict its lib/syscall access, so it would not compile when it turns malicious.

Maybe it will solve at least something, maybe some day.

Agree. I'd like to see an OpenBSD pledge(2) type system for libraries. So you can mask individual library capabilities rather than just programs. I don't want a web server that can write to the file system and I don't want a CSV reader that can talk to the network.

Doing this kind of thing at the library level is generally not very useful, because security protections between things running in the same process are hard to make very strong.

This is a limitation of the particular language/ecosystem though; it's feasible in a new language that has this security baked in to the language primitives.
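The thread sketches per-dependency capability masking (a CSV reader that may not reach the network) and then notes that an in-process check is hard to make strong. The following is an added illustration, not code from any commenter or from any real ecosystem feature: it runs a constructed dependency with a guarded `__import__` so that any import outside the capabilities declared for it fails at load time. Module names `csv_reader_dep`, the capability set `CSV_READER_CAPS` and the two dependency sources are constructed for the example.

```python
import builtins
from typing import Iterable, Tuple, Optional


class CapabilityViolation(ImportError):
    """Raised when a dependency imports a module outside its declared capabilities."""


def make_guarded_import(dep_name: str, allowed_top_level: Iterable[str]):
    """Return an __import__ replacement that only permits the listed top-level modules.

    Checked on every import statement, so a module already cached in
    sys.modules is still refused (a meta-path finder alone would miss those).
    """
    allowed = set(allowed_top_level)
    real_import = builtins.__import__

    def guarded_import(name, glob=None, loc=None, fromlist=(), level=0):
        top = name.split(".")[0]
        if level == 0 and top not in allowed:
            raise CapabilityViolation(
                f"{dep_name}: import of {name!r} is outside its declared "
                f"capabilities {sorted(allowed)}"
            )
        return real_import(name, glob, loc, fromlist, level)

    return guarded_import


def run_dependency(dep_name: str, source: str, allowed: Iterable[str]) -> dict:
    """Execute dependency source with a builtins namespace whose __import__ is guarded.

    The import statement resolves __import__ through the frame's builtins, so a
    copy of the real builtins with the guard swapped in covers every import the
    dependency's own code performs.
    """
    guarded_builtins = dict(vars(builtins))
    guarded_builtins["__import__"] = make_guarded_import(dep_name, allowed)
    namespace = {"__name__": dep_name, "__builtins__": guarded_builtins}
    exec(compile(source, f"<{dep_name}>", "exec"), namespace)
    return namespace


# Constructed capability declaration for a CSV-reading dependency: parsing
# modules only, no networking.
CSV_READER_CAPS = {"csv", "io"}

# Constructed dependency source that stays within its capabilities.
BENIGN_CSV_READER = """
import csv, io

def read(text):
    return list(csv.reader(io.StringIO(text)))
"""

# The same constructed dependency after a change that pulls in networking,
# which a CSV reader's declared capabilities do not cover.
CHANGED_CSV_READER = BENIGN_CSV_READER + """
import socket
"""


def load_csv_reader(source: str) -> Tuple[Optional[object], Optional[str]]:
    """Load the dependency under its capability set.

    Returns (read_function, None) on success or (None, reason) when the
    dependency tried to import something outside CSV_READER_CAPS.
    """
    try:
        namespace = run_dependency("csv_reader_dep", source, CSV_READER_CAPS)
        return namespace["read"], None
    except CapabilityViolation as exc:
        return None, str(exc)


if __name__ == "__main__":
    read, err = load_csv_reader(BENIGN_CSV_READER)
    print("benign:", read("a,b\n1,2\n"), err)
    read, err = load_csv_reader(CHANGED_CSV_READER)
    print("changed:", read, err)
```

The guard answers the "would not compile when it turns malicious" wish only for imports the dependency's own statements perform; it shares the process with the application, so any reference to `sys.modules` or to a socket object that another permitted module hands back is not stopped by it. That is the same-process weakness the reply above raises, and the reason this reads as a load-time policy check rather than a boundary of the kind pledge(2) gives a whole process.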