Hacker News
by IshKebab 1143 days ago
Are you worried about supply chain attacks? Because those are still extremely rare.

Or are you worried about bugs in dependencies? Because it's not like C sudo doesn't have dependencies.

Would you prefer that they implemented SHA2 themselves rather than using the battle tested crate that everyone else uses?


For something like this, I think I would actually prefer that they copied existing code for hashing. It's simple and stable enough to avoid taking a dependency.
Existing code like the code in the sha2 crate??
Sure. Or rather the parts of it that they're actually using.
What would be the point of that?
A single bundle of code is easier to audit and easier to package.
It's harder to package if you're using Cargo. Using the sha2 crate is one line. Copying the code into your project is a ton more work.

Ease of auditing is debatable. Using shared popular libraries gives the benefit of lots of people using them.

Plus actual code audits are very rare and of dubious value. They're mostly useful for finding out how well written the code is rather than finding bugs. For that you basically want fuzzing.