by baby 1120 days ago
Interesting stuff! I think everyone seems to come up with their own solutions. I think security in general is a matter of who you trust, and things only work when we build a network of trust.

Imagine if all companies and Rust developers started sharing what crates they were confident in + what other organizations they trust as well. If you could then create your own set of such companies, and then choose a dependency depth you were willing to go down to, you might be able to quickly vet a number of crates this way, or at least see the weird crates that demand a bit more attention.

If this could be added to whackadep[1] then you'd be able to monitor your Rust repo pretty solidly!

[1]: https://www.cryptologie.net/article/550/supply-chain-attacks...
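The scheme the comment sketches (orgs publish which crates they vouch for and which other orgs they trust; you pick your root orgs and a maximum trust depth; anything not reached is flagged for review) is easy to prototype as a bounded graph walk. The block below is an added example written for this page; it is not the commenter's code and not part of whackadep. All org names, crate names and trust statements in it are constructed sample data, and `TrustStatement`, `Verdict`, `reachable_orgs` and `vet_dependencies` are names chosen here, not an existing API.

```rust
use std::collections::{BTreeMap, HashMap, VecDeque};

/// What one organization publishes: the crates it vouches for and the
/// other organizations whose vetting it is willing to rely on.
#[derive(Debug, Clone)]
pub struct TrustStatement {
    pub crates: Vec<&'static str>,
    pub orgs: Vec<&'static str>,
}

/// Verdict for one dependency: which org vouched for it and how many
/// trust hops that org sits from the chosen roots (0 = a root itself).
#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Verdict {
    Trusted { via: String, depth: usize },
    NeedsReview,
}

/// Breadth-first walk over the org-trusts-org edges, starting from the
/// roots you picked and stopping at `max_depth` hops. Returns each org
/// reached together with its shortest hop count. Cycles (A trusts B
/// trusts A) are harmless because an org is only enqueued once.
pub fn reachable_orgs<'a>(
    statements: &HashMap<&'a str, TrustStatement>,
    roots: &[&'a str],
    max_depth: usize,
) -> BTreeMap<String, usize> {
    let mut depth_of: BTreeMap<String, usize> = BTreeMap::new();
    let mut queue: VecDeque<(&'a str, usize)> = VecDeque::new();
    for root in roots {
        if depth_of.insert(root.to_string(), 0).is_none() {
            queue.push_back((*root, 0));
        }
    }
    while let Some((org, depth)) = queue.pop_front() {
        if depth >= max_depth {
            continue;
        }
        let stmt = match statements.get(org) {
            Some(s) => s,
            None => continue, // named by someone but published nothing itself
        };
        for next in &stmt.orgs {
            if !depth_of.contains_key(*next) {
                depth_of.insert(next.to_string(), depth + 1);
                queue.push_back((*next, depth + 1));
            }
        }
    }
    depth_of
}

/// Vet a dependency list against the orgs within the trust horizon.
/// A crate is trusted when any reachable org vouches for it; the verdict
/// names the closest such org so you can see how far trust was stretched.
pub fn vet_dependencies<'a>(
    statements: &HashMap<&'a str, TrustStatement>,
    roots: &[&'a str],
    max_depth: usize,
    dependencies: &[&str],
) -> BTreeMap<String, Verdict> {
    let horizon = reachable_orgs(statements, roots, max_depth);
    // crate name -> (closest vouching org, its depth)
    let mut vouched: HashMap<&'a str, (String, usize)> = HashMap::new();
    for (org, depth) in &horizon {
        if let Some(stmt) = statements.get(org.as_str()) {
            for krate in &stmt.crates {
                let closer = vouched.get(*krate).map_or(true, |(_, d)| depth < d);
                if closer {
                    vouched.insert(*krate, (org.clone(), *depth));
                }
            }
        }
    }
    dependencies
        .iter()
        .map(|dep| {
            let verdict = match vouched.get(*dep) {
                Some((via, depth)) => Verdict::Trusted { via: via.clone(), depth: *depth },
                None => Verdict::NeedsReview,
            };
            (dep.to_string(), verdict)
        })
        .collect()
}

/// Constructed sample data (made-up orgs and statements, not real ones):
/// acme trusts ferris-labs, which trusts crab-co, which trusts acme again.
pub fn sample_statements() -> HashMap<&'static str, TrustStatement> {
    let mut m = HashMap::new();
    m.insert("acme", TrustStatement { crates: vec!["serde", "tokio"], orgs: vec!["ferris-labs"] });
    m.insert("ferris-labs", TrustStatement { crates: vec!["rand", "ring"], orgs: vec!["crab-co"] });
    m.insert("crab-co", TrustStatement { crates: vec!["tiny-util"], orgs: vec!["acme"] });
    m
}

fn main() {
    let statements = sample_statements();
    let deps = ["serde", "rand", "tiny-util", "sketchy-sys"];
    for depth in 0..=2 {
        println!("trust depth {}:", depth);
        for (krate, verdict) in vet_dependencies(&statements, &["acme"], depth, &deps) {
            println!("  {:<12} {:?}", krate, verdict);
        }
    }
}
```

Running it shows the effect of the depth knob: at depth 0 only acme's own list counts, at depth 1 ferris-labs' crates join, and tiny-util only becomes trusted at depth 2; sketchy-sys is never vouched for and stays flagged. Two caveats for anyone turning this into a real tool: the example keys on crate names only, whereas a real statement should vouch for specific versions or checksums, and the statements themselves need to be signed and fetched over an authenticated channel, otherwise the trust graph is just another thing an attacker can edit.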