by meragrin_
839 days ago
So what in there guarantees I can get the same thing they audited?
GrumpySloth
839 days ago
Version numbers. You can’t modify an already-published version of a Rust crate on crates.io.
palata
838 days ago
Who in practice pins their dependencies (transitive included) on audited versions?
rockdoe
838 days ago
Small companies with little development experience like Google and Mozilla.
(You can check the files I linked and see audits between deltas for minor version updates)
palata
838 days ago
I guess my point was: "because [some teams at] Google/Mozilla do it right does not mean that everybody does it right".
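An added example, written for this thread and not posted by any commenter: a small Python check that reads a Cargo.lock (a constructed sample, not a real project's lockfile) and lists every registry crate, transitive ones included, whose pinned version is absent from a set of audited (crate, version) pairs. It assumes the standard `[[package]]` layout of Cargo.lock; the audited set is a constructed stand-in for a real audit record.

```python
"""Report crates in a Cargo.lock that resolve to a version nobody has audited."""
import re

# Constructed sample Cargo.lock (hypothetical crates/versions, not taken from the thread).
SAMPLE_LOCK = """\
[[package]]
name = "serde"
version = "1.0.193"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000-constructed-checksum-0000"
dependencies = [
 "serde_derive",
]

[[package]]
name = "serde_derive"
version = "1.0.193"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111-constructed-checksum-1111"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
]
"""

# Constructed audit record: (crate, version) pairs a reviewer has signed off on.
# The transitive dependency serde_derive is deliberately missing from it.
AUDITED = {("serde", "1.0.193")}


def parse_lock(text):
    """Return {name: (version, source)} for every [[package]] entry; source is None for path crates."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M):
        # Only simple `key = "value"` lines matter here; the dependencies array is skipped.
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"$', block, flags=re.M))
        if "name" in fields:
            pkgs[fields["name"]] = (fields["version"], fields.get("source"))
    return pkgs


def unaudited(lock_text, audited):
    """Registry crates (direct or transitive) whose exact pinned version has no audit entry."""
    return sorted((name, ver) for name, (ver, src) in parse_lock(lock_text).items()
                  if src is not None and (name, ver) not in audited)
```

Because a published crate version on crates.io cannot be changed, matching on the exact (name, version) pair in the lockfile is what ties the audit to the bytes that will actually be built.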