by timschmidt
648 days ago
> If I pin dependencies, I am susceptible to not getting security updates.

True in every language.

> If I do not pin dependencies, then I am susceptible to crates.io shenanigans

I do think it would be nice to have a chain of trust associated with crates.io. Nothing precludes doing that, as far as I know. There's probably already a cargo plugin for it.

> One of the 100 owners of my mini-dependencies will bump up their minor version by 0.0.1, push a rootkit/backdoor to crates.io

This is a situation Cargo.lock can prevent. Thankfully crates.io is much easier to audit than millions of lines of decentralized [c/q/]make files, bash/zsh/csh scripts, etc.
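To show concretely what "Cargo.lock can prevent" means in the comment above, here is an added example (not code from the thread or from cargo) that diffs two lockfiles the way a reviewer would when a dependency update lands in a pull request. It parses the `[[package]]` tables with a hand-rolled, simplified parser (assumed sufficient for the name/version/source/checksum keys; it is not cargo's own parser) and reports every version bump, every registry package whose checksum changed without a version change, and every registry package that carries no checksum at all. Both lockfiles and their checksums are constructed samples.

```rust
// Added example, not code from the thread: a minimal Cargo.lock differ that
// flags registry packages whose version or checksum changed between two
// lockfiles, and registry packages with no checksum. The parser is a hand-rolled
// simplification (only [[package]] tables with name/version/source/checksum
// keys), not cargo's own; the lockfiles are constructed samples with
// placeholder checksums.
use std::collections::BTreeMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Package { pub version: String, pub source: Option<String>, pub checksum: Option<String> }

#[derive(Debug, PartialEq)]
pub enum Change {
    Added(String, String),
    VersionBump { name: String, from: String, to: String },
    ChecksumChanged { name: String, version: String },
    MissingChecksum(String),
}

/// Parse the [[package]] tables into name -> Package, skipping `#` comments
/// and the `dependencies = [ ... ]` arrays cargo emits.
pub fn parse_lock(text: &str) -> BTreeMap<String, Package> {
    let mut out = BTreeMap::new();
    let mut cur: Option<(String, Package)> = None;
    let mut in_array = false;
    for raw in text.lines() {
        let line = raw.trim();
        if in_array { in_array = !line.ends_with(']'); continue; }
        if line.is_empty() || line.starts_with('#') { continue; }
        if line == "[[package]]" {
            if let Some((name, pkg)) = cur.take() { out.insert(name, pkg); }
            cur = Some((String::new(), Package { version: String::new(), source: None, checksum: None }));
            continue;
        }
        let Some((key, val)) = line.split_once('=').map(|(k, v)| (k.trim(), v.trim())) else { continue };
        if val.starts_with('[') { in_array = !val.ends_with(']'); continue; }
        let val = val.trim_matches('"').to_string();
        if let Some((name, pkg)) = cur.as_mut() {
            match key {
                "name" => *name = val,
                "version" => pkg.version = val,
                "source" => pkg.source = Some(val),
                "checksum" => pkg.checksum = Some(val),
                _ => {}
            }
        }
    }
    if let Some((name, pkg)) = cur.take() { out.insert(name, pkg); }
    out
}

/// Every registry package must carry a checksum; any version change is reported
/// (a 0.0.1 bump included), and a checksum change at the same version is
/// reported separately because a lockfile should never do that.
pub fn diff_locks(old: &BTreeMap<String, Package>, new: &BTreeMap<String, Package>) -> Vec<Change> {
    let mut changes = Vec::new();
    for (name, np) in new {
        let registry = np.source.as_deref().map_or(false, |s| s.starts_with("registry+"));
        if registry && np.checksum.is_none() { changes.push(Change::MissingChecksum(name.clone())); }
        match old.get(name) {
            None => changes.push(Change::Added(name.clone(), np.version.clone())),
            Some(op) if op.version != np.version => changes.push(Change::VersionBump {
                name: name.clone(), from: op.version.clone(), to: np.version.clone() }),
            Some(op) if op.checksum != np.checksum => changes.push(Change::ChecksumChanged {
                name: name.clone(), version: np.version.clone() }),
            Some(_) => {}
        }
    }
    changes
}

/// Constructed sample: the committed lockfile (placeholder checksum).
pub const OLD_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "tiny-helper"
version = "1.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"
"#;

/// Constructed sample: the same lockfile after an unreviewed `cargo update`
/// moved tiny-helper to 1.4.3, which now pulls in a crate with no checksum.
pub const NEW_LOCK: &str = r#"version = 3

[[package]]
name = "sneaky"
version = "0.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tiny-helper"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222222222222222222222222222222222222222222222222222222222222222"
dependencies = [
 "sneaky",
]
"#;

fn main() {
    for c in diff_locks(&parse_lock(OLD_LOCK), &parse_lock(NEW_LOCK)) { println!("{c:?}"); }
}
```

The point of the exercise is that a committed Cargo.lock turns "one of my 100 mini-dependencies pushed 0.0.1" into a visible, reviewable line in a diff rather than a silent change at build time; building with `cargo build --locked` then refuses to proceed if the lockfile would need to change. The checksum check matters independently of versions: a changed hash at the same version, or a registry entry without one, is the lockfile itself no longer vouching for the bytes that will be compiled.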