by 778464636
415 days ago
Supply chain attacks are a big downside no one ever mentions. Even sudo-rs drags dependencies in from GitHub at build time instead of being self-contained, which is just an absurd thing to do for such an essential tool, especially in the current political climate.

2) the dependency list is tiny
3) it uses a Cargo.lock, so even if it were using a GitHub dependency, that file keeps a hash of the dependency and points at the specific commit, so if the dependency were to introduce a backdoor it wouldn't be automatically picked up and a commit history rewrite would also fail
https://github.com/trifectatechfoundation/sudo-rs/blob/main/...
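As an added example that is not part of this thread and not code from the sudo-rs project, here is the check a reviewer can run over a Cargo.lock to confirm what the reply describes: every registry crate carries a sha256 checksum, and every git dependency is pinned to a full 40-hex commit hash rather than a floating branch. The sample lock file, its crate names and the checksum value are constructed for the example; only the crates.io index URL and the Cargo.lock key names (`source`, `checksum`) are real.

```python
import re

# Constructed Cargo.lock fragment for the example (not sudo-rs's real lock file).
# The checksum on "libc" is a placeholder hex string, not the crate's real digest.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "libc"
version = "0.2.153"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef"

[[package]]
name = "pinned-git-crate"
version = "0.1.0"
source = "git+https://github.com/example/pinned-git-crate?branch=main#0123456789abcdef0123456789abcdef01234567"
dependencies = [
 "libc",
]

[[package]]
name = "floating-git-crate"
version = "0.1.0"
source = "git+https://github.com/example/floating-git-crate?branch=main"

[[package]]
name = "no-checksum-crate"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "local-workspace-crate"
version = "0.3.0"
"""

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
GIT_COMMIT_RE = re.compile(r"#([0-9a-f]{40})$")   # "#<commit>" fragment on a git source
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")         # registry checksum is a sha256 hex digest
KEY_VALUE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_cargo_lock(text):
    """Split a Cargo.lock into one dict per [[package]] table.

    Only simple `key = "value"` lines are kept; the multi-line
    `dependencies = [...]` arrays carry no provenance data and are skipped.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            continue  # top-level keys such as `version = 3`
        match = KEY_VALUE_RE.match(line)
        if match:
            current[match.group(1)] = match.group(2)
    return packages


def audit_cargo_lock(text):
    """Return (crate, severity, message) findings about how each dependency is pinned."""
    findings = []
    for pkg in parse_cargo_lock(text):
        name = pkg.get("name", "<unnamed>")
        source = pkg.get("source")
        if source is None:
            # No source: a path/workspace member built from the tree itself.
            continue
        if source.startswith("registry+"):
            if not SHA256_RE.match(pkg.get("checksum", "")):
                findings.append((name, "error", "registry crate without a valid sha256 checksum"))
            if source != CRATES_IO:
                findings.append((name, "info", "third-party registry: " + source))
        elif source.startswith("git+"):
            commit = GIT_COMMIT_RE.search(source)
            if commit is None:
                findings.append((name, "error", "git dependency not pinned to a full commit hash"))
            else:
                findings.append((name, "info", "git dependency pinned to " + commit.group(1)[:12]))
        else:
            findings.append((name, "error", "unrecognised source: " + source))
    return findings


if __name__ == "__main__":
    for crate, severity, message in audit_cargo_lock(SAMPLE_LOCK):
        print(f"[{severity}] {crate}: {message}")
```

Run against a real tree with `audit_cargo_lock(open("Cargo.lock").read())`. The script only reports what the lock file claims; it pairs with `cargo build --locked`, which refuses to proceed if the lock file would have to change, so that a rewritten upstream branch or a republished registry tarball cannot slip in silently.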