by estebank
415 days ago
1) every dependency comes from crates.io, not straight from GitHub
2) the dependency list is tiny
3) it uses a cargo lock, so even if it were using a GitHub dependency, that file keeps a hash of the dependency and points at the specific commit, so if the dependency were to introduce a backdoor it wouldn't be automatically picked up, and a commit history rewrite would also fail https://github.com/trifectatechfoundation/sudo-rs/blob/main/...
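The lockfile property the comment relies on, as an added example that is not part of the post or of sudo-rs: a small Python audit that walks the `[[package]]` tables of a Cargo.lock and reports any entry that is not a crates.io package with a sha256 checksum, a git source carrying its resolved commit, or a workspace crate. The sample lockfile and the `pinned-dep` and `tampered` entries are constructed for the demo.

```python
import re
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"
OK = {"workspace", "crates.io+sha256", "git pinned to commit"}

# Constructed sample (not sudo-rs's real Cargo.lock): a crates.io dependency with its
# checksum, a git dependency resolved to a commit, and a registry entry whose checksum
# was stripped by hand, which is what a tampered lockfile looks like.
SAMPLE_LOCK = """\
[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "89d92a4743f9a61b4021a1be4fe3a8b61a8ff28ea04aa6ef98a1b5e3bb18d31b"
[[package]]
name = "pinned-dep"
version = "0.1.0"
source = "git+https://github.com/example/pinned-dep?branch=main#0123456789abcdef0123456789abcdef01234567"
[[package]]
name = "tampered"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

def parse_lock(text):                   # each [[package]] table -> dict of its string keys
    packages, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif line.startswith("["):      # any other table ends the current package
            current = None
        elif current is not None:
            m = re.fullmatch(r'(\w+) = "(.*)"', line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages

def classify(pkg):                      # how the entry is pinned, or which pin is missing
    src = pkg.get("source")
    if src is None:                     # no source: built from this source tree
        return "workspace"
    if src == CRATES_IO:                # registry deps must carry a sha256 of the .crate
        digest = pkg.get("checksum", "")
        return "crates.io+sha256" if re.fullmatch(r"[0-9a-f]{64}", digest) else "registry entry without checksum"
    if src.startswith("git+"):          # cargo appends the resolved commit after '#'
        commit = src.partition("#")[2]
        return "git pinned to commit" if re.fullmatch(r"[0-9a-f]{40}", commit) else "git without commit pin"
    return "unexpected source: " + src  # another registry, or a hand-edited entry
def problems(text):                     # {name: status} for entries that are not fully pinned
    return {p["name"]: classify(p) for p in parse_lock(text) if classify(p) not in OK}
```

Run it against a real Cargo.lock by reading the file into `problems()`; an empty result means every dependency is either checksum-pinned from crates.io or commit-pinned from git.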