[simonask]

Maintainers of all open source standard libraries are effectively "random third parties". With heavily used ecosystem dependencies (such as Tokio, but also swaths of small libraries, such as `futures` or `regex`), the number of people who have looked at the code and battle-tested it is also huge.

On crates.io, a good heuristic is to look at two numbers: the number of dependents and the number of downloads. If both are high, it's _probably_ fine. Otherwise, I'll manually audit the code.

That's not a complete solution, especially not if you're worried about this from a security perspective, but it's a good approximation if you're worried about the general quality of your dependencies.

[blub]

People are paid to work on standard libraries and there’s a whole process behind developing and releasing this software.

Tokio on the other hand is the library whose maintainer decided to download a binary blob during build: https://github.com/tokio-rs/prost/issues/562 https://github.com/tokio-rs/prost/issues/575

Good luck catching such issues across dozens of crates.

[simonask]

The issue you linked is a perfect example in support of my argument. Lots of people noticed the problem, and it was quickly rectified.

[shwouchk]

what other “quality” is there to worry about besides security?

[simonask]

Stability, correctness, test coverage, performance.

You can lump anything under "security" for particular use cases, but what's the point of words then.