by jcgrillo 6 days ago
I don't get it, maybe my brain isn't wrinkly enough. Two things:

1. What problem does stdx actually solve?

2. Ok, it's a git dep, seems fine? Why is the choice to publish or not publish in crates.io a big deal either way?


> What problem does stdx actually solve?

Even a small rust programme can end up importing hundreds of crates. For many applications you need to investigate and verify your dependencies.

A substantial standard library, the hypothesis is, will vastly reduce the number of sources you need to trust.

It is early days for this, it is not to be trusted yet.

2. It is not crates.io specifically that is the problem. It is the concept of using many imports that all need verifying (my original statement here)

Conceptually that makes sense, but has there been a supply chain problem lately? It's been a few years since I worked on a large rust project with tons of deps, but I don't recall there being a big problem. Especially with cargo vendor.

If fully auditing a collection of deps is the goal, it seems that could be accomplished by maintaining a list of repos and trusted commit hashes?

I guess I'm wondering whether there's some incremental solution that fits better with how the rest of the ecosystem works?

EDIT: just saw reference to cargo-vet, very cool! Thanks Colin.
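The "list of trusted hashes" audit sketched above, written out as an added example that is not part of this thread or of the stdx project: it parses a constructed Cargo.lock subset (placeholder checksums, not real crate hashes) and compares each locked crate against an allowlist of audited (name, version, checksum) entries, flagging git dependencies that carry no checksum and therefore have to be pinned and reviewed by commit.

```rust
use std::collections::HashMap;
/// One `[[package]]` table from a Cargo.lock; git/path deps have no checksum.
pub struct Package { pub name: String, pub version: String, pub checksum: Option<String> }
/// Minimal parser for Cargo.lock `[[package]]` tables: reads `name`, `version`
/// and `checksum`, skips other keys and `dependencies = [...]` arrays.
pub fn parse_lock(lock: &str) -> Vec<Package> {
    let (mut out, mut cur): (Vec<Package>, Option<Package>) = (Vec::new(), None);
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            out.extend(cur.take());
            cur = Some(Package { name: String::new(), version: String::new(), checksum: None });
        } else if let (Some(p), Some((k, v))) = (cur.as_mut(), line.split_once(" = ")) {
            let v = v.trim_matches('"').to_string();
            match k {
                "name" => p.name = v,
                "version" => p.version = v,
                "checksum" => p.checksum = Some(v),
                _ => {}
            }
        }
    }
    out.extend(cur);
    out
}
/// Check every locked package against an allowlist of audited (name, version) -> checksum.
/// One finding per problem: unaudited crate, registry crate whose bytes differ from the
/// audited ones, or a git/path dep with no checksum that must be pinned by commit instead.
pub fn audit(lock: &str, trusted: &HashMap<(&str, &str), &str>) -> Vec<String> {
    let mut findings = Vec::new();
    for p in parse_lock(lock) {
        let id = format!("{} {}", p.name, p.version);
        match (trusted.get(&(p.name.as_str(), p.version.as_str())), &p.checksum) {
            (None, _) => findings.push(format!("{id}: not in audited list")),
            (Some(_), None) => findings.push(format!("{id}: no checksum (git/path dep), pin by commit")),
            (Some(want), Some(got)) if *want != got.as_str() => findings.push(format!("{id}: checksum mismatch")),
            _ => {}
        }
    }
    findings
}
/// Constructed sample lockfile; the checksums are placeholders, not real hashes.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "libc"
version = "0.2.150"
checksum = "placeholder-sha256-libc"
[[package]]
name = "stdx"
version = "0.1.0"
source = "git+https://example.invalid/stdx#0123abcd"
"#;
```

Running `audit` in CI against the committed Cargo.lock turns a dependency bump into a review event rather than a silent change.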

> It's been a few years since I worked on a large rust project with tons of deps, but I don't recall there being a big problem.

The problem was ignored, perhaps?

Not every project is vulnerable, but many systems programming tasks are.

I have encountered it.

> Why is the choice to publish or not publish in crates.io a big deal either way?

The aspiration is to distribute stdx in a way similar to libc and never rely on crates.io, bypassing supply-chain problems altogether.