by jcgrillo
6 days ago
Conceptually that makes sense, but has there been a supply chain problem lately? It's been a few years since I worked on a large rust project with tons of deps, but I don't recall there being a big problem. Especially with cargo vendor. If fully auditing a collection of deps is the goal, it seems that could be accomplished by maintaining a list of repos and trusted commit hashes? I guess I'm wondering whether there's some incremental solution that fits better with how the rest of the ecosystem works? EDIT: just saw reference to cargo-vet, very cool! Thanks Colin. |
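As an added example (not part of this thread, and not cargo's or cargo-vet's own code), here is a small Rust program implementing the "list of trusted hashes" idea from the comment above: it reads the `[[package]]` entries of a Cargo.lock and compares each registry crate's checksum against a maintained allowlist of (name, version, checksum). The lockfile text, the checksum values and the allowlist are constructed for the example (the checksums are placeholders, not real crates.io digests), and the parser is a minimal hand-written one covering only the keys it needs, so it is an assumption that your lockfile uses the current `[[package]]` layout.

```rust
// Added example: audit a Cargo.lock against a trusted (name, version, checksum) list.
// Everything below (lockfile text, checksums, allowlist) is constructed for illustration.
use std::collections::HashMap;

#[derive(Debug, Clone, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub checksum: Option<String>, // None for path/git dependencies, which carry no checksum
}

/// Minimal parser for the `[[package]]` tables of a Cargo.lock.
/// Only `name`, `version` and `checksum` are read; other keys and arrays are skipped.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package { name: String::new(), version: String::new(), checksum: None });
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // header lines before the first table (e.g. `version = 3`)
        };
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => pkg.name = value,
                "version" => pkg.version = value,
                "checksum" => pkg.checksum = Some(value),
                _ => {} // `source`, `dependencies = [`, etc. are ignored
            }
        }
    }
    if let Some(p) = current {
        packages.push(p);
    }
    packages
}

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Audited,          // name/version in the list and checksum matches
    Unaudited,        // name/version not in the list at all
    ChecksumMismatch, // in the list, but the locked checksum differs: investigate before building
    NoChecksum,       // path/git dependency: nothing to compare against here
}

/// Compare every locked package against the allowlist. Version is part of the key, so a
/// bumped dependency shows up as Unaudited until someone re-reviews it and extends the list.
pub fn audit(packages: &[Package], trusted: &[(&str, &str, &str)]) -> Vec<(String, Verdict)> {
    let index: HashMap<(&str, &str), &str> = trusted.iter().map(|(n, v, c)| ((*n, *v), *c)).collect();
    packages
        .iter()
        .map(|p| {
            let key = (p.name.as_str(), p.version.as_str());
            let verdict = match (index.get(&key), &p.checksum) {
                (_, None) => Verdict::NoChecksum,
                (None, Some(_)) => Verdict::Unaudited,
                (Some(expected), Some(actual)) if *expected == actual.as_str() => Verdict::Audited,
                (Some(_), Some(_)) => Verdict::ChecksumMismatch,
            };
            (format!("{} {}", p.name, p.version), verdict)
        })
        .collect()
}

/// Constructed Cargo.lock; checksums are placeholders, not real crates.io digests.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "anyhow"
version = "1.0.75"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aaaa0000"

[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dddd3333"

[[package]]
name = "mycrate"
version = "0.1.0"
dependencies = [
 "anyhow",
 "serde",
]

[[package]]
name = "serde"
version = "1.0.190"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbbb1111"
"#;

/// Constructed allowlist. The serde entry deliberately differs from the lockfile
/// to show what a tampered or unexpected crate looks like in the report.
pub const TRUSTED: &[(&str, &str, &str)] = &[
    ("anyhow", "1.0.75", "aaaa0000"),
    ("serde", "1.0.190", "cccc2222"),
];

fn main() {
    for (what, verdict) in audit(&parse_lockfile(SAMPLE_LOCK), TRUSTED) {
        println!("{}: {:?}", what, verdict);
    }
}
```

Run it as a pre-build step and fail the build on anything other than Audited or NoChecksum; the NoChecksum cases (workspace members, git dependencies) still need their own review, which is roughly the gap cargo-vet's audit records are meant to fill.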
The problem was ignored, perhaps?
Not every project is vulnerable, but many systems programming tasks are
I have encountered it