


Maybe if we work hard enough, we can have a big “can I use” table of rust dependencies which shows which versions of everything are available in which operating systems and what the package has been renamed to in each case. “Oh I could use rand but the latest version isn’t in gentoo so that would knock out 5% of my users.” Maintaining and stressing over that sounds like greeeaaaat fun. “Oh cool! An important new feature landed in rust stable. I can’t wait for 6 months to pass before the new rust compiler comes to Debian. Then another 6 months for my dependencies to use it. Then another 6 months before I can use it! Isn’t software great?”


I think that there is a real point in talking about the security risk of making it too easy to fetch tons of dependencies. That's literally code that gets downloaded and run on the user's machine; I would always feel safer if the dev had at least an idea about the dependencies they pull.

You can also have a mixed approach, where you depend on the system libraries for those that are maintained by the distro, and build/handle the remaining dependencies manually. That is an incentive to actually use the libraries that are maintained by the distro, which is a good thing IMO: not every library gets to be distributed by Debian; there is some level of quality control there.
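The first step of the mixed approach above (and a small version of the "can I use" table the earlier comment jokes about) is knowing, for every entry in your lockfile, whether the distro already ships a compatible version, ships an incompatible one, or does not package it at all, so you know which code you are fetching and running yourself. Here is an added example of that check in Rust, written for this page rather than taken from either commenter or from Cargo. It assumes a constructed Cargo.lock excerpt and a constructed crate-to-version inventory standing in for the distro's package index (for Debian that would be the versions of its librust-<crate>-dev packages); neither is real package data, and the git dependency `internal-telemetry` and its URL are invented.

```rust
use std::cmp::Ordering;
use std::collections::BTreeMap;

#[derive(Debug)]
pub struct LockedPackage { // one `[[package]]` entry from Cargo.lock, reduced to what the audit needs
    pub name: String,
    pub version: String,
    pub source: Option<String>, // None = workspace member; else "registry+..." or "git+..."
}

/// Minimal Cargo.lock reader (not a TOML parser): keeps the flat `key = "value"` lines of each
/// `[[package]]`; anything else, including the items inside `dependencies = [...]`, is ignored.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let (mut pkgs, mut cur) = (Vec::new(), None::<LockedPackage>);
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            pkgs.extend(cur.take()); // a new table begins: flush the package in progress
            if line == "[[package]]" {
                cur = Some(LockedPackage { name: String::new(), version: String::new(), source: None });
            }
            continue;
        }
        let (key, val) = match line.split_once('=') { Some(kv) => kv, None => continue };
        if let Some(p) = cur.as_mut() {
            let v = val.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => p.name = v,
                "version" => p.version = v,
                "source" => p.source = Some(v),
                _ => {} // checksum, dependencies, ...: not needed for this check
            }
        }
    }
    pkgs.extend(cur.take());
    pkgs
}

/// Cargo's caret rule: versions are compatible iff the leftmost non-zero component is unchanged.
/// Returns how the distro version compares to the locked one, or None if they are on different
/// compatibility lines (or a version is not plain `x.y.z`).
pub fn caret_relation(locked: &str, distro: &str) -> Option<Ordering> {
    let ver = |v: &str| -> Option<(u64, u64, u64)> {
        let mut it = v.split('.').map(|s| s.parse::<u64>().ok());
        Some((it.next()??, it.next()??, it.next()??))
    };
    let (l, d) = (ver(locked)?, ver(distro)?);
    let same_line = if l.0 != 0 { l.0 == d.0 }
        else if l.1 != 0 { d.0 == 0 && l.1 == d.1 }
        else { d.0 == 0 && d.1 == 0 && l.2 == d.2 };
    same_line.then(|| d.cmp(&l))
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Coverage {
    Workspace,           // our own crate: nothing is fetched
    Distro,              // distro ships a compatible version at least as new as the lock
    DistroOutdated,      // same compatibility line, but the distro lags the locked version
    IncompatibleVersion, // packaged, but on another semver line
    NotPackaged,         // you fetch and run it yourself: read it, or vendor and review it
    NonRegistrySource,   // git dependency, no registry checksum: review by hand
}

pub fn classify(pkg: &LockedPackage, distro: &BTreeMap<&str, &str>) -> Coverage {
    let src = match pkg.source.as_deref() { Some(s) => s, None => return Coverage::Workspace };
    if !src.starts_with("registry+") {
        return Coverage::NonRegistrySource;
    }
    match distro.get(pkg.name.as_str()).map(|avail| caret_relation(&pkg.version, avail)) {
        None => Coverage::NotPackaged,
        Some(None) => Coverage::IncompatibleVersion,
        Some(Some(Ordering::Less)) => Coverage::DistroOutdated,
        Some(Some(_)) => Coverage::Distro,
    }
}

/// Constructed Cargo.lock (not from any real project; checksums omitted), built from a table.
pub fn sample_lock() -> String {
    const REG: &str = "registry+https://github.com/rust-lang/crates.io-index";
    let mut s = String::from("version = 3\n\n[[package]]\nname = \"myapp\"\nversion = \"0.1.0\"\ndependencies = [\n \"rand\",\n \"serde\",\n]\n");
    for (n, v, src) in [
        ("internal-telemetry", "0.3.0", "git+https://example.invalid/telemetry.git#0123456789abcdef"),
        ("libc", "0.2.150", REG), ("rand", "0.8.5", REG), ("serde", "1.0.190", REG), ("tokio", "1.35.0", REG),
    ] {
        s += &format!("\n[[package]]\nname = \"{n}\"\nversion = \"{v}\"\nsource = \"{src}\"\n");
    }
    s
}

/// Constructed stand-in for the distro's crate inventory (crate -> packaged version); not real data.
pub fn sample_distro() -> BTreeMap<&'static str, &'static str> {
    BTreeMap::from([("libc", "0.2.147"), ("rand", "0.8.5"), ("serde", "0.9.15")])
}

fn main() {
    let (lock, distro) = (sample_lock(), sample_distro());
    for p in parse_cargo_lock(&lock) {
        println!("{:<20} {:<10} {:?}", p.name, p.version, classify(&p, &distro));
    }
}
```

Everything that comes out as `NotPackaged` or `NonRegistrySource` is code nobody at the distro has looked at, so that is the list to read or vendor and review; `IncompatibleVersion` and `DistroOutdated` are the entries where you decide between relaxing your requirement to match the distro and carrying the crate yourself. Feeding it a real lockfile only needs the distro map replaced with output from the package index.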



