Conceptually that makes sense, but has there been a supply chain problem lately? It's been a few years since I worked on a large rust project with tons of deps, but I don't recall there being a big problem. Especially with cargo vendor.
If fully auditing a collection of deps is the goal, it seems that could be accomplished by maintaining a list of repos and trusted commit hashes?
I guess I'm wondering whether there's some incremental solution that fits better with how the rest of the ecosystem works?
EDIT: just saw reference to cargo-vet, very cool! Thanks Colin.
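The "list of repos and trusted commit hashes" idea from the comment above, worked through as an added example (not code from the commenter, and not how cargo-vet is implemented). It reads the `[[package]]` tables of a Cargo.lock, then checks registry crates against an audit list of `(name, version) -> sha256 checksum` and git dependencies against a per-repository set of trusted commits. The lock file, the checksums and the commit hashes are constructed for the example; the parser is a minimal one for the handful of fields this check needs.

```python
"""Check a Cargo.lock against a hand-maintained audit list (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockedPackage:
    name: str
    version: str
    source: Optional[str]    # registry URL, "git+<url>#<commit>", or None for workspace members
    checksum: Optional[str]  # sha256 of the .crate tarball, present for registry crates


def parse_cargo_lock(text: str) -> list[LockedPackage]:
    """Collect the string-valued fields of every [[package]] table.

    Multi-line arrays such as `dependencies = [ ... ]` are skipped on purpose;
    a real TOML parser would give the same result for the fields used here."""
    packages: list[LockedPackage] = []
    current: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current is not None:
                packages.append(_to_package(current))
            current = {}
        elif current is not None:
            m = re.match(r'^(\w+)\s*=\s*"([^"]*)"$', line)
            if m:
                current[m.group(1)] = m.group(2)
    if current is not None:
        packages.append(_to_package(current))
    return packages


def _to_package(fields: dict) -> LockedPackage:
    return LockedPackage(fields["name"], fields["version"],
                         fields.get("source"), fields.get("checksum"))


def split_git_source(source: Optional[str]) -> Optional[tuple[str, str]]:
    """Cargo writes git sources as git+<url>[?branch=...]#<commit>; return (url, commit)."""
    if not source or not source.startswith("git+") or "#" not in source:
        return None
    url, commit = source[len("git+"):].rsplit("#", 1)
    return url.split("?", 1)[0], commit


def audit(packages: list[LockedPackage],
          trusted_checksums: dict[tuple[str, str], str],
          trusted_commits: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Return (name, version, reason) for every package the audit list does not cover."""
    findings = []
    for p in packages:
        git = split_git_source(p.source)
        if git is not None:
            repo, commit = git
            if commit not in trusted_commits.get(repo, set()):
                findings.append((p.name, p.version, f"untrusted commit {commit} for {repo}"))
        elif p.source is None:
            continue  # workspace member, no third-party code
        else:
            expected = trusted_checksums.get((p.name, p.version))
            if expected is None:
                findings.append((p.name, p.version, "no audit record"))
            elif expected != p.checksum:
                findings.append((p.name, p.version, "checksum differs from audited tarball"))
    return findings


# Constructed Cargo.lock: one workspace crate, three registry crates, one git crate.
SAMPLE_LOCK = f'''# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "alpha",
 "beta",
]

[[package]]
name = "alpha"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{'a' * 64}"

[[package]]
name = "beta"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{'b' * 64}"

[[package]]
name = "delta"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{'d' * 64}"

[[package]]
name = "gamma"
version = "2.0.0"
source = "git+https://example.invalid/gamma.git?branch=main#{'0123456789' * 4}"
'''

# Constructed audit list: alpha matches, beta was audited at a different tarball
# checksum, delta was never audited, gamma's repo has one trusted commit.
TRUSTED_CHECKSUMS = {("alpha", "1.2.3"): "a" * 64, ("beta", "0.4.0"): "c" * 64}
TRUSTED_COMMITS = {"https://example.invalid/gamma.git": {"0123456789" * 4}}


def run_example() -> list[tuple[str, str, str]]:
    return audit(parse_cargo_lock(SAMPLE_LOCK), TRUSTED_CHECKSUMS, TRUSTED_COMMITS)


if __name__ == "__main__":
    for name, version, reason in run_example():
        print(f"{name} {version}: {reason}")
```

Two findings come back for the sample: `beta` because its locked checksum differs from the audited one, and `delta` because it has no audit record at all; `alpha` and `gamma` pass. The check is only as good as the audit list, which is what cargo-vet adds on top of this idea (shared audit records and a defined review process rather than a hand-edited table).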