| ▲ | cedws 5 days ago |
| Yes but it's the fact that cargo can pull a massive unreviewed dependency tree and then immediately execute code from those dependencies that's the problem. If you have a repo with a Makefile you have the opportunity to review it first at least. |
|
| ▲ | duped 5 days ago | parent | next [-] |
| Do you review the 10k+ lines of generated bash in ./configure, too? |
| |
| ▲ | cozzyd 5 days ago | parent [-] | | ./configure shouldn't be in your repo unless it's handwritten | | |
| ▲ | johnisgood 5 days ago | parent [-] | | Pretty much. It is called "autotools" for a reason. Theoretically you should be able to generate the configuration scripts through "autoconf" (or autoreconf), or generate Makefile.in for configure from Makefile.am using "automake", etc. |
|
|
|
| ▲ | pharrington 5 days ago | parent | prev [-] |
| You are allowed to read Cargo.toml. |
| |
| ▲ | cedws 5 days ago | parent [-] | | Cargo.toml does not contain the source code of dependencies nor transient dependencies. | | |
| ▲ | magackame 5 days ago | parent [-] | | Welp, `cargo tree`, 100 nights and 100 coffees then it is | | |
| ▲ | marshray 5 days ago | parent | next [-] | | Yes! I sometimes set up a script that runs several variations on 'cargo tree', as well as collects various stats on output binary sizes, lines of code, licenses, etc. The output is written to a .txt file that gets checked-in. This allows me to easily observe the 'weight' of adding any new feature or dependency, and to keep an eye on the creep over time as the project evolves. | |
| ▲ | johnisgood 5 days ago | parent | prev [-] | | You will need something stronger than caffeine. |
|
|
|
