staticassertion 4 hours ago

Google already uses `cargo-vet` for rust dependencies.

pheggs 3 hours ago | parent

That's good, but it won't eliminate the risk.

staticassertion 3 hours ago | parent

Nothing eliminates the risk, but it is basically a best-in-class solution. If your primary concern is supply chain risk, there you go: best-in-class defense against it.

If anything, what are you doing about supply chain for the existing code base? How is cargo worse here when cargo-vet exists and is actively maintained by Google, Mozilla, and others?
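
For readers who have not used cargo-vet, the rule it enforces is simple: every crate version in Cargo.lock must be covered by a full audit, by a chain of delta audits rooted in a fully audited version, or by an explicit exemption, otherwise `cargo vet` fails. The following is an added example that models that check; it is not code from this thread or from the cargo-vet project. The three TOML documents (Cargo.lock, supply-chain/audits.toml, supply-chain/config.toml) are constructed samples, the parser handles only the subset of TOML they use, and criteria implication, imported third-party audit files and lockfile consistency checks that the real tool also performs are left out.

```python
"""Simplified model of the coverage check `cargo vet` performs.

Added example, not cargo-vet's own code. A crate version is vetted if a
full audit names it, a delta-audit chain reaches it from a fully audited
version, or config.toml exempts it. All three documents are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed Cargo.lock excerpt (real lockfiles carry more fields).
CARGO_LOCK = '''
[[package]]
name = "serde"
version = "1.0.197"

[[package]]
name = "syn"
version = "2.0.52"

[[package]]
name = "once_cell"
version = "1.19.0"

[[package]]
name = "leftpad-rs"
version = "0.1.0"
'''

# Constructed audits.toml: serde has a full audit of 1.0.195 plus a delta
# to 1.0.197 (only the diff was reviewed); syn has a full audit.
AUDITS_TOML = '''
[[audits.serde]]
who = "Alice <alice@example.com>"
criteria = "safe-to-deploy"
version = "1.0.195"

[[audits.serde]]
who = "Alice <alice@example.com>"
criteria = "safe-to-deploy"
delta = "1.0.195 -> 1.0.197"

[[audits.syn]]
who = "Bob <bob@example.com>"
criteria = "safe-to-deploy"
version = "2.0.52"
'''

# Constructed config.toml: once_cell is accepted unaudited via an exemption,
# the mechanism a project uses to bootstrap before auditing everything.
CONFIG_TOML = '''
[[exemptions.once_cell]]
version = "1.19.0"
criteria = "safe-to-deploy"
'''

_HEADER = re.compile(r"^\[\[(?P<table>[\w-]+)(?:\.(?P<key>[\w-]+))?\]\]$")
_KV = re.compile(r'^(?P<k>\w+)\s*=\s*"(?P<v>[^"]*)"$')
Entry = Dict[str, str]


def parse_toml_arrays(text: str) -> Dict[str, List[Tuple[Optional[str], Entry]]]:
    """Parse the TOML subset used above: [[table]] or [[table.key]] headers
    followed by `key = "string"` lines. Returns table -> [(key, entry)]."""
    tables: Dict[str, List[Tuple[Optional[str], Entry]]] = {}
    current: Optional[Entry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _HEADER.match(line):
            current = {}
            tables.setdefault(m["table"], []).append((m["key"], current))
        elif (m := _KV.match(line)) and current is not None:
            current[m["k"]] = m["v"]
        else:
            raise ValueError(f"unsupported line: {raw!r}")
    return tables


def lockfile_packages(lock_text: str) -> List[Tuple[str, str]]:
    return [(e["name"], e["version"])
            for _, e in parse_toml_arrays(lock_text).get("package", [])]


def audited_versions(audits_text: str, criteria: str) -> Dict[str, Set[str]]:
    """Versions of each crate covered under `criteria`: full audits, extended
    by delta audits only when the delta's base version is itself covered."""
    by_crate: Dict[str, List[Entry]] = {}
    for crate, entry in parse_toml_arrays(audits_text).get("audits", []):
        if crate and entry.get("criteria") == criteria:
            by_crate.setdefault(crate, []).append(entry)
    covered: Dict[str, Set[str]] = {}
    for crate, entries in by_crate.items():
        versions = {e["version"] for e in entries if "version" in e}
        deltas = [tuple(p.strip() for p in e["delta"].split("->"))
                  for e in entries if "delta" in e]
        changed = True
        while changed:  # fixpoint, so deltas may appear in any file order
            changed = False
            for base, target in deltas:
                if base in versions and target not in versions:
                    versions.add(target)
                    changed = True
        covered[crate] = versions
    return covered


def unvetted(lock_text: str, audits_text: str, config_text: str,
             criteria: str = "safe-to-deploy") -> List[Tuple[str, str]]:
    """Lockfile entries covered by neither an audit chain nor an exemption."""
    covered = audited_versions(audits_text, criteria)
    exempt = {(crate, e["version"])
              for crate, e in parse_toml_arrays(config_text).get("exemptions", [])
              if e.get("criteria") == criteria}
    return [(name, ver) for name, ver in lockfile_packages(lock_text)
            if ver not in covered.get(name, set()) and (name, ver) not in exempt]


if __name__ == "__main__":
    for name, ver in unvetted(CARGO_LOCK, AUDITS_TOML, CONFIG_TOML):
        print(f"unvetted: {name} {ver}")
```

With the samples above only `leftpad-rs 0.1.0` is reported: serde is reached through the delta chain, syn by a full audit, once_cell by the exemption. A delta whose base version was never fully audited contributes nothing, which is the property that makes delta audits safe to accept. The real tool fails the build on a non-empty list, and `cargo vet suggest` tells you which audits or deltas would close the gaps.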

pheggs 2 hours ago | parent

True, but Rust's success in creating an easy-to-use dependency manager is the curse. In general, Rust software seems to use a larger number of dependencies than C/C++ because of that, where each one is at risk of becoming an attack vector. My prediction is that we will see some abuse of this in the future, similar to what npm experienced.