kibwen an hour ago
> both of these are not the case in practice though

No, people routinely write Rust with no third-party dependencies, and yet people do not routinely write C code that is memory-safe. Your threat model needs re-evaluating. Also keep in mind that the most common dependencies (rand, serde, regex, etc.) are literally provided by the Rust project itself, and are no more susceptible to supply chain attacks than the compiler.
pheggs an hour ago
I know it's a sensitive topic for a lot of people, but as I said, I love Rust. I don't know a lot of Rust projects though that don't use any dependencies. In my humble opinion, disregarding the risks of such supply chain attacks is at least as bad as people disregarding the risk of memory-unsafe code. But keep in mind, I'm not saying don't use Rust.
mamma_mia 42 minutes ago
mamma mia! one day anyhow and anyerror will be backdoored it's inevitable