estimated audit backlog: 67560 lines
I started learning rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on “rand” to get random numbers, which requires 8 different libraries), I installed “cargo vet” so that I’d at least know about it if I accidentally added things that haven’t been vetted by anyone at all.
Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding “rand” have not been vetted by anyone.
Anyway, I’m learning rust.
It’s definitely a growing problem with Rust. I have noticed my dependency trees growing from 20-50 a few years ago to usually 200-500 now.
It’s not quite as bad as NPM yet, where it can easily get into the low thousands. Also the Rust projects I have tend to have justifiably large dependencies, e.g. wasmtime or Slint. I don’t think it’s unreasonable to expect a whole GUI toolkit to have quite a few dependencies. I have yet to find any dependencies that I thought were ridiculous like leftpad.
We could definitely do with better tooling to handle supply chain attacks. Maybe even a way of (voluntarily) tying crate authors to verified real identities.
But I also wouldn’t worry about it too much. If you a really worried, develop in a docker container, use a dependency cooldown, and whatever you do don’t use cryptocurrencies on your dev machine.
Yeah, the personal risk doesn’t worry me as much as the idea that it might eventually get to be as bad as npm.