estimated audit backlog: 67560 lines

I started learning Rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on “rand” to get random numbers, which requires 8 different libraries), I installed “cargo vet” so that I’d at least know about it if I accidentally added things that haven’t been vetted by anyone at all.

Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding “rand” have not been vetted by anyone.

Anyway, I’m learning Rust.
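The backlog cargo vet reports is the set of dependency versions that nobody in your trust set has certified. The usual way to shrink it is not to review everything yourself but to import audit files published by organisations you decide to trust, and to keep the auto-generated exemptions list as the explicit record of what is still unreviewed. The configuration below is an added example written for this thread; it is not from the original post or from the cargo vet project. The crate name `guessing_game`, the `rand` version, the auditor name and the file locations are assumptions; the two import URLs are the public audit sets Mozilla and Google publish.

```toml
# supply-chain/config.toml  (directory created by `cargo vet init`; added example)

# Import audits from organisations you trust. Any crate version they have
# certified for the same criteria no longer counts toward your own backlog.
# `cargo vet` refreshes these on the next run.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

# Criteria your own crate requires of its dependency tree.
# "safe-to-deploy" is the stricter built-in criterion (no malicious code,
# no serious soundness or security issues); "safe-to-run" is the weaker one
# meant for build tooling and dev-dependencies.
# (`guessing_game` is a hypothetical crate name standing in for the book project.)
[policy.guessing_game]
criteria = "safe-to-deploy"

# Exemptions are crates you have NOT reviewed but accept for now.
# `cargo vet init` writes one per existing dependency so the tree passes on
# day one. Treat this list as debt: remove entries as audits land, and never
# add one by hand just to silence a failure on a new dependency.
[[exemptions.rand]]
version = "0.8.5"        # assumed version; check with `cargo tree`
criteria = "safe-to-deploy"

# supply-chain/audits.toml  (your own certifications; normally written by
# `cargo vet certify`, shown here so the record format is visible)

[[audits.rand_core]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder identity
criteria = "safe-to-deploy"
version = "0.6.4"        # assumed version
notes = "Read the full crate source; no unsafe beyond documented RNG seeding."

# A delta audit certifies only the diff between two versions, which is what
# makes keeping up with minor releases tractable.
[[audits.rand_core]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder identity
criteria = "safe-to-deploy"
delta = "0.6.4 -> 0.6.5"  # assumed versions
```

The working loop is: run `cargo vet` to see what fails, `cargo vet suggest` to get the shortest set of reviews (it prefers delta audits over full ones), then `cargo vet certify` for each crate you actually read, which removes the matching exemption. A dependency added later that nobody has audited makes `cargo vet` fail in CI, which is exactly the signal the original poster was after; the risk to watch is the habit of resolving that failure with a new exemption instead of a review.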

  • SorteKanin@feddit.dk · 2 upvotes · 8 hours ago

    This is the way with modern software engineering, especially in the industry. It comes from the basic fact that:

    1. Companies want to get code for free from the internet - someone else already wrote that code, let’s use it for free and have better profit margins!
    2. Companies do not want to spend time and effort vetting that free code, as that would make it… well, not free. That would require manpower (perhaps unless you trust AI to do it these days…) and that’s money.

    Basically they want to eat their cake and have it too. This applies to all modern package managers for modern languages that make it easy to distribute your own code and consume free online code.

    I doubt the industry will ever mature to a point where this will stop, as the tradeoff of getting free code with no work is just too good for most companies, especially the smaller ones.