- cross-posted to:
- lobsters
cross-posted from: https://lemmy.bestiver.se/post/854816
Yeah unfortunately these numbers don’t really allow any conclusions to be drawn at all.
Also they’re not really related to supply chain security which is more about deliberate subterfuge. I think the interesting stat there would be how many authors are being trusted typically for each crate.
I have the feeling that this wasn’t even done properly (e.g. checking default versions only). Using downloads alone is also not a good filter.
I may give this some time tomorrow and provide my own numbers.
It would be good to know how these figures compare to e.g. pypi, npm.
Professional software development needs to include a Software Bill of Materials (SBOM) to help track and manage things like this. https://www.cisa.gov/sbom
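The metric suggested in the thread, how many distinct crate owners a crate ends up trusting through its dependency tree, can be computed from a Cargo.lock together with per-crate owner data. The script below is an added example and is not code from any commenter or from crates.io tooling: the Cargo.lock excerpt and the owner handles are constructed, and in practice the owner sets would be fetched from the crates.io owners endpoint rather than hard-coded. Owners of the root crate itself are deliberately not counted, so the number answers "whose code am I pulling in?" rather than "who publishes this crate?".

```python
"""Transitive trusted-owner count per crate from a Cargo.lock.

Added example (not from the thread). Cargo.lock text and owner data below
are constructed; real owner sets would come from the crates.io owners API.
"""

# Constructed Cargo.lock excerpt (hypothetical crates and versions).
SAMPLE_LOCK = """\
[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "http",
 "serde",
]

[[package]]
name = "http"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bytes",
 "itoa",
]

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde_derive",
]

[[package]]
name = "serde_derive"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "bytes"
version = "1.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "itoa"
version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Constructed owner data keyed by crate name (hypothetical handles).
SAMPLE_OWNERS = {
    "app": {"me"},
    "http": {"alice", "bob"},
    "bytes": {"alice"},
    "itoa": {"carol"},
    "serde": {"dave"},
    "serde_derive": {"dave"},
}


def parse_cargo_lock(text):
    """Return {crate_name: set(dependency_names)} from Cargo.lock text.

    Dependency entries are written as "name" or "name version" (the latter
    when several versions of one crate are locked); only the name is kept,
    so two locked versions of a crate collapse into one node.
    """
    deps = {}
    name = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            name, in_deps = None, False
        elif line.startswith("name = "):
            name = line.split('"')[1]
            deps.setdefault(name, set())
        elif line.startswith("dependencies = ["):
            in_deps = True
        elif in_deps:
            if line == "]":
                in_deps = False
            elif line.startswith('"'):
                deps[name].add(line.split('"')[1].split()[0])
    return deps


def trusted_owners(root, deps, owners):
    """Owners of every crate in root's transitive dependency closure.

    The root's own owners are excluded; the walk is cycle-safe and flags
    crates with no owner data rather than silently skipping them.
    """
    seen = {root}
    stack = list(deps.get(root, ()))
    trusted = set()
    while stack:
        crate = stack.pop()
        if crate in seen:
            continue
        seen.add(crate)
        trusted |= owners.get(crate, {f"<unknown owner of {crate}>"})
        stack.extend(deps.get(crate, ()))
    return trusted


def trusted_owner_counts(deps, owners):
    """Map each crate in the lock file to its distinct trusted-owner count."""
    return {c: len(trusted_owners(c, deps, owners)) for c in sorted(deps)}


if __name__ == "__main__":
    graph = parse_cargo_lock(SAMPLE_LOCK)
    for crate, n in trusted_owner_counts(graph, SAMPLE_OWNERS).items():
        print(f"{crate}: trusts {n} distinct owner(s) transitively")
```

Because owners are deduplicated across the closure, a crate whose dependencies are all published by its own maintainers scores low even with a deep tree, which is exactly the distinction a raw dependency count misses. Running it against a real Cargo.lock only requires replacing the two constructed inputs; the parser ignores `source` and `checksum` lines and any other fields.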