this post was submitted on 17 Dec 2025
21 points (95.7% liked)


estimated audit backlog: 67560 lines

I started learning rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on "rand" to get random numbers, which requires 8 different libraries), I installed "cargo vet" so that I'd at least know about it if I accidentally added things that haven't been vetted by anyone at all.

Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding "rand" have not been vetted by anyone.

Anyway, I'm learning rust.

CameronDev@programming.dev 12 points 2 weeks ago

They may not have been formally vetted, but they are in the sense that the majority of those 200 crates are used widely in everyone else's projects.

But yeah, this is definitely a blind spot, not just for rust, but all modern build systems that accept code from various sources. At least cargo vet is a step in the right direction.