this post was submitted on 17 Dec 2025
19 points (95.2% liked)

Rust


estimated audit backlog: 67560 lines

I started learning rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on "rand" to get random numbers, which requires 8 different libraries), I installed "cargo vet" so that I'd at least know about it if I accidentally added things that haven't been vetted by anyone at all.

Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding "rand" have not been vetted by anyone.

Anyway, I'm learning rust.
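As an added example (not code from cargo vet, nor anything posted in this thread), a simplified model of the check the post describes: it parses a Cargo.lock and lists every crate that no audit covers at its exact version, which is what cargo vet flags as unvetted. Assumptions: the lockfile and audit records are constructed sample data, and only full audits at an exact version count; real cargo vet also applies delta audits, exemptions and imported audit sets.

```rust
use std::collections::HashSet;
/// Constructed Cargo.lock excerpt (not a real project's lockfile).
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "cfg-if"
version = "1.0.0"
[[package]]
name = "rand"
version = "0.8.5"
[[package]]
name = "rand_core"
version = "0.6.4"
"#;
/// Constructed audit records: (crate, version, criteria), the shape an
/// audits.toml entry takes after `cargo vet certify` or an import.
pub const SAMPLE_AUDITS: &[(&str, &str, &str)] = &[
    ("cfg-if", "1.0.0", "safe-to-deploy"),
    ("rand", "0.8.4", "safe-to-deploy"), // older version: does not cover 0.8.5
];
/// Parse (name, version) from each [[package]] block of a Cargo.lock.
pub fn parse_lock(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}
/// "name:version" keys with no full audit at that exact version for `criteria`
/// (simplified: real cargo vet also applies delta audits, exemptions, imports).
pub fn unvetted(lock: &str, audits: &[(&str, &str, &str)], criteria: &str) -> Vec<String> {
    let covered: HashSet<String> = audits.iter()
        .filter(|(_, _, c)| *c == criteria)
        .map(|(n, v, _)| format!("{n}:{v}")).collect();
    parse_lock(lock).into_iter()
        .map(|(n, v)| format!("{n}:{v}"))
        .filter(|key| !covered.contains(key)).collect()
}
fn main() {
    for key in unvetted(SAMPLE_LOCK, SAMPLE_AUDITS, "safe-to-deploy") {
        println!("unvetted: {key}");
    }
}
```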

[–] BB_C@programming.dev 8 points 1 day ago (8 children)

fastrand has zero dependencies.

And all external dependencies are "pulled from the interwebs" nowadays (in source and/or binary form), irrespective of language. This includes core, alloc, and std, which are crates that came with your compiler, which you pulled from the interwebs.

[–] kbal@fedia.io 5 points 1 day ago (7 children)

I got the compiler and whatever comes with it from the debian package manager, which has existed for much longer than has crates.io and has had fewer malicious packages get into it.

[–] TehPers@beehaw.org 2 points 1 day ago

which has existed for much longer than has crates.io

The Rust compiler has not existed for as long as the debian package manager has. You're still trusting it and its standard library even if your reason for trusting it is that Debian's maintainers trust it. This is also true of any vetted dependencies you download. You're trusting others at the end of the day, whether they are the package developers or the auditors. Only by auditing your dependencies yourself can you avoid trusting anyone else.

With that being said, you are also able to contribute here. Someone has to do the auditing. Go audit some packages!
