vsgherzi•31m ago
Supply chain incidents suck and we need to do better. Personally, for Rust I'm a proponent of the foundation supporting a few core crates that go under the same audit procedure as the main Rust language and giving funding to the project to limit supply chain vulns. I don't think the right answer is to remove systems like crates or npm. Crates and npm are a boon for many developers.
vsgherzi•30m ago
Crates has also been making efforts to include RustSec, but in addition to the above I would like the community to shy away from many small dependencies to a few larger ones, just as Tokio has.
fleventynine•13m ago
Many small crates published by large, trustworthy projects are fine and preferable to one large crate that "does everything".
suprfsat•28m ago
do we really need both npm and nmp though
PunchyHamster•23m ago
nah, remove NPM, nothing good comes out of that.
hacker_homie•13m ago
Move high value crates into the standard library?
orf•10m ago
Please no, that’s a terrible outcome.
red_admiral•5m ago
This is the most SCP thing I've read in a while that's not actually an SCP.
nikanj•5m ago
Customers give us heat for not shipping the latest vulpine-lz4. Their AI-based heuristic antivirus total defence solution automatically flags all software not running latest versions of everything
Kindly advice
lynndotpy•4m ago
For anyone confused, this is (very good imo) fiction about supply-chain incidents. It had me very worried during a brief scan that it was real though, which made me read it more attentively :)