out of curiosity, what makes it unacceptable?
-
It is unacceptable to say that "every language community can accept this risk" as a justification for putting billions of private lives at risk. Also, FTR, I used to vendor all my ruby deps, and read them all. Hell I patched most of them. Check the author list on the top 1000.
I would expect that Google of all places has the resources to audit it's dependencies. Either way, I don't see how this makes cargo unsuitable as a build tool. You can leave the dependencies section blank.
-
-
We do read all dependencies, see commentary about the common rust ssh stack. Some things are changing - e.g. the new offline stuff, but there are more challenges. As Ben said, http://build.rs remains a complicated concern...
-
.. for example, repeatability and isolation are also important concerns, along with performance and scalability. It's not "cargo is bad", it's "cargo does not fit some use cases"
- 3 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.