Miss Dada  🏳️‍⚧️

I agree with your general take, but trusting people to do the right thing still doesn't mean I'm going to leave them unattended with my laptop signed in with a terminal to my production database open. (But cargo-crev is still not a solution)

I really should have put a disclaimer here with a big asterisk "for deps" Really it's more like you inviting someone to hang out at your house and not fuck things up, not locking your car.

Well, a crate can execute arbitrary code at build time: with a lot of tools and CLIs storing authentication keys or other sensitive data in home directories by default, the amount of bad stuff a rogue dependency could do is huge.

I'm not saying it won't. I am saying that in the grand scheme of things it's lower on my priority list of security threats. My deps are not as likely to cause security issues in a service I write. It's my own code.

If your company's net worth is in the tens or hundreds of millions and you're processing sensitive information you should absolutely be investing in auditing your dependencies. For most shops this isn't worth the time, but it's unfortunate that bigcos don't invest in it either

It's frustrating for me to see both sides of this argument, because IMO the people who don't need to care over-estimate the threat and the people who *do* need to care under-estimate it

Where I work I absolutely need to care, but in my own code outside of work it's about your threat model. It's highly contextual. Just for the most part it's not to me as big of an issue and tools like cargo crev are just reactionary. It doesn't solve a problem.

I agree on all points