For those in the know about such matters, where is the secret, community audited Rust supply chain?
Let's say I want to start a new project in Rust that needs to touch web services for some reason. The standard answer today is "just use crate <X>." But let's say that I'm security sensitive and spooked by how easy it appears to compromise open source dependencies in 2025.
So I thought, "well, Signal is the gold standard for security and open source - let's see what they do". Libsignal's 'Cargo.lock' has 599 packages in it. Is someone at Signal auditing all of those (and monitoring them for updates)? I see many well established shops using Rust with dependencies - I assume they're vendoring them internally and running them through their own reviews. Is that what everyone does? Or am I just being overly paranoid about the breadth of the dependency chain for what everyone relies on for being one of the most secure messaging clients?
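The concrete half of the question above (599 entries in a Cargo.lock, which of them has anyone actually reviewed, and which ones changed since) is bookkeeping a short program can make visible. The following is an added example, not code from the original post and not Signal's or libsignal's tooling: a stand-alone Rust program that parses the [[package]] entries of a Cargo.lock and diffs exact name/version pairs against a list of audited crates. The embedded lockfile, the crate names and versions, the audit list and the checksums are all constructed placeholders.

```rust
use std::collections::HashSet;

/// One `[[package]]` entry of a Cargo.lock (the layout cargo writes today).
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,   // None for the workspace's own crates
    pub checksum: Option<String>, // only registry crates carry one
}

fn unquote(s: &str) -> String {
    s.trim().trim_matches('"').to_string()
}

/// Line-oriented parser for just the fields above. It ignores any table other
/// than `[[package]]` and the items of `dependencies = [...]` arrays.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            packages.extend(current.take()); // any table header closes the open entry
            if line == "[[package]]" {
                current = Some(Package { name: String::new(), version: String::new(), source: None, checksum: None });
            }
            continue;
        }
        // Only `key = value` lines matter; array items (`"serde",`), `]` and comments fall through.
        let pkg = match current.as_mut() { Some(p) => p, None => continue };
        let (key, value) = match line.split_once('=') { Some(kv) => kv, None => continue };
        match key.trim() {
            "name" => pkg.name = unquote(value),
            "version" => pkg.version = unquote(value),
            "source" => pkg.source = Some(unquote(value)),
            "checksum" => pkg.checksum = Some(unquote(value)),
            _ => {}
        }
    }
    packages.extend(current.take());
    packages
}

/// Exact (name, version) pairs that someone has actually reviewed.
pub type AuditSet = HashSet<(String, String)>;

pub fn audit_set(entries: &[(&str, &str)]) -> AuditSet {
    entries.iter().map(|(n, v)| (n.to_string(), v.to_string())).collect()
}

/// Third-party entries (those with a `source`) whose exact version is not in the
/// audit set. A bumped version of an audited crate lands here again, which is
/// the "monitoring them for updates" half of the question.
pub fn unaudited<'a>(packages: &'a [Package], audited: &AuditSet) -> Vec<&'a Package> {
    packages.iter()
        .filter(|p| p.source.is_some() && !audited.contains(&(p.name.clone(), p.version.clone())))
        .collect()
}

/// Third-party entries with no registry checksum: cargo pins git dependencies by commit in `source` but records no hash for them.
pub fn unhashed(packages: &[Package]) -> Vec<&Package> {
    packages.iter().filter(|p| p.source.is_some() && p.checksum.is_none()).collect()
}

/// Constructed lockfile for the demo; crate names, versions and checksums are placeholders, not real registry data.
pub const SAMPLE_LOCK: &str = r##"version = 3
[[package]]
name = "my-service"
version = "0.1.0"
dependencies = [
 "reqwest",
 "serde",
]
[[package]]
name = "reqwest"
version = "0.12.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210"
[[package]]
name = "internal-auth"
version = "0.3.0"
source = "git+https://example.invalid/internal-auth.git?rev=abc123#abc123"
"##;

fn main() {
    let pkgs = parse_lockfile(SAMPLE_LOCK);
    println!("{} packages in lockfile", pkgs.len());
    // Pretend the team's review log covers serde 1.0.203 and an older reqwest (placeholder data).
    let audited = audit_set(&[("serde", "1.0.203"), ("reqwest", "0.12.4")]);
    for p in unaudited(&pkgs, &audited) {
        println!("needs review: {} {} ({})", p.name, p.version, p.source.as_deref().unwrap_or("-"));
    }
    for p in unhashed(&pkgs) {
        println!("no registry checksum: {} {}", p.name, p.version);
    }
}
```

Running it against the placeholder lockfile reports reqwest 0.12.5 (audited at 0.12.4, so the bump needs another look) and the git dependency as needing review, and lists the git dependency separately because it has no registry checksum. This is only the bookkeeping piece; the expensive part is still reading the diff of each flagged version. The same per-version audit record, shared between organisations as files rather than kept private, is what the cargo vet tool formalises.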