Comment by rectang

1 year ago

I suppose you could say that the audit burden scales linearly with the number of module publishers, with a small additional amount on every release point to confirm that the publisher is still who they purport to be and hasn't been compromised.

This is assuming that the audit consists of validating dependency authorship, and not the more labor-intensive approach of reviewing dependency code.

Hard no. Burden scales with number of lines. Lines being split into smaller chunks (crates) only speeds up the process in the long run.

  • Hard yes, burden scales with number of authors and not number of lines.

    That’s… the whole rationale about not liking lots of small packages.

    • Are you reviewing code you're pulling into your code base (that is usually organized and counted in lines, smartass) or authors?

      Either way, with rust it's a handful of authors, but just because they are proven to be good faith actors, doesn't mean trust in their code is implied when we're talking about supply chain hardening.