Comment by cedws
3 months ago
Yes but it's the fact that cargo can pull a massive unreviewed dependency tree and then immediately execute code from those dependencies that's the problem. If you have a repo with a Makefile you have the opportunity to review it first at least.
Do you review the 10k+ lines of generated bash in ./configure, too?
./configure shouldn't be in your repo unless it's handwritten
Pretty much. It is called "autotools" for a reason.
Theoretically you should be able to generate the configuration scripts through "autoconf" (or autoreconf), or generate Makefile.in for configure from Makefile.am using "automake", etc.
You are allowed to read Cargo.toml.
Cargo.toml does not contain the source code of dependencies nor transient dependencies.
Welp, `cargo tree`, 100 nights and 100 coffees then it is
2 replies →
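The thread's complaint is that `cargo build` runs third-party code (build scripts and procedural macros) before you have looked at any of it. As an added example that is not from the thread or from Cargo itself, the script below uses `cargo metadata` (which resolves and fetches the graph but does not compile or run anything) to list exactly which crates would execute on your machine at build time, so those can be read first; the field names `packages`, `workspace_members`, `targets[].kind` and `src_path` are the real format-version-1 JSON shape, while the embedded sample metadata and its crate names are constructed for offline use.

```python
"""List the crates in a Cargo dependency graph that run code on the build host.

Two target kinds mean a dependency's code executes as a side effect of
`cargo build`, before anything of yours runs: "custom-build" (a build.rs)
and "proc-macro" (compiled and executed inside rustc). `cargo metadata`
resolves the graph without running either, so this report can be produced
and reviewed before the first build.
"""
import json
import subprocess

# Target kinds whose code executes on the build machine.
EXECUTES_AT_BUILD = {"custom-build": "build.rs", "proc-macro": "proc macro"}

# Constructed sample in the shape of `cargo metadata --format-version 1`
# output (crate names are made up); load_metadata() runs the real command.
SAMPLE_METADATA = {
    "workspace_members": ["myapp 0.1.0 (path+file:///work/myapp)"],
    "packages": [
        {
            "name": "myapp", "version": "0.1.0",
            "id": "myapp 0.1.0 (path+file:///work/myapp)", "source": None,
            "targets": [{"name": "myapp", "kind": ["bin"],
                         "src_path": "/work/myapp/src/main.rs"}],
        },
        {
            "name": "native-sys", "version": "2.3.1",
            "id": "native-sys 2.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
            "source": "registry+https://github.com/rust-lang/crates.io-index",
            "targets": [
                {"name": "native_sys", "kind": ["lib"],
                 "src_path": "/reg/native-sys-2.3.1/src/lib.rs"},
                {"name": "build-script-build", "kind": ["custom-build"],
                 "src_path": "/reg/native-sys-2.3.1/build.rs"},
            ],
        },
        {
            "name": "derive-helper", "version": "0.4.0",
            "id": "derive-helper 0.4.0 (registry+https://github.com/rust-lang/crates.io-index)",
            "source": "registry+https://github.com/rust-lang/crates.io-index",
            "targets": [{"name": "derive_helper", "kind": ["proc-macro"],
                         "src_path": "/reg/derive-helper-0.4.0/src/lib.rs"}],
        },
        {
            "name": "plain-util", "version": "1.0.0",
            "id": "plain-util 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
            "source": "registry+https://github.com/rust-lang/crates.io-index",
            "targets": [{"name": "plain_util", "kind": ["lib"],
                         "src_path": "/reg/plain-util-1.0.0/src/lib.rs"}],
        },
    ],
}


def load_metadata(manifest_path=None):
    """Run `cargo metadata` on a real project. It downloads crates as needed
    but compiles nothing and runs no build scripts; --locked refuses to
    modify Cargo.lock, so the report matches the lockfile you will review."""
    cmd = ["cargo", "metadata", "--format-version", "1", "--locked"]
    if manifest_path:
        cmd += ["--manifest-path", manifest_path]
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def build_time_code(metadata):
    """Return [(name, version, what, path)] for every non-workspace crate
    whose targets include a build script or a proc macro, sorted by name."""
    own = set(metadata.get("workspace_members", []))
    found = []
    for pkg in metadata["packages"]:
        if pkg["id"] in own:
            continue  # your own code; you can read it directly
        for target in pkg["targets"]:
            for kind in target["kind"]:
                if kind in EXECUTES_AT_BUILD:
                    found.append((pkg["name"], pkg["version"],
                                  EXECUTES_AT_BUILD[kind], target["src_path"]))
    return sorted(found)


def report(metadata):
    """Summary: size of the resolved graph and which crates execute at build time."""
    hits = build_time_code(metadata)
    lines = [f"{len(metadata['packages'])} packages resolved, "
             f"{len(hits)} run code at build time:"]
    for name, version, what, path in hits:
        lines.append(f"  {name} {version}: {what} at {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    meta = load_metadata(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_METADATA
    print(report(meta))
```

Run it with a path to a real `Cargo.toml` to get the list for that project; with no argument it reports on the constructed sample. The listed `src_path` entries point into the local registry cache, so each build script and proc-macro crate can be opened and read before running `cargo build`. This narrows the review to the code that executes on the build host; the remaining library crates still end up in your binary, so the `cargo tree` review mentioned in the thread is still needed for them.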