Comment by weinzierl
2 months ago
In Rust we have cargo vet, where we share these audits and use them in an automated fashion. Companies like Google and Mozilla contribute their audits.
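To make the "use them in an automated fashion" part concrete: cargo vet lets a project import other organizations' audit files and accepts a crate version when a chain of audits (one full audit of some version, followed by delta audits of the diffs between versions) reaches the version in use. The following is an added example written for this thread, not cargo vet's own code; it models that chain resolution over a constructed set of audits merged from two hypothetical sources (the crate name, versions and sources are all made up).

```rust
use std::collections::HashSet;

/// One audit entry, simplified from the shape of a shared audits.toml.
/// `Full` means a whole version was reviewed; `Delta` means only the diff
/// between two versions was reviewed (a much cheaper audit to share).
#[derive(Debug)]
enum Audit {
    Full { crate_name: &'static str, version: &'static str },
    Delta { crate_name: &'static str, from: &'static str, to: &'static str },
}

/// Returns true if `version` of `crate_name` is covered by a chain of
/// audits: a full audit of some version plus zero or more delta audits.
fn is_vetted(audits: &[Audit], crate_name: &str, version: &str) -> bool {
    // Seed the reachable set with every fully audited version of this crate.
    let mut reached: HashSet<&str> = audits
        .iter()
        .filter_map(|a| match a {
            Audit::Full { crate_name: c, version: v } if *c == crate_name => Some(*v),
            _ => None,
        })
        .collect();
    // Follow delta audits until no new version is reached (fixpoint).
    loop {
        let before = reached.len();
        for a in audits {
            if let Audit::Delta { crate_name: c, from, to } = a {
                if *c == crate_name && reached.contains(from) {
                    reached.insert(*to);
                }
            }
        }
        if reached.len() == before {
            break;
        }
    }
    reached.contains(version)
}

/// Constructed sample: audits from two hypothetical imported sources, merged
/// the way a project's imports would be. Not data from any real audit file.
fn sample_audits() -> Vec<Audit> {
    vec![
        // Source A fully audited 1.0.0 and the 1.0.0 -> 1.1.0 diff.
        Audit::Full { crate_name: "example-crate", version: "1.0.0" },
        Audit::Delta { crate_name: "example-crate", from: "1.0.0", to: "1.1.0" },
        // Source B only audited the 1.1.0 -> 1.2.0 diff; it counts because
        // source A's chain already reaches 1.1.0.
        Audit::Delta { crate_name: "example-crate", from: "1.1.0", to: "1.2.0" },
        // A delta whose starting point nobody fully audited: 2.0.0 stays unvetted.
        Audit::Delta { crate_name: "example-crate", from: "1.9.0", to: "2.0.0" },
    ]
}
```

Running `is_vetted(&sample_audits(), "example-crate", "2.0.0")` returns false even though a delta audit ending at 2.0.0 exists, which is the failure mode this model is meant to catch: a delta is only as good as the chain behind it.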
I wish cargo went with crev instead, that has a much better model for distributed code audits.
https://github.com/crev-dev/
It's too bad MS doesn't own npm, and/or GitHub repositories. Wait
NuGet, PowerShell Gallery, the marketplaces for VSCode/VS/AZDo and the Microsoft Store too. Probably another twenty.
They collect package managers like funko pops.
I'm not quite sure about the goal. Maybe some more C# Dev Kit style rug-pulls where the ecosystem is nominally open-source but MS owns the development and distribution so nobody would bother to compete.
I took those acquisitions and a few others like LinkedIn and all the Visual Studio versions as a sign that Microsoft is trying to own the software engineer career as a domain.
And it's a great idea, similar thematically to certificate transparency
How to backport security fixes to vetted packages?