Comment by alextingle

2 days ago

Well, yes, I do know when a C project only depends on my system libraries, because otherwise it won't compile. That's the point.

Furthermore, for the purposes of this discussion, it really doesn't matter what code there is in the C project. What's there has been put there by the people who run the project. If they are malicious, then at least I know who they are. With Rust, I'm downloading and compiling code from many, many third parties. I have no idea who they are. The potential for one of them to be malicious is much, much higher.