Comment by kvuj
8 hours ago
The cargo.lock file is 2200+ lines long. Did they spend a reasonable amount of time auditing these dependencies?
That's 238 dependencies (counting multiple versions of the same crate).
* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).
* Most of them are popular crates I'm familiar with.
* Several are only needed to support old compiler versions and can be removed once the MSRV is raised.
So it's not as bad as it looks at first glance.
What would be a reasonable amount of time to audit the dependencies?
I would let them decide based on their security policy.
If Microsoft states that they don't have any for a project like this, I would be wary of taking it too seriously.
They ran it through Copilot which gave it the all-clear.
Nope, that's a very fair poke at MS. They've gone so far into AI adoption that it's become absurd.
- They have VPs posting on Linkedin about rewriting existing code using AI and adhering to arbitrary metrics of a x% rewrite and laying off y% of engineers that used to work on it.
- Renaming one of their major flagship product lines (MS Office) to (MS Copilot Apps 365).
- Forcing AI features on users despite not wanting it, and overriding OS configuration that should turn it off.
- Executives publicly shaming the general public for not wanting "all the AI all the time".
edit:
I've always done 'sort | uniq'. Never bothered to check for the unique flag to sort. Although 'uniq -c' is quite nice to have.
Yeah, to see the packages with multiple versions:
Package windows-sys has the highest number of versions included, 3: 0.59.0, 0.60.2, and 0.61.2.
Edit: Also, beware of the unsorted uniq count:
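The counting discussed in the two comments above (package entries including duplicate versions, distinct crates, and the crates shipped in several versions), written out as an added example. These are not the commenters' commands or anything from the project's repository; the Cargo.lock fragment is constructed for the example and the function names are mine. The `multi_version_crates` function includes the second `sort -rn` that the "unsorted uniq count" warning is about: `uniq -c` keeps the (alphabetical) input order, so without it the first line is not the crate with the most versions.

```shell
#!/bin/sh
# Added example: dependency counting over a Cargo.lock with sort | uniq -c.
# Every function below takes the path of a Cargo.lock as $1.

# Write a small constructed Cargo.lock (made up for this example, not the
# 2200-line file under discussion) to the path given as $1.
write_sample_lock() {
    cat > "$1" <<'EOF'
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "rand"
version = "0.9.0"

[[package]]
name = "regex"
version = "1.11.1"

[[package]]
name = "syn"
version = "2.0.100"

[[package]]
name = "windows-sys"
version = "0.59.0"

[[package]]
name = "windows-sys"
version = "0.60.2"

[[package]]
name = "windows-sys"
version = "0.61.2"
EOF
}

# Number of [[package]] entries: dependencies counted with duplicate versions,
# the kind of count that gives "238". Note that grep -c exits 1 on zero matches.
count_packages() {
    grep -c '^\[\[package\]\]' "$1"
}

# One crate name per package entry, duplicates kept.
package_names() {
    sed -n 's/^name = "\(.*\)"$/\1/p' "$1"
}

# Distinct crate names. sort -u replaces the classic sort | uniq.
count_unique_crates() {
    package_names "$1" | sort -u | wc -l | tr -d ' '
}

# Crates present in more than one version, as "<count> <name>", most versions
# first. uniq -c only merges adjacent lines and preserves their order, so the
# first sort is needed for correct counts, and the second (sort -rn) is what
# puts the crate with the most versions at the top. Without it the output stays
# alphabetical and the first line says nothing about which crate has most.
multi_version_crates() {
    package_names "$1" | sort | uniq -c | sort -rn | awk '$1 > 1 { print $1, $2 }'
}

# Every version of one crate ($2), as "<name> <version>" lines.
versions_of() {
    awk -v crate="$2" '
        /^\[\[package\]\]/ { name = "" }
        /^name = /         { gsub(/"/, "", $3); name = $3 }
        /^version = / && name == crate { gsub(/"/, "", $3); print name, $3 }
    ' "$1"
}

# Demo: run on the Cargo.lock given as $1, or on the constructed sample.
LOCK="${1:-}"
if [ -z "$LOCK" ]; then
    LOCK=$(mktemp)
    write_sample_lock "$LOCK"
fi
echo "package entries (with duplicate versions): $(count_packages "$LOCK")"
echo "distinct crates: $(count_unique_crates "$LOCK")"
echo "crates with more than one version:"
multi_version_crates "$LOCK"
```

Run it with no argument to see the sample, or point it at a real lock file: `sh count_deps.sh path/to/Cargo.lock`. On the sample it reports 7 package entries, 4 distinct crates, and `3 windows-sys` as the first multi-version line.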
Given, you know, Microsoft, I'd demand proof even if they said they did.