← Back to context

Comment by dijit

8 hours ago

Why are you talking about compile times in a thread about supply chain security.

326 packages is approximately 326 more packages than I will ever fully audit to a point where my employer would be comfortable with me making that decision (I do it because many eyes make bugs shallow).

It's also approximately 300 more than the community will audit, because it will only be "the big ones" that get audited, like serde and tokio.

I don't see people rushing to audit `zmij` (v1.0.19), despite it having just as much potential to backdoor my systems as tokio does.

0 comments

dijit

Reply