
Go is another example of a fat std lib causing issues, specifically with their crypto code.

I think in general the things people are worried about are:

1. Maintainer quits
2. Bad actor becomes new maintainer
3. Bad PR
4. Account compromise

When I say I want the Rust Foundation to take them under its wing, what I really mean is I want the foundation to provide funding and have packages undergo the same procedure as the main language.

If there’s a CVE, the foundation should orchestrate reporting and standardize it.

If it becomes abandoned, the foundation should handle that.

Basically I want it to be an extension of the standard, but not in a way that actually requires it to be so. I just want these packages to have the seal of approval of the foundation so I know that they have a minimum amount of quality and are vetted on the regular by a trusted entity.



> If there’s a CVE the foundation should orchestrate reporting and standardize it.

To some degree that is the case.

There is the RustSec CVE numbering agency, and crates.io lists CVEs reported to it on its website under the `Security` tab.

In combination with cargo-audit, cargo-deny and co. this is already quite useful. But IMHO, as of now, things don't yet fully "click together"/"work out of the box", and many parts that are IMHO needed are still missing.
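The gap the comment above points at (the advisory data exists, but wiring it into a build so that it fails for the right reasons is left to each project) is usually closed with a small CI gate over `cargo audit --json`. The following is an added example, not code from the thread or from the cargo-audit/RustSec projects. It assumes the top-level shape of `cargo audit --json` output (`vulnerabilities.list[]` entries carrying `advisory`, `package` and `versions.patched`, and `warnings` keyed by kind such as `unmaintained` and `yanked`); the embedded report is constructed for the example, and its advisory IDs and crate names are placeholders, not real advisories. The one design point worth copying is that every ignore entry carries an expiry date, so a forgotten exception turns back into a failure instead of hiding a finding indefinitely.

```python
"""CI gate over `cargo audit --json` output (added example, not project code).

Assumed report shape: vulnerabilities.list[] with `advisory`, `package` and
`versions.patched`; `warnings` is an object keyed by warning kind. The sample
report below is constructed; IDs and crate names are placeholders.
"""
import json
import sys
from datetime import date

# Constructed sample of what `cargo audit --json` prints, trimmed to the fields
# this gate reads. Advisory IDs and crate names are placeholders.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "found": True,
        "count": 2,
        "list": [
            {
                "advisory": {"id": "RUSTSEC-0000-0001", "package": "example-crate",
                             "title": "placeholder advisory", "aliases": ["CVE-0000-00001"]},
                "versions": {"patched": [">=1.2.3"], "unaffected": []},
                "package": {"name": "example-crate", "version": "1.2.0"},
            },
            {
                "advisory": {"id": "RUSTSEC-0000-0002", "package": "other-crate",
                             "title": "placeholder advisory", "aliases": []},
                "versions": {"patched": [], "unaffected": []},
                "package": {"name": "other-crate", "version": "0.3.1"},
            },
        ],
    },
    "warnings": {
        "unmaintained": [
            {"advisory": {"id": "RUSTSEC-0000-0003", "package": "old-crate"},
             "package": {"name": "old-crate", "version": "2.0.0"}},
        ],
        "yanked": [],
    },
})

# Temporary exceptions: advisory id -> (expiry, reason). Every entry expires, so a
# forgotten ignore becomes a failure again instead of silently hiding a finding.
# Placeholder entry matching the constructed sample above.
IGNORES = {
    "RUSTSEC-0000-0002": (date(2099, 1, 1), "no patched release exists yet"),
}


def evaluate(report_json, ignores=IGNORES, today=None):
    """Return (failures, notes); a non-empty failures list means the build should fail.

    Vulnerabilities fail unless covered by an unexpired ignore, and an expired
    ignore fails loudly. Warnings (unmaintained, yanked, ...) are only reported.
    `today` may be a date or an ISO string, so CI can pin it for reproducible runs.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    report = json.loads(report_json)
    failures, notes = [], []

    for vuln in (report.get("vulnerabilities") or {}).get("list") or []:
        adv, pkg = vuln["advisory"], vuln["package"]
        patched = (vuln.get("versions") or {}).get("patched") or []
        label = "%s in %s %s (patched: %s)" % (
            adv["id"], pkg["name"], pkg["version"], ", ".join(patched) or "none")
        exc = ignores.get(adv["id"])
        if exc is None:
            failures.append(label)
        elif exc[0] >= today:
            notes.append("ignored until %s: %s; reason: %s" % (exc[0], label, exc[1]))
        else:
            failures.append("expired ignore (%s): %s" % (exc[0], label))

    for kind, entries in (report.get("warnings") or {}).items():
        for warning in entries:
            adv_id = (warning.get("advisory") or {}).get("id", "no advisory")
            pkg = warning.get("package") or {}
            notes.append("%s: %s in %s %s" % (kind, adv_id, pkg.get("name"), pkg.get("version")))
    return failures, notes


def main(argv):
    """Usage: `cargo audit --json | python audit_gate.py`, or `--sample` for the embedded report."""
    raw = SAMPLE_AUDIT_JSON if "--sample" in argv else sys.stdin.read()
    failures, notes = evaluate(raw)
    for line in notes:
        print("note:", line)
    for line in failures:
        print("FAIL:", line)
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run with `--sample` to see the constructed report evaluated: the first vulnerability fails the build, the second is covered by its (placeholder) ignore until the expiry date, and the unmaintained warning is printed as a note without failing anything. `cargo audit` already exits non-zero on findings, so in a pipeline the gate's exit status, not cargo's, is what the job should key on.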



