For those in the know about such matters, where is the secret, community audited Rust supply chain?
Let's say I want to start a new project in Rust that needs to touch web services for some reason. The standard answer today is "just use crate <X>." But let's say that I'm security sensitive and spooked by how easy it appears to compromise open source dependencies in 2025.
So I thought, "well, Signal is the gold standard for security and open source - let's see what they do". Libsignal's 'Cargo.lock' has 599 packages in it. Is someone at Signal auditing all of those (and monitoring them for updates)? I see many well established shops using Rust with dependencies - I assume they're vendoring them internally and running them through their own reviews. Is that what everyone does? Or am I just being overly paranoid about the breadth of the dependency chain for what everyone relies on for being one of the most secure messaging clients?
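As an added illustration of the question above (not code from the poster, from Signal or from libsignal), the following script builds the inventory a reviewer would start from when facing a lockfile like the one described: it parses the standard `[[package]]` layout of a Cargo.lock, counts entries, flags git sources and entries that carry no registry checksum, and ranks crates by how many others directly depend on them. The lockfile content is a constructed sample, not libsignal's.

```python
from collections import Counter
# Constructed sample lockfile for this example (not libsignal's real Cargo.lock).
SAMPLE_LOCK = '''[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "reqwest",
 "serde",
]
[[package]]
name = "reqwest"
version = "0.12.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "aa11"
dependencies = ["serde 1.0.210", "tokio"]
[[package]]
name = "serde"
version = "1.0.210"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bb22"
[[package]]
name = "tokio"
version = "1.40.0"
source = "git+https://example.invalid/fork/tokio?branch=main#abc123"
dependencies = ["serde"]'''

def parse_cargo_lock(text):
    # Minimal parser for [[package]] tables; handles one-line and multi-line dependency arrays.
    packages, cur, in_deps = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "[[package]]":
            cur = {"dependencies": []}
            packages.append(cur)
        elif in_deps or line.startswith("dependencies = ["):
            body = line if in_deps else line.split("[", 1)[1]
            # entries look like '"serde 1.0.210 (registry+...)",'; the crate name is the first token
            cur["dependencies"] += [d.strip(' "').split()[0] for d in body.rstrip("]").split(",") if d.strip(' "')]
            in_deps = not line.endswith("]")
        elif cur is not None and " = " in line:
            key, _, val = line.partition(" = ")
            cur[key] = val.strip('"')
    return packages

def summarize(text):
    # Inventory: total surface, git entries, entries with no registry checksum (Cargo verifies nothing
    # for those on download), and direct reverse-dependency counts as a rough blast-radius measure.
    pkgs = parse_cargo_lock(text)
    no_checksum = sorted(p["name"] for p in pkgs if "source" in p and "checksum" not in p)
    git = sorted(p["name"] for p in pkgs if p.get("source", "").startswith("git+"))
    dependents = Counter(d for p in pkgs for d in p["dependencies"])
    return {"total": len(pkgs), "git_sources": git, "no_checksum": no_checksum, "most_depended_on": dependents.most_common(3)}
```

Run `summarize(open("Cargo.lock").read())` against a real lockfile; the crates at the top of `most_depended_on` are the ones whose compromise would reach the most of the tree and so deserve review first.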
> One compromise was due to a vulnerability that was already fixed, but had persisted on an old branch. Any time we make a security improvement (including patching a vulnerable Action) on a GitHub Actions workflow, we need to remember to cherry-pick it to all branches, including stale ones.