The Kernel and, say, Chromium don't use crates.io. They (will) vendor what they need, which they can update when they need to and when they've reviewed the dependencies.
Unless that 0-day comes from some other software, it seems unlikely that we'll get such a worldwide supply chain issue.
Firefox, on the other hand, seems to download a ton of Rust packages during the build as opposed to vendoring. (Debian maintains a bunch of hacks to allow vendoring all the Rust components, but this isn't the default or the approach taken by other distros, e.g. Arch Linux.)
nevi-me|3 years ago
Unless that 0-day comes from some other software, it seems unlikely that we'll get such a worldwide supply chain issue.
bscphil|3 years ago