item 46914235 (no title)

kvuj | 25 days ago
The cargo.lock file is 2200+ lines long. Did they spend a reasonable amount of time auditing these dependencies?

CodesInChaos | 25 days ago
That's 238 dependencies (counting multiple versions of the same crate).
* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).
* Most of them are popular crates I'm familiar with.
* Several are only needed to support old compiler versions and can be removed once the MSRV is raised.
So it's not as bad as it looks at first glance.

shikon7 | 25 days ago
What would be a reasonable amount of time to audit the dependencies?

kvuj | 25 days ago
I would let them decide based on their security policy. If Microsoft states that they don't have any for a project like this, I would be wary of taking it too seriously.

Andrex | 25 days ago
They ran it through Copilot which gave it the all-clear.

TheSilva | 25 days ago
[deleted]

adolph | 25 days ago
    grep 'name = ' ms-litebox-Cargo.lock | wc -l
    238

edit:

    grep 'name = ' ms-litebox-Cargo.lock | sort -u | wc -l
    221

dizhn | 25 days ago
I've always done 'sort | uniq'. Never bothered to check for the unique flag to sort. Although 'uniq -c' is quite nice to have.
    -c, --count
        prefix lines by the number of occurrences

jrm4 | 25 days ago
Given, you know, Microsoft, I'd demand proof even if they said they did.
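The counting commands in adolph's and dizhn's comments, carried one step further as an added example (not code from the thread or from the project under discussion): it reproduces the entry count and the distinct-name count, then uses `uniq -c` to list the crates pulled in at more than one version, which are the entries a dependency review usually wants to look at first. It assumes the standard Cargo.lock layout and runs on a constructed lock file.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the two counts from the comments
# above and list crates pulled in at more than one version. Assumes the standard
# Cargo.lock layout: each dependency is a [[package]] block with a `name = "..."`
# line followed by a `version = "..."` line. The lock file below is constructed.
SAMPLE_LOCK="${TMPDIR:-/tmp}/sample-Cargo.lock"
cat > "$SAMPLE_LOCK" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "syn"
version = "1.0.109"

[[package]]
name = "syn"
version = "2.0.48"

[[package]]
name = "windows-sys"
version = "0.48.0"

[[package]]
name = "windows-sys"
version = "0.52.0"
EOF

# Total [[package]] entries; every version of a crate counts once (adolph's 238).
count_entries() { grep -c '^name = ' "$1"; }

# Distinct crate names (adolph's sort -u figure, 221).
count_unique() { sed -n 's/^name = "\(.*\)"/\1/p' "$1" | sort -u | wc -l | tr -d ' '; }

# Crates present at several versions, printed as "<versions> <name>" using the
# uniq -c flag dizhn mentions; duplicate versions inflate the audit surface.
multi_version() {
    sed -n 's/^name = "\(.*\)"/\1/p' "$1" | sort | uniq -c | awk '$1 > 1 { print $1, $2 }'
}

echo "entries: $(count_entries "$SAMPLE_LOCK")"   # entries: 5
echo "unique:  $(count_unique "$SAMPLE_LOCK")"    # unique:  3
multi_version "$SAMPLE_LOCK"                      # 2 syn / 2 windows-sys
```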