
A large number of security issues in the supply chain are found in the weeks or months after library version bumps. Simply waiting six months to update dependency versions can skip these. It allows time to pass and for the dependency changes to receive more eyeballs.

Vendoring buys an additional layer of security.

When everyone has Claude Mythos, we can self-audit our supply chain in an automated fashion.




You don't need vendoring for this, Cargo.lock already gives you locked dependencies until you run `cargo update`. There is an ongoing RFC to support having cargo intentionally only use library versions that are at least X days old:

https://github.com/rust-lang/rfcs/pull/3923
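As an added illustration of the minimum-age idea in this reply (this is example code written for this thread, not code from cargo or from the RFC), the script below reads the `[[package]]` entries of a constructed Cargo.lock excerpt, looks up each registry crate's publish date in a constructed table standing in for what the registry index would report, and flags any locked version younger than a chosen number of days or with no known publish date. The crate names, versions and dates are all hypothetical.

```python
from datetime import date

# Constructed Cargo.lock excerpt with hypothetical crates (not a real lockfile).
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "example-http"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "example-json"
version = "1.9.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "example-http",
 "example-json",
]
"""

# Constructed publish dates (ISO strings) keyed by (crate, version); in a real
# tool these would come from the registry index, which is assumed here.
PUBLISH_DATES = {
    ("example-http", "0.4.2"): "2024-05-30",
    ("example-json", "1.9.0"): "2024-01-15",
}


def parse_lock(text):
    """Return a list of dicts, one per [[package]] block, holding its quoted
    string keys (name, version, source, checksum). Arrays such as the
    dependencies list are skipped because their values are not quoted strings."""
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                current[key.strip()] = value[1:-1]
    return packages


def too_young(packages, dates, today_iso, min_age_days):
    """Flag registry crates whose locked version was published fewer than
    min_age_days before today_iso, or whose publish date is unknown.
    Returns a list of ((name, version), reason) tuples."""
    today = date.fromisoformat(today_iso)
    flagged = []
    for pkg in packages:
        # Workspace/path crates have no "source" and are not registry downloads.
        if "source" not in pkg:
            continue
        key = (pkg["name"], pkg["version"])
        published = dates.get(key)
        if published is None:
            flagged.append((key, "unknown publish date"))
            continue
        age = (today - date.fromisoformat(published)).days
        if age < min_age_days:
            flagged.append((key, f"published {age} days ago, below {min_age_days}"))
    return flagged


if __name__ == "__main__":
    for (name, version), reason in too_young(parse_lock(SAMPLE_LOCK), PUBLISH_DATES,
                                             "2024-06-10", 30):
        print(f"{name} {version}: {reason}")
```

Run against the constructed data with a 30-day threshold and a "today" of 2024-06-10, only `example-http 0.4.2` is flagged (11 days old); `example-json 1.9.0` is 147 days old and passes. Treating an unknown publish date as a failure rather than a pass is deliberate: a check like this should fail closed.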



