If crates.io is public infrastructure and it's chronically underfunded, then “audit your own dependencies” is the wrong takeaway. It shifts the cost from the companies that benefit most onto individual teams. A better response is collective funding for crates.io's security work, not making every team repeat the same audit work on its own.
https://purplesyringa.moe/blog/no-one-owes-you-supply-chain-security/

purplesyringa.moe
No one owes you supply-chain security
In case you’re unaware, I’m not a developer. I’m actually an autistic catgirl annoyed by suboptimal use of computing power, and fixing that happens to involve programming. Crucially, it also includes discussing foundational technology with people behind the scenes, and apparently that makes me more aware of social aspects of this sphere. So, I have opinions about criticism of crates.io for supply-chain attacks. After a dozen similar articles, I have some select words to voice about why it’s off the mark.
No one owes you supply-chain security https://lobste.rs/s/cxwidw #security
