• delirious_owl@discuss.online
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    10 months ago

    You’re talking about using the language and preventing errors. That’s less about security and more about preventing errors.

    I’m talking about the supply chain, watering hole attacks, etc. Crates does not cryptographically verify the authenticity or anything that it downloads.

    The only language that I’m aware of that has a dependency manager that has cryptographic auth of everything it downloads is Java’s Maven. Everything else is vulnerable, rust included.