Sam James <sam@xxxxxxxxxx> writes:

>> Further, I'd like to comment a bit on the support of our users from
>> another angle. We're also responsible for security for our users
>
> Supply-chain issues become more of a problem with Rust if we end up
> making heavy use of crates. A policy moderating their use is something
> we should talk about.

+1. I find it a bit worrying when I see 500+ dependencies (mostly
transitive) being downloaded when running 'cargo build'.

Not saying we should go to the extreme of Not Invented Here syndrome
[1], since easy use of packages via 'cargo' is a major reason why people
enjoy Rust. But we should consider whether they provide enough value to
be included.

Collin

[1] https://en.wikipedia.org/wiki/Not_invented_here