How is distributing binaries via cargo (automatic, can’t opt out, not possible to audit, invisible) better than explicitly downloading them from github?
Just puzzled; I think binary distributions make any supply chain issues basically impossible to solve.
Vendoring them into the toolchain instead of distributing source code you can compile yourself seems the opposite of solving the problem you’ve posed.