estimated audit backlog: 67560 lines

I started learning rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on “rand” to get random numbers, which requires 8 different libraries), I installed “cargo vet” so that I’d at least know about it if I accidentally added things that haven’t been vetted by anyone at all.

Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding “rand” have not been vetted by anyone.

Anyway, I’m learning rust.
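To make the "not vetted by anyone" report from cargo vet more meaningful than a wall of exemptions, the usual move is to import audit sets that other organisations publish, so that a crate someone else has already reviewed is not counted as unvetted in your tree. The file below is an added example of a `supply-chain/config.toml`, not the poster's own file or anything from the rand or cargo-vet projects; the import URLs and the `rand_core` exemption are assumptions written for illustration and should be checked against the cargo vet book and your own `Cargo.lock` before use.

```toml
# supply-chain/config.toml  (added example, not the poster's file)
# `cargo vet init` creates this file next to audits.toml; the version
# string it writes depends on the cargo vet release you installed.
[cargo-vet]
version = "0.9"

# Import audit sets published by other organisations. A crate that one of
# them has certified is then reported as vetted here too, which is the only
# way a fresh project avoids auditing every transitive dependency by hand.
# Assumption: these URLs are the ones listed in the cargo vet registry;
# verify them with `cargo vet registry` / the docs before trusting them.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

# Per-crate policy: require the stricter criterion for a crate that ends up
# in the shipped binary rather than only running at build time.
[policy.rand]
criteria = "safe-to-deploy"

# An exemption records a crate you have chosen NOT to audit yet. `cargo vet
# init` generates one per existing dependency, so every entry below is a
# known gap rather than a vetted crate; the goal is to shrink this list.
# (Illustrative entry; take the version from your own Cargo.lock.)
[[exemptions.rand_core]]
version = "0.6.4"
criteria = "safe-to-deploy"
```

With that in place, `cargo vet` (the check) fails when a dependency is covered by neither a local audit, an imported audit, nor an exemption; `cargo vet suggest` lists the crates and line counts still to review (the "estimated audit backlog" figure above comes from it), and `cargo vet certify <crate> <version>` records your own audit in `audits.toml` once you have actually read the code. The caveat is that importing an audit set is a trust decision about that organisation's reviewers, not a proof that the code is safe; it only replaces "nobody looked" with "someone you have named looked".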

  • jasory@programming.dev · 4 days ago

    You’re correct in your assessment of the worst case of distro maintainers; however, many distro developers/maintainers do contribute to the upstream (Debian policy explicitly encourages it; I only speak for Debian because that’s the only project I’ve worked in) and do vet and understand the software.

    “It can’t be better”. Except distro maintainers can block it from being included if they find errors. As noted above they also often file pull requests against the upstream. This happens a fair amount actually.