Self Download vs. Certified Crates?
⚓ Rust 📅 2026-06-10 👤 surdeus 👁️ 3

In a world that’s more and more worrying about the supply chain, companies like to pay someone to cover their back. One such offering is Redhat Quarkus Build. I’m wondering whether that’s more of a placebo. Or does it have any tangible advantage compared to a cargo deny and (overwhelmed) cargo vet guided consumption of “major crates” from crates.io?
Slight tangent: I’m also not clear whether cargo deny check advisories even can and actually does take into account target and features. We don’t care if there’s a vulnerability on Windows or in a feature we don’t use.
If there is any benefit to be had, does something similar exist for Rust? Looking at Ferrous Systems’ Ferrocene, that is maybe the only one that comes close. But their website is not quite clear whether they offer off-the-shelf safe crates, or whether it’s more consulting based. Does anybody have experience with them or any other solution?
I’m asking from the perspective of being one of quite a few Rust proponents at my $work, in a sea of increasingly beleaguered C++ guys (who get their libs maintained through the Linux distro) and a big rush towards Java & Quarkus.
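As an added illustration, not part of the original post, the following deny.toml shows the configuration surface cargo-deny exposes for the tangent raised above: restricting the crate graph it checks to the targets and features a project actually ships. It uses cargo-deny's `[graph]` section (older releases accepted the same keys at the top level); the target triples and the `tls` feature are constructed example values, and the file is assumed to sit next to the workspace Cargo.toml.

```toml
# deny.toml (added example, not from the original thread)

[graph]
# Only resolve dependencies for the platforms this project ships on.
# Crates pulled in solely by cfg(windows) or cfg(target_os = "macos")
# dependencies drop out of the graph, so their advisories are not reported.
targets = [
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "aarch64-unknown-linux-gnu" },
    # A per-target feature list narrows the graph further (constructed value).
    { triple = "x86_64-unknown-linux-musl", features = ["tls"] },
]

# Feature resolution for the workspace's own crates. Leaving all-features
# off and listing only the features actually enabled keeps optional
# dependencies that are never compiled out of the advisory check.
all-features = false
no-default-features = false
features = ["tls"]

[advisories]
# Report every unfixed advisory that survives the target/feature pruning
# above; nothing is ignored here. Entries would be RUSTSEC ids.
ignore = []
yanked = "deny"
```

With this file in place, `cargo deny check advisories` builds the pruned graph first and then matches it against the RustSec database, so a vulnerability that only reaches the project through a Windows-only or feature-gated dependency is not flagged. Running the same check without the `[graph]` section resolves every target and is the mode in which advisories for code that is never built do show up.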