This user wanted to audit the dependencies of cargo vet which is not shipped to an end user. It is part your toolchain in the same way your OS is. One might assume the Linux or BSD kernel has been audited; it is not reasonable to assume the UI stack has because it’s open source. It is equally unreasonable to assume the Windows anything has been audited. It is only slightly reasonable to assume parts of macOS have been audited.

You’re only partially correct. If you are not securing the environment in which you code, your code is vulnerable to supply chain attacks. The chances are incredibly low, of course, but nonzero. You also can’t get away with, say, running your editor in a read-only image that only mounts your code because that read-only image could be exfiltrating your data.

Edit: here’s a great example from this year; while the exploit came from a package the attack vector was social engineering. Job postings and related files are a common entry point outside of dev tools.

How long did it take you to audit the source code for your OS?

Please don’t take me as a GH shill because I’m not. I’m not sure we read the same email given your projects. Actions on GH runners are dropping in cost and there’s a new fractional cost for self-hosted. For the average user, especially those on GH runners, costs are going down. Looking at your repo, you haven’t run anything since July. Your workflow files use GH runners. Nothing in your history suggests you’re leaving the free tier so I don’t get this FUD at all. General Microsoft hate? Fuck yeah. Shitty GH service? Fuck yeah. Plenty of reasons to dunk but this was not one of them. M

$2/mo is pretty close to what Reddit premium was back before they turned the Reddit silver meme into a real thing! That’s a great amount to donate. Don’t sell yourself short.