Hi,

On 11/4/25 7:32 PM, Adrian Bunk wrote:

> The main selling point of Rust is that it avoids some classes of
> vulnerabilities at the language level, but we are not set up to
> automatically detect and handle it when published CVEs might
> affect Rust programs like sqv.

I think we need to create infrastructure for that anyway -- there's lots of C++ programs with similarly sloppy dependency management now, especially anything using dear imgui and shipping twenty copies of stb -- in that ecosystem it is completely normal to ship a library as source code that needs to be compiled with a configuration header on the include path, and Rust code is refreshingly sensible compared to that.

   Simon
