Is the culture of Rust/Cargo getting as bad as JS/NPM these days or is this developer just using an insane amount of dependencies?
From a quick glance through the files, I see maybe a couple dozen direct dependencies. That’s not what I would call conservative (especially for a privileged daemon) but the bulk of those hundreds seem to be sub-dependencies.
I’ve seen similar in the other Rust projects that caught my attention. I suppose this is a predictable result of Rust’s Cargo culture: When pulling in other people’s code is convenient, automated, and normalized, it tends to happen a lot, and the transitive nature of dependencies amplifies the effect.
So even a small project can easily include code from hundreds of random people other than the author, with practically no accountability, as we see here. And since it’s a long tail of small and often obscure projects, rather than a handful of well-known ones like a standard library, there is little hope of meaningful auditing.
There also seems to be a culture of statically linking all those dependencies. That means security patches will never reach a user through OS updates, and with so many dependencies involved, chances are slim that every upstream vulnerability will be patched on the user’s machine soon after it’s discovered (if ever).
I would find Rust more appealing if it had a standard library (and maybe a few high-profile well-maintained external libs) comprehensive enough to cover most needs, and if the tooling and culture encouraged minimizing dependencies. I think the former might develop with time. I fear the latter might not ever appear.