> Let me rephrase this, 17% of the most popular Rust packages contain code that virtually nobody knows what it does (I can't imagine about the long tail which receives less attention).
I think this post has some good information in it, but this is essentially overstated: I look at crate discrepancies pretty often as part of reviewing dependency updates, and >90% of the time it's a single line difference (like a timestamp, hash, or some other shudder between the state of the tree at tag-time and the state at release-time). These are non-ideal from a consistency perspective, but they aren't cause for this degree of alarm -- we do know what the code does, because the discrepancies are often trivial.
Isn't the point that unless actually audited each time, the code could still be effectively anything?
I specifically don't update the version in Cargo.toml in the codebase. I patch it in just before cargo publish; otherwise all other PRs now need to change.
> we do know what the code does
You know if you check. Hardly anyone checks. It's just normalization of deviance and will eventually end up with someone exploiting it.
Not only this, but the reason we can check what the discrepancy is is that crates.io distributes source code, not binaries, so they can always be inspected. In the end, what's in crates.io is the source of truth.
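A worked version of the check the comments above describe, added here as an example (it is not code from the thread, from crates.io or from cargo): it compares an unpacked .crate against a checkout of the commit recorded in .cargo_vcs_info.json, ignoring only the files that cargo itself generates at packaging time, so that a version bumped just before publish, a stray file, or a body edit all show up as a listed path. Assumed: POSIX sh with diff, cmp and sed; the crate was fetched with curl from https://static.crates.io/crates/NAME/NAME-VERSION.crate and unpacked with tar xzf; the tree is a git checkout of the tag; the directory names in the usage line are illustrative.

```shell
#!/bin/sh
# Compare an unpacked .crate directory against a checkout of the git commit
# it claims to come from. Assumes POSIX sh, diff(1), cmp(1) and sed(1), and
# the layout `cargo package` produces (Cargo.toml.orig, .cargo_vcs_info.json).

# Print the git commit `cargo package` recorded in the crate.
# Returns 1 if the crate carries no .cargo_vcs_info.json at all.
crate_vcs_sha() {
    f="$1/.cargo_vcs_info.json"
    [ -f "$f" ] || return 1
    sed -n 's/.*"sha1" *: *"\([0-9a-f]*\)".*/\1/p' "$f"
}

# List every path that differs between CRATE and TREE, ignoring files that
# cargo generates at packaging time; return 1 if anything differs, else 0.
#   - .cargo_vcs_info.json and Cargo.lock are produced by cargo, not in git
#   - Cargo.toml inside the crate is cargo's normalized rewrite; the file as
#     committed is preserved as Cargo.toml.orig, so that one is compared
#     against the repo's Cargo.toml instead
#   - .git and target exist only in the checkout
crate_tree_diff() {
    crate="$1"; tree="$2"
    out=$( {
        diff -r -q \
            -x .cargo_vcs_info.json -x Cargo.lock \
            -x Cargo.toml -x Cargo.toml.orig \
            -x .git -x target \
            "$crate" "$tree" || true
        if [ -f "$crate/Cargo.toml.orig" ]; then
            cmp -s "$crate/Cargo.toml.orig" "$tree/Cargo.toml" ||
                echo "Files $crate/Cargo.toml.orig and $tree/Cargo.toml differ"
        fi
    } )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (names illustrative):
#   git -C ./foo-checkout checkout "$(crate_vcs_sha ./foo-1.2.3)"
#   crate_tree_diff ./foo-1.2.3 ./foo-checkout
```

Two things this makes visible. Because cargo refuses to package a tree with uncommitted changes unless `--allow-dirty` is passed, the "bump the version right before cargo publish" habit either leaves a commit that is not the tag, or publishes a tree that the recorded sha1 no longer describes; either way it shows up here as a Cargo.toml.orig difference, which is the trivial case the second comment describes. Anything outside that one line (an extra file under src, a changed body) is listed the same way, and that is the case you actually need to read.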