That's 238 dependencies (counting multiple versions of the same crate).

* Many of them are part of families of crates maintained by the same people (e.g. rust-crypto, windows, rand or regex).

* Most of them are popular crates I'm familiar with.

* Several are only needed to support old compiler versions and can be removed once the MSRV is raised.

So it's not as bad as it looks at first glance.

reply
What would be a reasonable amount of time to audit the dependencies?
reply
I would let them decide based on their security policy.

If Microsoft states that they don't have any for a project like this, I would be wary of taking it too seriously.

reply
They ran it through Copilot which gave it the all-clear.
reply
[flagged]
reply
Nope, that's a very fair poke at MS. They've gone so far into AI adoption that it's become absurd.

- They have VPs posting on LinkedIn about rewriting existing code using AI and adhering to arbitrary metrics of an x% rewrite and laying off y% of engineers that used to work on it.

- Renaming one of their major flagship product lines (MS Office) to (MS Copilot Apps 365).

- Forcing AI features on users despite not wanting it, and overriding OS configuration that should turn it off.

- Executives publicly shaming the general public for not wanting "all the AI all the time".

reply

  grep 'name = ' ms-litebox-Cargo.lock | wc -l
     238
edit:

  grep 'name = ' ms-litebox-Cargo.lock | sort -u | wc -l
     221
reply
I've always done 'sort | uniq'. Never bothered to check for the unique flag to sort. Although 'uniq -c' is quite nice to have.

       -c, --count
              prefix lines by the number of occurrences
reply
Yeah, to see the packages with multiple versions:

  grep 'name = ' ms-litebox-Cargo.lock | sort | uniq -c | grep -v '1 name' | sort -n
Package windows-sys has the highest number of versions included, 3: 0.59.0, 0.60.2, and 0.61.2.

Edit: Also, beware of the unsorted uniq count:

  cat <<EOF | uniq -c
  > a
  > a
  > b
  > a
  > a
  > EOF
   2 a
   1 b
   2 a
reply
grep -v '1 name' excludes 11, 21, etc., but I take your point.
reply
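As an added example (not posted by any commenter in this thread), the same count as the grep/sort/uniq pipelines above, done by parsing the `[[package]]` tables of a lock file instead of pattern-matching on `uniq -c` output. Grouping by crate name gives exact multiplicities, so it neither trips over the `'1 name'` vs. `11 name` problem pointed out in the follow-up nor depends on the input being sorted first, which is the unsorted-`uniq` pitfall shown earlier. The Cargo.lock text is a constructed sample in the shape cargo emits; it is not the real ms-litebox lock file, and the three windows-sys versions are simply reused from the thread.

```python
import re
from collections import defaultdict

# Constructed sample Cargo.lock (NOT the real ms-litebox lock file). It mirrors
# the format cargo writes: one [[package]] table per resolved crate version.
SAMPLE_CARGO_LOCK = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4

[[package]]
name = "litebox"
version = "0.1.0"
dependencies = [
 "rand",
 "windows-sys 0.61.2",
]

[[package]]
name = "rand"
version = "0.8.5"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "windows-sys"
version = "0.59.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "windows-sys"
version = "0.60.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "windows-sys"
version = "0.61.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex"
version = "1.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Only the two keys we care about inside a [[package]] table; the quoted value
# form means the top-level `version = 4` lockfile-format line never matches.
_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_packages(lock_text):
    """Return one (name, version) tuple per [[package]] table, in file order."""
    packages = []
    current = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if current is not None:
                packages.append((current.get("name", "?"), current.get("version", "?")))
            current = {}
            continue
        if current is None:
            continue  # header comments and top-level keys belong to no package
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current is not None:
        packages.append((current.get("name", "?"), current.get("version", "?")))
    return packages


def _version_key(v):
    # Numeric-aware sort so "0.10.0" orders after "0.9.0" (a plain string sort
    # would not); non-numeric parts such as pre-release tags sort after numbers.
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-+]", v))


def version_report(lock_text):
    """Return (total entries, distinct crates, {crate: sorted versions} for crates
    that appear more than once) -- the three numbers the thread's pipelines compute."""
    packages = parse_packages(lock_text)
    by_name = defaultdict(list)
    for name, version in packages:
        by_name[name].append(version)
    multi = {n: sorted(v, key=_version_key) for n, v in by_name.items() if len(v) > 1}
    return len(packages), len(by_name), multi


if __name__ == "__main__":
    total, distinct, multi = version_report(SAMPLE_CARGO_LOCK)
    print(f"{total} package entries, {distinct} distinct crates")
    for name, versions in sorted(multi.items(), key=lambda kv: -len(kv[1])):
        print(f"{name}: {len(versions)} versions ({', '.join(versions)})")
```

Point `version_report` at the contents of a real Cargo.lock (`open("Cargo.lock").read()`) to get the 238/221-style figures for a project; the multi-version dictionary is the list worth looking at first when deciding which crates an audit can collapse.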
Given, you know, Microsoft, I'd demand proof even if they said they did.
reply