• Bazebara@programming.dev
    1 upvote · 2 days ago

    I don’t think cargo-deny alone is enough. And many from the Rust ecosystem think that if I specified version “1”, it will be enough forever. Many tools nowadays are installed by binstall, so the binary will be older and older and won’t receive any updates.
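    Added example (mine, not code from the thread or from cargo-deny/binstall): a stdlib-only Rust model of Cargo's default caret requirement semantics. It shows what a requirement such as `"1"` actually permits, and flags a locked or pre-built binary whose pinned dependency version has fallen behind the newest release the requirement would allow. The published-version list is constructed sample data, not a real crate's history.

```rust
// Added example: Cargo caret-requirement matching and a staleness check for a pinned version.
// Version numbers below are constructed sample data.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "1", "1.2" or "1.2.3"; missing components default to 0.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next().unwrap_or(Some(0))?;
        let patch = parts.next().unwrap_or(Some(0))?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// Cargo's default requirement: "1" means >=1.0.0,<2.0.0; "0.2" means >=0.2.0,<0.3.0;
/// "0.0.3" means >=0.0.3,<0.0.4 (the leftmost non-zero component may not change).
pub struct CaretReq {
    pub min: Version,
    pub max_exclusive: Version,
}

impl CaretReq {
    pub fn parse(req: &str) -> Option<CaretReq> {
        let req = req.trim().trim_start_matches('^');
        let specified = req.split('.').count();
        let min = Version::parse(req)?;
        let max_exclusive = if min.major > 0 || specified == 1 {
            Version { major: min.major + 1, minor: 0, patch: 0 }
        } else if min.minor > 0 || specified == 2 {
            Version { major: 0, minor: min.minor + 1, patch: 0 }
        } else {
            Version { major: 0, minor: 0, patch: min.patch + 1 }
        };
        Some(CaretReq { min, max_exclusive })
    }

    pub fn matches(&self, v: &Version) -> bool {
        *v >= self.min && *v < self.max_exclusive
    }
}

/// Newest published version that the requirement would accept on a fresh `cargo update`.
pub fn newest_matching(req: &str, available: &[&str]) -> Option<Version> {
    let req = CaretReq::parse(req)?;
    available
        .iter()
        .filter_map(|s| Version::parse(s))
        .filter(|v| req.matches(v))
        .max()
}

/// True when the version baked into a lockfile or pre-built binary is older than
/// the newest version the requirement allows, i.e. the build is silently behind.
pub fn is_stale(locked: &str, req: &str, available: &[&str]) -> bool {
    match (Version::parse(locked), newest_matching(req, available)) {
        (Some(l), Some(n)) => n > l,
        _ => false,
    }
}

fn main() {
    // Constructed sample: what a registry might list for one dependency over time.
    let published = ["1.0.0", "1.4.2", "1.9.0", "2.0.0", "2.1.0"];
    let req = "1";
    println!("newest allowed by \"{req}\": {:?}", newest_matching(req, &published));
    for locked in ["1.4.2", "1.9.0"] {
        println!("binary built with {locked}: stale = {}", is_stale(locked, req, &published));
    }
}
```

    The point the check makes concrete: the `"1"` requirement is satisfied by every `1.x` release, but nothing re-resolves it on its own. A lockfile keeps the version that was current when it was written, and a binary installed from a pre-built artifact keeps whatever was linked in at build time, so a periodic check of locked versions against the registry (or cargo-deny's advisory database) is what actually surfaces the drift.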

  • FizzyOrange@programming.dev
    5 upvotes · 4 days ago

    Yeah, unfortunately these numbers don’t really allow any conclusions to be drawn at all.

    Also they’re not really related to supply chain security which is more about deliberate subterfuge. I think the interesting stat there would be how many authors are being trusted typically for each crate.
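    Added example, not part of the thread: a Rust sketch of the statistic FizzyOrange mentions. Given a dependency graph and a list of publish owners per crate (both constructed sample data here; a real run would take the graph from Cargo.lock and the owners from `cargo owner --list` or the registry), it computes how many distinct people could push a new release somewhere in each crate's transitive dependency tree, which is the set an attacker would have to compromise one member of.

```rust
// Added example: count the distinct publish owners trusted transitively by each crate.
// The graph and owner lists are constructed sample data, not real crates.io records.
use std::collections::{BTreeSet, HashMap};

/// Direct dependencies of each crate (constructed sample graph).
pub fn sample_deps() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("my-app", vec!["web", "log"]),
        ("web", vec!["http", "log"]),
        ("http", vec!["bytes"]),
        ("log", vec![]),
        ("bytes", vec![]),
    ])
}

/// Accounts allowed to publish each crate (constructed sample owner lists).
pub fn sample_owners() -> HashMap<&'static str, Vec<&'static str>> {
    HashMap::from([
        ("my-app", vec!["me"]),
        ("web", vec!["alice", "bob"]),
        ("http", vec!["carol"]),
        ("log", vec!["dave"]),
        ("bytes", vec!["carol", "erin"]),
    ])
}

/// Every owner who could publish a new version of some crate in `root`'s transitive
/// dependency tree. The root's own owners are excluded: the question is who else is trusted.
pub fn trusted_owners<'a>(
    root: &'a str,
    deps: &HashMap<&'a str, Vec<&'a str>>,
    owners: &HashMap<&'a str, Vec<&'a str>>,
) -> BTreeSet<&'a str> {
    let mut visited: BTreeSet<&str> = BTreeSet::new();
    let mut stack: Vec<&str> = deps.get(root).cloned().unwrap_or_default();
    let mut trusted = BTreeSet::new();
    while let Some(krate) = stack.pop() {
        // Cycles and shared dependencies are visited once.
        if !visited.insert(krate) {
            continue;
        }
        if let Some(o) = owners.get(krate) {
            trusted.extend(o.iter().copied());
        }
        if let Some(d) = deps.get(krate) {
            stack.extend(d.iter().copied());
        }
    }
    trusted
}

/// (crate, number of distinct trusted third-party owners), largest first.
pub fn owner_counts<'a>(
    deps: &HashMap<&'a str, Vec<&'a str>>,
    owners: &HashMap<&'a str, Vec<&'a str>>,
) -> Vec<(&'a str, usize)> {
    let mut counts: Vec<(&str, usize)> = deps
        .keys()
        .map(|k| (*k, trusted_owners(k, deps, owners).len()))
        .collect();
    counts.sort_by(|a, b| b.1.cmp(&a.1).then(a.0.cmp(b.0)));
    counts
}

fn main() {
    let deps = sample_deps();
    let owners = sample_owners();
    for (krate, n) in owner_counts(&deps, &owners) {
        println!("{krate}: trusts {n} distinct publisher(s): {:?}", trusted_owners(krate, &deps, &owners));
    }
}
```

    Counting distinct owners rather than crates is what makes the number meaningful: in the sample, `my-app` pulls in four dependencies but trusts five people, and `carol` appears twice, so one compromised account reaches two crates in the tree. Download counts, the metric the linked post relies on, say nothing about either of those facts.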

    • MoSal@programming.dev
      2 upvotes · 4 days ago

      I have the feeling that this wasn’t even done properly (e.g. checking default versions only). Using downloads alone is also not a good filter.

      I may give this some time tomorrow and provide my own numbers.