I am odd, yes. I also care deeply about supply chain security and focused on it when I led the crates.io team as well as during my time at the Rust Foundation. You can rest assured that my occasional shitposts are not opening an attack avenue for your supply chain.
If David had come forward when everyone else did about how this situation played out, and actually spoken to JeanHeyd or apologized ever, that's exactly what would have happened.
I'm the organizer who gave the invite. It was indeed explicitly framed as "you can talk about whatever you want". In my opinion it was pretty obvious this is what JeanHeyd would talk about before the invite went out. He told us about the topic in that same call. There was a member of project leadership in the call as well, no concerns were raised about the topic. The first time JeanHeyd learned of any concerns with it was when project leadership asked me to downgrade the talk
I would just like to tack on that malicious code is against the crates.io terms of service, and something like exfiltrating secrets in a build script is something that very clearly qualifies as malicious. If you ever encounter this in the wild, please make sure you report it to the crates.io team, so it can be removed.
> Or now that I think about it, is it instead the case that a whole program including all dependencies will be compiled by the same compiler (of which newer editions will have the latest security fixes)
It's this. Rust doesn't (yet) have a stable ABI for functions that aren't marked `extern "C"`. Any security vulnerability that would affect code in rust-lang/rust would most likely be in the standard library, which doesn't change between editions. All code links to the same libstd. Only the compiler frontend changes
For purchases like the one in the article, you can absolutely purchase with stock in lieu of cash. This happens all the time, and doesn't have nearly the impact on the share price that selling for cash on the exchange does.
How much cash you could get in a vault isn't really a useful measure of wealth since cash isn't the only object of value that you can exchange for goods and services (which you even pointed out in your comment by mentioning gold)
Yeah, unfortunately there's not really much of an alternative here besides dropping libgit2 and subshelling out to git (which we honestly should consider, it just hasn't been a priority).
Often times database changes are a complex multi-stage process. Since we're still a small team, we're able to have them merged as a single PR and the author deploys each commit as needed. A complicated CD process would just add more burden on our team at this size, and is really more useful when you have enough people contributing that those sort of complex deploys block other people's work