
I never used Rust. Looking at the code, I see a "Cargo.toml" file that reminds me of composer.json and package.json in that it seems to contain dependencies.

Where are these pulled from? Is this the same game as with other dependency managers in that you blindly trust a tree of code written by random people?



If you still have issues with it, Cargo (Rust's package manager) has the option to use alternative package repositories, so you can host your own repository of packages[1] if you so choose. I haven't looked too far into it, so I don't know how painless it is to replace the default one or set up a mirror for packages you trust, but someone on Reddit claims to do just that at their company [2].

I wish Rust made it easier to know who the author of a package is (i.e. namespace packages so it's clear in the Cargo.toml), but I do think they've done a better job at designing crates.io than some other package repositories (i.e. npm).

[1] https://boats.gitlab.io/blog/post/2017-10-28-alternative-reg...

[2] https://www.reddit.com/r/rust/comments/9gl8p3/host_local_rep...


You list the packages and trust their authors. That's pretty much the definition of software packages - unless you've got a sandbox for dependencies. What other model do you have in mind?


They're pulled from crates.io. I suppose it works as every other dependency manager, except that you can't have a left-pad because crates can't be removed.

In this specific case, most dependencies are authored by people well-known and trusted in the community. The Rust standard library is pretty well-rounded (not compared to Python sense, but it's not like JavaScript either), so they're not something like left-pad or is-odd.

You have there an error handling crate by the second most prolific Rust compiler contributor (if the counts are correct), an OAuth client, an HTTP one, an interactive line editor (like readline), _the_ serialization library in the ecosystem with its JSON support crate, a TOML config parser, the URL parser used by Servo and a crate for determining user paths on Unix.


With cargo (Rust build tool) you don't need to use crates.io _always_.

For instance, you can target a repository and even a specific commit like this in your cargo.toml file:

  [dependencies]
  package = { git = "https://github.com/...../something.git", rev = "commit_hash_like_9876541_for_instance" }


You can still have your dependencies reference the source cargo packages, but overwrite it in a patch or vendor section.

Don't specify the git repo directly in dependencies unless it's an unpublished crate.
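The two approaches side by side, as an added example that is not code from anyone in the thread; the crate name, repository URL and commit hash are placeholders, and the `.cargo/config.toml` part is the shape `cargo vendor` prints for you to paste:

```toml
# --- Cargo.toml ---
# Keep the normal registry dependency here, so every crate in the graph that
# asks for "some-crate" resolves to the same name and version requirement.
[dependencies]
some-crate = "1"
serde = "1"

# Override only where "some-crate" is fetched from. Unlike putting the git URL
# directly under [dependencies], this override is applied to the whole
# dependency graph, so transitive users of the crate get the pinned copy too
# instead of a second copy from crates.io. The version in the git checkout's
# own Cargo.toml must still satisfy the "1" requirement above.
# A full 40-character commit hash is unambiguous; a branch name is not a pin.
[patch.crates-io]
some-crate = { git = "https://github.com/example-org/some-crate.git", rev = "0123456789abcdef0123456789abcdef01234567" }

# --- .cargo/config.toml ---
# Alternative: check the audited sources into the repo with `cargo vendor`.
# Builds then read from ./vendor and never contact crates.io; Cargo.lock and
# the checksums in vendor/*/.cargo-checksum.json detect tampering.
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
```

Run `cargo tree` afterwards to confirm the patched crate appears once and with the expected source.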


You can even host your own package registry, but I didn't think it would be worth mentioning in the context of that question.


What universe are you living in that you don't have to trust code written by randoms? Nobody has the time to evaluate every transitive dependency. You take a small risk of getting hit by a car when you cross the road, and you take a small risk of a bad dependency when you want to create substantive software.


How is that different from maven, apt, rpm, pacman, ports, brew, chocolatey, pip, gem, &c?


You can look at the source yourself but yes it works like every other modern programming language.



