Yeah unfortunately these numbers don’t really allow any conclusions to be drawn at all.
Also they’re not really related to supply chain security which is more about deliberate subterfuge. I think the interesting stat there would be how many authors are being trusted typically for each crate.
I have the feeling that this wasn’t even done properly (e.g. checking default versions only). Using downloads alone is also not a good filter.
I may give this some time tomorrow and provide my own numbers.