Tech Debt: My Rust Library Is Now a CDO
Tech debt as derivative / CDO metaphor
- Many like the framing of tech debt as a derivative rather than just “debt”: its risk profile depends on layered dependencies and who “calls” it in production.
- The CDO analogy is used to illustrate systemic risk: bundling many fragile components into apparently “safe” packages can hide underlying fragility.
- Some think the analogy works only partially: unlike 2008 CDOs, maintainers who vendor or fork code can often still change the fundamentals and improve the asset.
Vendoring, forking, and dependency risk
- Vendoring abandoned dependencies is seen by some as a clear win: no surprise upstream changes, less supply-chain risk, easier to prune unused code paths.
- Others see it as “dependency theater” if you simply pin and vendor without actually reviewing or modifying the code.
- There’s debate on etiquette: report bugs and offer fixes first, then fork if maintainers are unresponsive; forks don’t need to be permanent.
YAML crates and RustSec fallout
- The specific trigger was an advisory against a widely used YAML crate and another major YAML crate being marked unmaintained.
- Tools now flag these crates, lighting up CI for thousands of dependents; some argue this correctly surfaces latent risk, others say it’s treated as overly urgent.
- Vendoring the YAML code into a consumer library removes the advisory noise but shifts maintenance burden and reduces shared visibility into future issues.
Rust ecosystem, stdlib size, and dependency explosion
- Several comments criticize Rust’s small standard library and heavy reliance on third-party crates, especially for basics like async, RNG, hashing, and YAML/JSON/SSL.
- Others defend the design: keeping std small preserves long-term maintainability and allows faster iteration out-of-tree.
- Complaints about crates.io: unmoderated growth, many small utilities, multiple versions of the same basic crates, and large transitive graphs even for small projects.
Security tooling, governance, and funding
- Security scanners and corporate policies often treat “unmaintained” as equally bad as active vulnerabilities, causing noisy alerts.
- Some want richer signals (severity, exploitability, dev-only vs runtime, feature-complete-but-stable vs truly abandoned).
- Proposals include: “blessed” crate lists, package “rating agencies,” legal mechanisms for registry takeovers of critical abandoned packages, and more direct funding of maintainers.
- Others counter that open source comes with no maintenance guarantees; expecting perpetual free support is seen as entitled.