Tech Debt: My Rust Library Is Now a CDO

Tech debt as derivative / CDO metaphor

  • Many like the framing of tech debt as a derivative rather than just “debt”: its risk profile depends on layered dependencies and who “calls” it in production.
  • The CDO analogy is used to illustrate systemic risk: bundling many fragile components into apparently “safe” packages can hide underlying fragility.
  • Some think the analogy works only partially: unlike 2008 CDOs, maintainers who vendor or fork code can often still change the fundamentals and improve the asset.

Vendoring, forking, and dependency risk

  • Vendoring abandoned dependencies is seen by some as a clear win: no surprise upstream changes, less supply-chain risk, easier to prune unused code paths.
  • Others see it as “dependency theater” if you simply pin and vendor without actually reviewing or modifying the code.
  • There’s debate on etiquette: report bugs and offer fixes first, then fork if maintainers are unresponsive; forks don’t need to be permanent.

YAML crates and RustSec fallout

  • The specific trigger was an advisory against a widely used YAML crate and another major YAML crate being marked unmaintained.
  • Tools now flag these crates, lighting up CI for thousands of dependents; some argue this correctly surfaces latent risk, others say it’s treated as overly urgent.
  • Vendoring the YAML code into a consumer library removes the advisory noise but shifts maintenance burden and reduces shared visibility into future issues.

Rust ecosystem, stdlib size, and dependency explosion

  • Several comments criticize Rust’s small standard library and heavy reliance on third-party crates, especially for basics like async, RNG, hashing, and YAML/JSON/SSL.
  • Others defend the design: keeping std small preserves long-term maintainability and allows faster iteration out-of-tree.
  • Complaints about crates.io: unmoderated growth, many small utilities, multiple versions of the same basic crates, and large transitive graphs even for small projects.

Security tooling, governance, and funding

  • Security scanners and corporate policies often treat “unmaintained” as equally bad as active vulnerabilities, causing noisy alerts.
  • Some want richer signals (severity, exploitability, dev-only vs runtime, feature-complete-but-stable vs truly abandoned).
  • Proposals include: “blessed” crate lists, package “rating agencies,” legal mechanisms for registry takeovers of critical abandoned packages, and more direct funding of maintainers.
  • Others counter that open source comes with no maintenance guarantees; expecting perpetual free support is seen as entitled.