Comment 2 for bug 2048781

Didier Roche-Tolomelli (didrocks) wrote :

We have many projects using Go (and another one with Rust) vendoring.

On Go, we are fully equipped on our vendoring: we are using heavy testing and use govulncheck in our upstream CI, which reports and ensures any disclosed CVEs are checked. Also, this tool tells us whether or not we are using the vulnerable code.

The Rust part is unfortunately less mature: it doesn't have, as you say, the tooling for it, and `cargo vendor` is causing unnecessary vendoring such as `./vendor_rust/win*`. We are eager for the Rust maintainers on the Foundations team to provide generic patches for it, so that they can spread out to any Rust package that enters Ubuntu.