Go is another example of a fat std lib causing issues, specifically with their crypto code.

I think in general the things people are worried about are

1. Maintainer quits
2. Bad actor becomes new maintainer
3. Bad PR
4. Account compromise

When I say I want the Rust Foundation to take them under their wing, what I really mean is I want the foundation to provide funding and have packages undergo the same procedure as the main language.

If there's a CVE, the foundation should orchestrate reporting and standardize it.

If it becomes abandoned, the foundation should handle that.

Basically, I want it to be an extension of the standard but not in a way that actually requires it to be so. I just want these packages to have the seal of approval of the foundation so I know that they have a minimum amount of quality and are vetted on the regular by a trusted entity.