No one owes you supply-chain security
- #dependency-auditing
- #supply-chain-security
- #rust-ecosystem
- Supply-chain attacks in Rust can occur through methods like typo-squatting, where malicious libraries mimic legitimate ones. Solutions like direct URLs or namespacing can be ineffective, because it is difficult to remember or verify the correct source.
- Rust's build scripts and procedural macros pose security risks, such as potential remote code execution, and while sandboxing efforts exist, they are limited because tools like cargo test or cargo run cannot be easily sandboxed, requiring system-level isolation.
- Crates.io faces challenges in ensuring that the code in its registry is consistent with the code in the corresponding Git repositories. Issues such as deletion prevention (inspired by the left-pad incident) and potential discrepancies between the two make it hard to enforce strict security measures without breaking existing workflows.
- There is a misconception that preventing malicious code on crates.io is solely Rust's responsibility, but Rust is largely volunteer-driven with limited resources, and users share accountability for auditing dependencies they use.
- Rust provides tools for users to enhance security, such as lockfiles, version pinning, cargo-vet, download plots on crates.io, source code inspection, and dry-run updates, along with sandboxing options like cargo-chef or firejail for build isolation.
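
As an added illustration of the user-side auditing described above (this is not code from the summarised article or from any Rust project), the following sketch reads package names out of `Cargo.lock` text and lists those that are not on your own allowlist yet sit within a small edit distance of an entry on it, which is the pattern typo-squatting produces. The function names, the `intended` allowlist, the threshold of 2 and the sample lockfile are all assumptions made for the example.

```rust
/// Levenshtein edit distance between two crate names.
fn edit_distance(a: &str, b: &str) -> usize {
    let (a, b): (Vec<char>, Vec<char>) = (a.chars().collect(), b.chars().collect());
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    for i in 1..=a.len() {
        let mut cur = vec![i];
        for j in 1..=b.len() {
            let substitute = prev[j - 1] + usize::from(a[i - 1] != b[j - 1]);
            cur.push(substitute.min(prev[j] + 1).min(cur[j - 1] + 1));
        }
        prev = cur;
    }
    prev[b.len()]
}

/// crates.io rejects names that differ only by case or '-' vs '_'; fold both.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase().replace('_', "-")
}

/// Names of `[[package]]` entries in Cargo.lock text (`name = "..."` lines).
fn locked_names(lock: &str) -> Vec<String> {
    let name_of = |l: &str| Some(l.trim().strip_prefix("name = \"")?.strip_suffix('"')?.to_string());
    lock.lines().filter_map(name_of).collect()
}

/// (locked, intended) pairs: not on the allowlist, yet within `max` edits of it.
fn suspects(lock: &str, intended: &[&str], max: usize) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for name in locked_names(lock) {
        let n = normalise(&name);
        if intended.iter().any(|i| normalise(i) == n) {
            continue; // exactly the crate we meant to use
        }
        for i in intended {
            if edit_distance(&n, &normalise(i)) <= max {
                out.push((name.clone(), i.to_string()));
            }
        }
    }
    out
}

// Constructed lockfile excerpt; "rannd" and "tokoi" are made-up names.
const SAMPLE_LOCK: &str = "[[package]]\nname = \"rand_core\"\n[[package]]\nname = \"rannd\"\n\
    [[package]]\nname = \"serde\"\n[[package]]\nname = \"tokoi\"\n";

fn main() {
    println!("{:?}", suspects(SAMPLE_LOCK, &["serde", "tokio", "rand"], 2));
}
```

A hit only means the name deserves a manual look at its source and publisher before the lockfile change is accepted; related crates such as `rand_core` fall outside the threshold and are not reported.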