Re: The Case for Rust (in the base system)
- In reply to: Matthias Andree : "Re: The Case for Rust (in the base system)"
Date: Mon, 22 Jan 2024 19:03:00 UTC
On Mon, Jan 22, 2024 at 11:17 AM Matthias Andree <mandree@freebsd.org> wrote:
>
> Do Rust proponents audit what all the indirect dependencies' codes do
> before referencing them? Or are there bodies that tell us what
> libraries are safe, when the base language can't dance?

Supply-chain attacks are a serious problem for any language that makes it
easy to pull in external dependencies. Rust, Python, NPM, etc. "Never use
external dependencies", aka "Reinvent the wheel", is a pretty poor solution.

The Rust community has come up with an interesting solution: cargo-vet [1]
(and in an earlier incarnation, cargo-crev). It's basically a distributed
audit process. Any developer can audit a crate to give his personal stamp
of approval. And then any other developer can specify whose audits he is
willing to trust. The cargo-vet tool will tell you whether your project has
any dependencies that haven't been audited by a trusted auditor. If so, it
provides a UI that you can use to either audit it yourself, or accept an
audit from somebody you don't yet trust.

It takes some work to use, and it's still somewhat immature. But I think
all security-conscious companies will have to move in this direction
eventually.

[1] https://mozilla.github.io/cargo-vet/index.html

-Alan
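The trust resolution described in the message above, as an added example in Rust (not cargo-vet's own code): given a set of audits, a set of auditors you trust, and your dependency list, it reports which dependencies no trusted audit chain covers. It also models cargo-vet's delta audits, where an auditor reviews only the diff between two versions and the chain must bottom out in a full audit. The `Audit` struct, the auditor names and the crate versions are constructed for illustration.

```rust
use std::collections::HashSet;

/// One audit record in the spirit of an audits.toml entry (assumed shape).
/// A full audit covers one version (`from == None`); a delta audit says
/// "I reviewed the changes from `from` to `to`" and relies on `from` being vetted.
#[derive(Clone, Debug)]
pub struct Audit {
    pub who: &'static str,
    pub krate: &'static str,
    pub from: Option<&'static str>,
    pub to: &'static str,
}

/// A version is vetted if a trusted auditor fully audited it, or if a trusted
/// auditor audited a delta ending at it whose starting version is itself vetted.
pub fn is_vetted(
    krate: &str,
    version: &str,
    audits: &[Audit],
    trusted: &HashSet<&str>,
    seen: &mut HashSet<String>,
) -> bool {
    // Guard against a malformed chain of deltas that loops back on itself.
    if !seen.insert(format!("{krate}@{version}")) {
        return false;
    }
    audits
        .iter()
        .filter(|a| a.krate == krate && a.to == version && trusted.contains(a.who))
        .any(|a| match a.from {
            None => true,
            Some(prev) => is_vetted(krate, prev, audits, trusted, seen),
        })
}

/// Report every dependency (crate, version) that no trusted audit chain covers.
pub fn unvetted(deps: &[(&str, &str)], audits: &[Audit], trusted: &HashSet<&str>) -> Vec<String> {
    deps.iter()
        .filter(|(k, v)| !is_vetted(k, v, audits, trusted, &mut HashSet::new()))
        .map(|(k, v)| format!("{k}@{v}"))
        .collect()
}

/// Constructed sample data: two auditors, three dependencies.
pub fn sample_audits() -> Vec<Audit> {
    vec![
        Audit { who: "alice", krate: "serde", from: None, to: "1.0.0" },
        Audit { who: "alice", krate: "serde", from: Some("1.0.0"), to: "1.0.1" },
        Audit { who: "bob", krate: "rand", from: None, to: "0.8.0" },
    ]
}

pub fn sample_deps() -> Vec<(&'static str, &'static str)> {
    vec![("serde", "1.0.1"), ("rand", "0.8.0"), ("libc", "0.2.0")]
}

fn main() {
    // Trusting only alice: serde@1.0.1 is vetted through the 1.0.0 -> 1.0.1 delta,
    // rand@0.8.0 is not (bob is untrusted) and libc@0.2.0 has no audit at all.
    let trusted: HashSet<&str> = HashSet::from(["alice"]);
    println!("{:?}", unvetted(&sample_deps(), &sample_audits(), &trusted));
}
```

Widening the trusted set to include bob clears rand@0.8.0 from the report, which is the "accept an audit from somebody you don't yet trust" step in the message.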