Re: The Case for Rust (in the base system)

From: Alan Somers <asomers_at_freebsd.org>
Date: Mon, 22 Jan 2024 19:03:00 UTC
On Mon, Jan 22, 2024 at 11:17 AM Matthias Andree <mandree@freebsd.org> wrote:
>
>
> Do Rust proponents audit what all the indirect dependencies' codes do
> before referencing them?  Or are there bodies that tell us what
> libraries are safe, when the base language can't dance?

Supply-chain attacks are a serious problem for any language that makes
it easy to pull in external dependencies.  Rust, Python, NPM, etc.
"Never use external dependencies", aka "Reinvent the wheel", is a
pretty poor solution.  The Rust community has come up with an
interesting solution: cargo-vet [1] (and in an earlier incarnation,
cargo-crev).  It's basically a distributed audit process.  Any
developer can audit a crate to give his personal stamp of approval.
And then any other developer can specify whose audits he is willing to
trust.  The cargo-vet tool will tell you whether your project has any
dependencies that haven't been audited by a trusted auditor.  If so,
it provides a UI that you can use to either audit it yourself, or
accept an audit from somebody you don't yet trust.

It takes some work to use, and it's still somewhat immature.  But I
think all security-conscious companies will have to move in this
direction eventually.

[1] https://mozilla.github.io/cargo-vet/index.html

-Alan
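The trust model Alan describes (anyone can record an audit; you choose whose audits count; the tool reports dependencies no trusted audit covers) is small enough to model directly. The Rust below is an added illustration, not cargo-vet's own code: it keeps the two audit shapes cargo-vet actually records, a full audit of one version and a delta audit between two versions, and treats a crate version as vetted only if a trusted full audit reaches it through a chain of trusted delta audits. The file format is simplified (real cargo-vet stores audits as TOML in supply-chain/audits.toml), criteria such as safe-to-deploy, exemptions and remote imports are left out, and every crate, version and auditor address is constructed sample data.

```rust
use std::collections::{HashSet, VecDeque};

/// One entry of the kind a developer records when certifying a crate.
#[derive(Debug, Clone, Copy)]
enum AuditKind {
    /// The auditor reviewed this entire version.
    Full(&'static str),
    /// The auditor reviewed only the diff from one version to the next.
    Delta { from: &'static str, to: &'static str },
}

#[derive(Debug, Clone, Copy)]
struct Audit {
    crate_name: &'static str,
    who: &'static str,
    kind: AuditKind,
}

/// A version is vetted when a full audit by a trusted auditor reaches it,
/// directly or via delta audits that are all by trusted auditors.
/// Audits by anyone outside `trusted` are ignored, which is the whole point.
fn is_vetted(audits: &[Audit], trusted: &HashSet<&str>, crate_name: &str, version: &str) -> bool {
    let usable: Vec<Audit> = audits
        .iter()
        .copied()
        .filter(|a| a.crate_name == crate_name && trusted.contains(a.who))
        .collect();
    let mut seen: HashSet<&str> = HashSet::new();
    let mut queue: VecDeque<&str> = VecDeque::new();
    // Every trusted full audit is a starting point for a chain.
    for a in &usable {
        if let AuditKind::Full(v) = a.kind {
            if seen.insert(v) {
                queue.push_back(v);
            }
        }
    }
    // Breadth-first walk along trusted delta audits.
    while let Some(v) = queue.pop_front() {
        if v == version {
            return true;
        }
        for a in &usable {
            if let AuditKind::Delta { from, to } = a.kind {
                if from == v && seen.insert(to) {
                    queue.push_back(to);
                }
            }
        }
    }
    false
}

/// Every lockfile entry that no trusted audit chain covers.
fn unvetted<'a>(
    lockfile: &[(&'a str, &'a str)],
    audits: &[Audit],
    trusted: &HashSet<&str>,
) -> Vec<(&'a str, &'a str)> {
    lockfile
        .iter()
        .copied()
        .filter(|&(name, ver)| !is_vetted(audits, trusted, name, ver))
        .collect()
}

/// Constructed sample Cargo.lock contents (hypothetical versions).
fn sample_lockfile() -> Vec<(&'static str, &'static str)> {
    vec![("serde", "1.0.190"), ("libc", "0.2.150"), ("leftpad", "0.1.0")]
}

/// Constructed sample audits from three hypothetical auditors.
fn sample_audits() -> Vec<Audit> {
    vec![
        Audit { crate_name: "serde", who: "alice@example.com", kind: AuditKind::Full("1.0.185") },
        Audit { crate_name: "serde", who: "alice@example.com", kind: AuditKind::Delta { from: "1.0.185", to: "1.0.190" } },
        Audit { crate_name: "libc", who: "bob@example.com", kind: AuditKind::Full("0.2.150") },
        // A delta audit whose base was never fully audited by anyone trusted is worthless.
        Audit { crate_name: "leftpad", who: "bob@example.com", kind: AuditKind::Delta { from: "0.0.9", to: "0.1.0" } },
        Audit { crate_name: "leftpad", who: "carol@example.com", kind: AuditKind::Full("0.1.0") },
    ]
}

fn main() {
    let lock = sample_lockfile();
    let audits = sample_audits();
    let trusted: HashSet<&str> = ["alice@example.com", "bob@example.com"].iter().copied().collect();
    for (name, ver) in unvetted(&lock, &audits, &trusted) {
        println!("{} {}: no audit by a trusted auditor; audit it yourself or trust someone who did", name, ver);
    }
}
```

With alice and bob trusted, serde passes through alice's delta chain and libc through bob's full audit, while leftpad is flagged: bob's delta has no trusted base under it and carol is not yet trusted. Adding carol to the trusted set clears the report, which is the "accept an audit from somebody you don't yet trust" step in the text.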