Re: Git haas gone wild (Rust)
- Reply: Alan Somers : "Re: Git haas gone wild (Rust)"
- Reply: Sulev-Madis Silber : "Re: Git haas gone wild (Rust)"
- In reply to: Chris Torek : "Re: Git haas gone wild (Rust)"
Date: Mon, 08 Sep 2025 13:57:34 UTC
Chris Torek writes:
> > ... some projects are composed of 100 different components downloaded live
> > from god knows which mitm'ed mirror and compromised repo with no sha512
> > taken of anything
> >
> > js seems to be king in that. but also go
> >
>
> Both Go and Rust have mechanisms to deal with security issues here.

They only protect (somewhat) against the security issues that can arise during transmission.

They provide no protection against the far more common risk, that one or more dependencies amongst the far too many, are supplied by hostile entities who are more than capable of decorating their malware with the cryptographic stickers required to pass the mechanisms you mention.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
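Added example, not part of the thread: a Python reimplementation of the `h1:` directory hash that Go records in go.sum, run over a constructed module, to show the distinction phk draws. A change made in transit breaks verification, while a hostile version published upstream is recorded and verified exactly like any other release; the module name, version and file contents are made up for the demonstration.

```python
import base64
import hashlib

def hash1(files):
    """Compute a go.sum-style 'h1:' hash over {path: content_bytes}.

    Mirrors the dirhash Hash1 scheme used by go.sum: one line per file,
    "<sha256 hex>  <path>\n", sorted by path, then SHA-256 of that summary,
    base64-encoded and prefixed with "h1:".
    """
    summary = "".join(
        f"{hashlib.sha256(content).hexdigest()}  {path}\n"
        for path, content in sorted(files.items())
    )
    digest = hashlib.sha256(summary.encode()).digest()
    return "h1:" + base64.b64encode(digest).decode()

def verify(recorded_hash, files):
    """True iff the fetched files match the hash recorded in go.sum."""
    return hash1(files) == recorded_hash

# Constructed sample module (not a real module), as first recorded in go.sum.
MODULE = "example.com/dep@v1.0.0"
ORIGINAL = {
    f"{MODULE}/go.mod": b"module example.com/dep\n\ngo 1.22\n",
    f"{MODULE}/dep.go": b'package dep\n\nfunc Greet() string { return "hi" }\n',
}
RECORDED = hash1(ORIGINAL)

# Case 1: a mirror alters the archive in transit; the hash no longer matches.
TAMPERED_IN_TRANSIT = dict(ORIGINAL)
TAMPERED_IN_TRANSIT[f"{MODULE}/dep.go"] += b"// injected by a bad mirror\n"

# Case 2: the upstream author publishes a hostile version; go.sum records its
# hash exactly like any other release, so the check passes.
HOSTILE_UPSTREAM = dict(ORIGINAL)
HOSTILE_UPSTREAM[f"{MODULE}/dep.go"] = (
    b'package dep\n\nfunc init() { println("hostile code would run here") }\n'
)
RECORDED_HOSTILE = hash1(HOSTILE_UPSTREAM)

def demo():
    """Outcome of go.sum verification in each scenario."""
    return {
        "original_verifies": verify(RECORDED, ORIGINAL),
        "transit_tamper_verifies": verify(RECORDED, TAMPERED_IN_TRANSIT),
        "hostile_upstream_verifies": verify(RECORDED_HOSTILE, HOSTILE_UPSTREAM),
    }
```

The checksum database the Go toolchain consults adds only consistency (everyone sees the same hash for a version), so it does not change the second outcome either.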