Re: Git haas gone wild (Rust)

From: Alan Somers <asomers_at_freebsd.org>
Date: Mon, 08 Sep 2025 14:40:55 UTC
On Mon, Sep 8, 2025 at 7:57 AM Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:

> Chris Torek writes:
>
> > > ... some projects are composed of 100 different components downloaded
> > > live from god knows which mitm'ed mirror and compromised repo with no
> > > sha512 taken of anything
> > >
> > > js seems to be king in that. but also go
> >
> > Both Go and Rust have mechanisms to deal with security issues here.
>
> They only protect (somewhat) against the security issues that can
> arise during transmission.
>
> They provide no protection against the far more common risk, that
> one or more dependencies amongst the far too many, are supplied by
> hostile entities who are more than capable of decorating their
> malware with the cryptographic stickers required to pass the
> mechanisms you mention.
>

You should check out cargo-vet.  It's designed to solve just that problem.
It's basically a platform for people to collaboratively audit their
dependencies for security risks.  The great part is that it's got an easy
adoption path.  When you turn it on for a repository, it only requires you
to audit new dependencies (the adoption burden would be just too high if
you had to audit old ones too).  And you can elect to trust other people's
audits to a greater or lesser degree, depending on your personal level of
paranoia.  I've already found one bug with this tool.

https://mozilla.github.io/cargo-vet/
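To make the three ideas in the post concrete (full audits plus delta audits chain together to cover a version, imported audits from sources you choose to trust count too, and pre-existing dependencies are carried as exemptions rather than audited), here is a small Python resolver that re-implements that lookup over constructed data. It is an added illustration, not cargo-vet's own code and not from the thread; the dictionaries mirror the shape of `[[audits.<crate>]]` and `[[exemptions.<crate>]]` entries in a `supply-chain/` directory, but the crate names, versions and auditor names are made up, and the criteria implication table (`safe-to-deploy` implies `safe-to-run`) is the one cargo-vet documents.

```python
"""Toy cargo-vet style dependency vetting resolver (added example, not cargo-vet code)."""
from collections import deque

# cargo-vet's built-in criteria: a safe-to-deploy audit also satisfies safe-to-run.
IMPLIES = {
    "safe-to-deploy": {"safe-to-deploy", "safe-to-run"},
    "safe-to-run": {"safe-to-run"},
}

# Constructed sample data; same shape as entries in supply-chain/audits.toml.
# A "version" entry is a full audit; a "delta" entry certifies only the diff.
OWN_AUDITS = {
    "serde": [
        {"who": "me", "criteria": "safe-to-deploy", "version": "1.0.100"},
        {"who": "me", "criteria": "safe-to-deploy", "delta": "1.0.100 -> 1.0.130"},
    ],
}

# Constructed sample of audits pulled from other projects' [imports.<name>] tables.
IMPORTED_AUDITS = {
    "mozilla": {
        "serde": [{"who": "auditor@example", "criteria": "safe-to-deploy",
                   "delta": "1.0.130 -> 1.0.150"}],
        "rand": [{"who": "auditor@example", "criteria": "safe-to-run",
                  "version": "0.8.5"}],
    },
}

# Constructed sample exemptions: dependencies that pre-date adoption of vetting.
EXEMPTIONS = {
    "left-pad-rs": [{"version": "0.1.0", "criteria": "safe-to-deploy"}],
}


def satisfies(audit_criteria, wanted):
    """True if an audit made against `audit_criteria` covers the `wanted` criteria."""
    return wanted in IMPLIES.get(audit_criteria, {audit_criteria})


def is_vetted(crate, version, wanted, own=OWN_AUDITS, imports=IMPORTED_AUDITS,
              trusted=frozenset(), exemptions=EXEMPTIONS):
    """Return (ok, reason) for one dependency.

    ok is True when `version` is reachable from a full audit via delta audits
    (own audits plus audits imported from the sources named in `trusted`), or
    when an exemption for exactly that version exists.
    """
    entries = list(own.get(crate, []))
    for source in trusted:
        entries += imports.get(source, {}).get(crate, [])
    usable = [e for e in entries if satisfies(e["criteria"], wanted)]

    roots = {e["version"] for e in usable if "version" in e}
    deltas = {}
    for e in usable:
        if "delta" in e:
            src, dst = (s.strip() for s in e["delta"].split("->"))
            deltas.setdefault(src, set()).add(dst)

    # Breadth-first walk from fully audited versions along delta edges.
    seen, queue = set(roots), deque(roots)
    while queue:
        current = queue.popleft()
        if current == version:
            return True, "audit chain"
        for nxt in deltas.get(current, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)

    for ex in exemptions.get(crate, []):
        if ex["version"] == version and satisfies(ex["criteria"], wanted):
            return True, "exemption"
    return False, "unaudited"


def vet(deps, wanted="safe-to-deploy", trusted=frozenset()):
    """Return the list of (crate, version) pairs that fail vetting."""
    return [(c, v) for c, v in deps if not is_vetted(c, v, wanted, trusted=trusted)[0]]


if __name__ == "__main__":
    # Constructed lockfile excerpt: name and resolved version per dependency.
    deps = [("serde", "1.0.150"), ("rand", "0.8.5"),
            ("left-pad-rs", "0.1.0"), ("unknown-crate", "2.0.0")]
    for name in (frozenset(), frozenset({"mozilla"})):
        print(f"trusting {sorted(name) or 'nobody'}: failures = {vet(deps, trusted=name)}")
```

Run as a script it shows how widening the trusted-import set shrinks the failure list: with no imports trusted, `serde 1.0.150` fails because the local delta chain stops at 1.0.130; trusting the constructed `mozilla` source closes the gap. `rand` still fails at `safe-to-deploy` because its imported audit was only made to `safe-to-run`, and the unknown crate fails under every setting.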