estimated audit backlog: 67560 lines
I started learning Rust. Worried about trusting all the various code that gets pulled in from the interwebs to compile the first example project in the book (which depends only on “rand” to get random numbers, which requires 8 different libraries), I installed “cargo vet” so that I’d at least know about it if I accidentally added things that haven’t been vetted by anyone at all.
Doing this installed a further 200 crates, with no indication as to whether they have themselves been vetted by anyone or not, and tells me that half the ones I already had just from adding “rand” have not been vetted by anyone.
Anyway, I’m learning Rust.
This user wanted to audit the dependencies of cargo vet, which is not shipped to an end user. It is part of your toolchain in the same way your OS is. One might assume the Linux or BSD kernel has been audited; it is not reasonable to assume the UI stack has because it’s open source. It is equally unreasonable to assume the Windows anything has been audited. It is only slightly reasonable to assume parts of macOS have been audited.

You’re only partially correct. If you are not securing the environment in which you code, your code is vulnerable to supply chain attacks. The chances are incredibly low, of course, but nonzero. You also can’t get away with, say, running your editor in a read-only image that only mounts your code, because that read-only image could be exfiltrating your data.
Edit: here’s a great example from this year; while the exploit came from a package, the attack vector was social engineering. Job postings and related files are a common entry point outside of dev tools.