Comparing Rust supply chain safety tools

submitted by Style Pass, 2022-05-14 20:00:05

Rust makes it easy to add dependencies to your project: edit your Cargo.toml (or use cargo add to have it changed for you from the command line), and you get to use the crate. But do you know what you’ve added to your project? Are you sure you can trust those lines of code?

Of course, some developers won’t bother to find out. After all, if a crate is in wide use, what are the chances it’s doing something fishy? As it turns out, there’s ample precedent for that.

In the JavaScript world, a popular npm library was hijacked from the original maintainer and subverted for presumably criminal purposes. Nowadays, researchers count the number of compromised or otherwise malicious packages in the thousands.

Even when there’s no ill will, libraries can contain weaknesses — the recent Log4Shell debacle gave many Java system maintainers sleepless nights.

But what can we do as developers? Sticking our collective heads in the sand is a recipe for disaster. Checking your entire dependency tree with your own eyes is too costly for all but the most security-sensitive projects.
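To make the "do you know what you've added?" question concrete, here is an added example (not code from the post or from any of the tools it compares) that reads a Cargo.lock, walks the dependency graph from the root crate, and reports how many crates were pulled in directly versus transitively, plus which ones carry no registry checksum and so need to be trusted some other way. It assumes the lockfile v3 layout (`[[package]]` tables with `name`, `version`, `source`, `checksum`, `dependencies`) and parses only that subset with the standard library; the embedded lockfile, its versions and its checksum strings are constructed for the example.

```rust
use std::collections::{BTreeSet, VecDeque};

/// One `[[package]]` table from Cargo.lock (only the fields this check needs).
#[derive(Debug, Default, Clone)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,
    pub checksum: Option<String>,
    /// Raw entries as written: "name" or "name version" when the name is ambiguous.
    pub dependencies: Vec<String>,
}

#[derive(Debug, Default)]
pub struct Report {
    pub direct: usize,
    pub transitive: usize,
    /// Reachable crates with no registry checksum (git or path sources).
    pub unverifiable: Vec<String>,
}

fn unquote(s: &str) -> String {
    s.trim().trim_end_matches(',').trim_matches('"').to_string()
}

/// Minimal parser for the lockfile v3 subset: `[[package]]` tables, scalar
/// `key = "value"` lines, and single- or multi-line `dependencies` arrays.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() { packages.push(p); }
            current = Some(Package::default());
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() { Some(p) => p, None => continue }; // skip header
        if in_deps {
            if line.starts_with(']') { in_deps = false; }
            else if !line.is_empty() { pkg.dependencies.push(unquote(line)); }
            continue;
        }
        if let Some((key, value)) = line.split_once('=') {
            let value = value.trim();
            match key.trim() {
                "name" => pkg.name = unquote(value),
                "version" => pkg.version = unquote(value),
                "source" => pkg.source = Some(unquote(value)),
                "checksum" => pkg.checksum = Some(unquote(value)),
                "dependencies" if value.ends_with(']') => {
                    for d in value.trim_matches(|c: char| c == '[' || c == ']').split(',') {
                        let d = unquote(d);
                        if !d.is_empty() { pkg.dependencies.push(d); }
                    }
                }
                "dependencies" => in_deps = true,
                _ => {}
            }
        }
    }
    if let Some(p) = current { packages.push(p); }
    packages
}

/// Resolve a dependency entry ("name" or "name version") to its package table.
fn resolve<'a>(packages: &'a [Package], dep: &str) -> Option<&'a Package> {
    let mut parts = dep.split_whitespace();
    let name = parts.next()?;
    let version = parts.next();
    packages.iter().find(|p| p.name == name && version.map_or(true, |v| p.version == v))
}

/// Breadth-first walk from `root`, counting everything that ends up compiled in.
pub fn audit(packages: &[Package], root: &str) -> Option<Report> {
    let root_pkg = resolve(packages, root)?;
    let mut queue: VecDeque<&Package> = root_pkg
        .dependencies.iter().filter_map(|d| resolve(packages, d)).collect();
    let direct = queue.len();
    let mut seen: BTreeSet<(String, String)> = BTreeSet::new();
    let mut unverifiable = Vec::new();
    while let Some(p) = queue.pop_front() {
        if !seen.insert((p.name.clone(), p.version.clone())) { continue; }
        if p.checksum.is_none() { unverifiable.push(format!("{} {}", p.name, p.version)); }
        queue.extend(p.dependencies.iter().filter_map(|d| resolve(packages, d)));
    }
    Some(Report { direct, transitive: seen.len() - direct, unverifiable })
}

/// Constructed sample lockfile: crate names are real, versions/checksums are not.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "tinylib",
]

[[package]]
name = "serde"
version = "1.0.136"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"
dependencies = ["serde_derive"]

[[package]]
name = "serde_derive"
version = "1.0.136"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"
dependencies = ["proc-macro2", "quote", "syn"]

[[package]]
name = "proc-macro2"
version = "1.0.36"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"
dependencies = ["unicode-ident"]

[[package]]
name = "quote"
version = "1.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"
dependencies = ["proc-macro2"]

[[package]]
name = "syn"
version = "1.0.86"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"
dependencies = ["proc-macro2", "quote", "unicode-ident"]

[[package]]
name = "unicode-ident"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "PLACEHOLDER_CHECKSUM_NOT_REAL"

[[package]]
name = "tinylib"
version = "0.2.0"
source = "git+https://example.invalid/tinylib#0123abcd"
"#;

fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    match audit(&pkgs, "myapp") {
        Some(r) => {
            println!("direct: {}, transitive: {}", r.direct, r.transitive);
            for u in &r.unverifiable { println!("no registry checksum: {}", u); }
        }
        None => eprintln!("root package not found"),
    }
}
```

Two dependency lines in Cargo.toml turn into seven crates in the build here, and one of them (the git dependency) has no crates.io checksum, so `cargo` pins it only by commit: that is the part of the tree an automated tool cannot vouch for on its own and the part to read, vendor or pin deliberately. Pointing the same walk at a real lockfile gives the count the article's "too costly to read it all" argument rests on.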