Hey!

I’m a professional software engineer with several years of experience using Rust. Unfortunately I don’t really have the time to contribute to Lemmy directly myself, but I love teaching other people Rust so if:

  • You are curious about Rust and why you should even learn it
  • You are trying to learn Rust but maybe having a hard time
  • You are wondering where to start
  • You ran into some specific issue

… or anything to do with Rust really, then feel free to ask in the comments or shoot me a PM 🙂

  • thericcer@reddthat.com
    link
    fedilink
    English
    arrow-up
    3
    ·
    7 months ago

    I’ve been wanting to write rust for quite some time, but I can’t get over crates. The system just seems insecure to me. What happens in 10 years when the servers go down? Is there any sort of mitigation for supply chain attacks? As I understand it anyone can submit code; what’s stopping someone from putting malicious code into a crate I’ve been using?

    I suppose these are risks for any third party package system though.

    I’ve used Flutter infrequently and have experienced things like this with their package system.

    • SorteKaninOPA
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      I’ve been wanting to write rust for quite some time, but I can’t get over crates. The system just seems insecure to me.

      You’re not the only one with this concern but it is essentially how modern package management works, not just for Rust but all modern programming languages.

      What happens in 10 years when the servers go down?

      While I don’t think that would happen, there are ways to avoid this. You can host your own registry and mirror the crates.io crates, if you want.

      Is there any sort of mitigation for supply chain attacks?

      Whenever you have dependencies, you obviously need to either trust them or vet them. If the package is popular enough and the author is reliable enough, then you can choose to trust it. It really depends on what kind of risk you’re willing to take on.

      As I understand it anyone can submit code; what’s stopping someone from putting malicious code into a crate I’ve been using?

      In principal nothing. Again, if you have dependencies, you need to vet them. This isn’t really a Rust problem, it’s just a general problem with depending on other people’s code. You would still have this problem even if you manually downloaded external pieces of code from other people instead of via cargo.

      In practice, there is a team managing crates.io and I believe they do look for malware or malicious crates (like crates with names very similar to popular crates that attempt to trick people into downloading due to a typo in the name).

      But yes, this isn’t really a problem with Rust specifically. I will say that the popular crates in the Rust ecosystem are generally very high quality and I have a fair bit of trust for them myself. Unless you are a big company that needs to carefully vet your dependencies, I wouldn’t worry too much.

      • thericcer@reddthat.com
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        Thanks for your detailed input, I’m glad to hear that there is a team that does look out for things at crates.io, and that I can host my own registry.