this post was submitted on 17 Dec 2025
21 points (95.7% liked)
Rust
you are viewing a single comment's thread
That's different to developing software. As a developer you are in large part responsible for ensuring that your software doesn't compromise your users' security. It's reasonable to not want to distribute software that may contain malware or just shitty code that is full of vulnerabilities or bugs.
This user wanted to audit the dependencies of cargo vet, which is not shipped to an end user. It is part of your toolchain in the same way your OS is. One might assume the Linux or BSD kernel has been audited; it is not reasonable to assume the UI stack has because it's open source. It is equally unreasonable to assume the Windows anything has been audited. It is only slightly reasonable to assume parts of macOS have been audited.

You're only partially correct. If you are not securing the environment in which you code, your code is vulnerable to supply chain attacks. The chances are incredibly low, of course, but nonzero. You also can't get away with, say, running your editor in a read-only image that only mounts your code, because that read-only image could be exfiltrating your data.
Edit: here's a great example from this year; while the exploit came from a package, the attack vector was social engineering. Job postings and related files are a common entry point outside of dev tools.
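As an added example (not code from the thread, from cargo-vet, or from the Rust project), here is the kind of first-pass inventory an auditor runs over a lockfile before deciding what actually needs vetting: it parses the `[[package]]` tables of a Cargo.lock and reports every dependency that is not pinned to a crates.io checksum, i.e. git, path or alternate-registry sources and registry entries whose checksum is missing. The sample lockfile, its checksum values and the git URL are constructed placeholders, and the `CRATES_IO` constant is the index URL Cargo writes for crates.io packages.

```rust
// Minimal Cargo.lock inventory check. Parses only the scalar keys of each
// [[package]] table; the `dependencies = [...]` arrays are skipped.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,   // None for workspace members
    pub checksum: Option<String>, // present for registry packages only
}

/// Source string Cargo writes for packages fetched from crates.io.
pub const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    Local,            // workspace member, nothing is downloaded
    Pinned,           // crates.io package with a checksum
    MissingChecksum,  // crates.io package without one: lockfile edited by hand?
    Unpinned(String), // git / path / other registry: no checksum to verify
}

pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let mut cur: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = cur.take() { pkgs.push(p); }
            cur = Some(Package { name: String::new(), version: String::new(), source: None, checksum: None });
            continue;
        }
        // Any other table header (e.g. [metadata]) ends the current package.
        if line.starts_with('[') {
            if let Some(p) = cur.take() { pkgs.push(p); }
            continue;
        }
        let Some(p) = cur.as_mut() else { continue };
        // split_once on the first '=' keeps '=' inside git query strings intact.
        let Some((key, val)) = line.split_once('=') else { continue };
        let val = val.trim().trim_matches('"').to_string();
        match key.trim() {
            "name" => p.name = val,
            "version" => p.version = val,
            "source" => p.source = Some(val),
            "checksum" => p.checksum = Some(val),
            _ => {}
        }
    }
    if let Some(p) = cur { pkgs.push(p); }
    pkgs
}

pub fn classify(p: &Package) -> Finding {
    match (&p.source, &p.checksum) {
        (None, _) => Finding::Local,
        (Some(s), Some(_)) if s == CRATES_IO => Finding::Pinned,
        (Some(s), None) if s == CRATES_IO => Finding::MissingChecksum,
        (Some(s), _) => Finding::Unpinned(s.clone()),
    }
}

/// Everything a human should look at before trusting the build.
pub fn needs_review(pkgs: &[Package]) -> Vec<(String, Finding)> {
    pkgs.iter()
        .filter_map(|p| match classify(p) {
            Finding::Local | Finding::Pinned => None,
            f => Some((format!("{} {}", p.name, p.version), f)),
        })
        .collect()
}

/// Constructed sample lockfile; checksums and the git URL are placeholders.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "libc",
 "serde",
 "helper",
]

[[package]]
name = "libc"
version = "0.2.150"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "serde"
version = "1.0.193"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "helper"
version = "0.3.0"
source = "git+https://example.invalid/helper.git?branch=main#0123456789abcdef"
"#;

fn main() {
    for (id, finding) in needs_review(&parse_lock(SAMPLE_LOCK)) {
        println!("{id}: {finding:?}");
    }
}
```

Run against a real Cargo.lock, the `Unpinned` entries are the ones a registry checksum cannot protect (a git dependency is whatever that branch points at today, and a branch can be force-pushed), and a `MissingChecksum` on a crates.io entry means the lockfile no longer matches what Cargo would have generated.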