I guess one benefit is rust development often doesn't use bleeding edge version for everything, where you pull the entirety of crates.io through your machine when you open your IDE. From what I've seen most projects use == versions and lock files.

I don't know enough about rust though. Could an attacker change historical crate versions to a payload and then cargo pulls them because they changed? Or will cargo only pull an update if you change to a different version on your machine?

[–] Technus@lemmy.zip 5 points 2 days ago

You can't overwrite previously published versions.

Application projects are recommended to check-in the Cargo.lock which pins dependency versions but you can always just run cargo update at any time which automatically upgrades all dependencies to the newest version allowed by the Cargo.toml.

Some projects get around this by pinning the dependency in the Cargo.toml (using =) or by vendoring all their dependencies, which is a huge pain in the ass.

[–] Miaou@jlai.lu 2 points 2 days ago (1 children)

Cargo does not respect lockfiles by default, AFAIK. You need to explicitly pass the --locked flag.

[–] Technus@lemmy.zip 1 points 2 days ago

When you cargo install a binary, it ignores lockfiles. If you clone a project and build it, it respects the Cargo.lock that was checked in.

[–] brucethemoose@lemmy.world 2 points 2 days ago

That sounds better and worse. An attack could persist past one specific version without anyone noticing for a bit.