I’ve been comparing crates on crates.io against their upstream repositories in an effort to detect (and, ultimately, help prevent) supply chain attacks like the xz backdoor1, where the code published in a package doesn’t match the code in its repository.
The results of these comparisons for the most popular 9992 crates by download count are now available. These come with a bunch of caveats that I’ll get into below, but I hope it’s a useful starting point for discussing code provenance in the Rust ecosystem.
No evidence of malicious activity was detected as part of this work, and approximately 83% of the current versions of these popular crates match their upstream repositories exactly.
this post was submitted on 11 Jun 2024
Rust
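For readers who want to reproduce the kind of check the post describes, here is an added example (not code from the post, its author, or the lib.rs comparator linked in the comments). It assumes the `.crate` tarball has already been unpacked into a directory and compares it against a git checkout of the repository. It skips the files that `cargo publish` generates or rewrites (`.cargo_vcs_info.json`, the normalized `Cargo.toml`, `Cargo.lock`) and compares the preserved `Cargo.toml.orig` against the repository's `Cargo.toml` instead. Files present only in the repository are not reported, since `exclude`/`include` in the manifest legitimately drops CI config and tests; the findings that matter are files whose content differs and, as in the xz case, files that exist only in the published package. The fixture it runs on is constructed inline and is not a real crate.

```rust
use std::collections::BTreeMap;
use std::fs;
use std::io;
use std::path::{Path, PathBuf};

/// Files that `cargo publish` generates or rewrites inside the .crate tarball.
/// They never match the repository verbatim, so they are skipped; the author's
/// original manifest is preserved as Cargo.toml.orig and is compared instead.
const CARGO_GENERATED: &[&str] = &[".cargo_vcs_info.json", "Cargo.toml", "Cargo.lock"];

/// Result of comparing an unpacked crate against a repository checkout.
/// Files present only in the repository (CI config, tests excluded from the
/// package via the manifest) are normal and are not reported.
#[derive(Debug, Default, PartialEq)]
pub struct Comparison {
    pub matching: Vec<String>,
    pub modified: Vec<String>,      // same path, different bytes
    pub only_in_crate: Vec<String>, // no counterpart in the repository at all
}

/// Recursively read every file under `root` into a map keyed by its
/// forward-slash relative path, so the two trees can be joined by name.
fn read_tree(root: &Path, rel: &Path, out: &mut BTreeMap<String, Vec<u8>>) -> io::Result<()> {
    for entry in fs::read_dir(root.join(rel))? {
        let entry = entry?;
        let rel_path = rel.join(entry.file_name());
        if entry.file_type()?.is_dir() {
            read_tree(root, &rel_path, out)?;
        } else {
            let key = rel_path.to_string_lossy().replace('\\', "/");
            out.insert(key, fs::read(entry.path())?);
        }
    }
    Ok(())
}

/// Compare an unpacked crate directory against a repository checkout,
/// byte for byte, classifying every packaged file.
pub fn compare_trees(crate_dir: &Path, repo_dir: &Path) -> io::Result<Comparison> {
    let mut crate_files = BTreeMap::new();
    read_tree(crate_dir, Path::new(""), &mut crate_files)?;
    let mut repo_files = BTreeMap::new();
    read_tree(repo_dir, Path::new(""), &mut repo_files)?;

    let mut result = Comparison::default();
    for (path, bytes) in &crate_files {
        if CARGO_GENERATED.contains(&path.as_str()) {
            continue;
        }
        // The crate's Cargo.toml.orig is what the author committed as Cargo.toml.
        let repo_path = if path == "Cargo.toml.orig" { "Cargo.toml" } else { path.as_str() };
        match repo_files.get(repo_path) {
            Some(repo_bytes) if repo_bytes == bytes => result.matching.push(path.clone()),
            Some(_) => result.modified.push(path.clone()),
            None => result.only_in_crate.push(path.clone()),
        }
    }
    Ok(result)
}

/// Constructed fixture (not a real crate): an unpacked package and a checkout
/// that differ in the two ways a reviewer cares about.
pub fn write_fixture(base: &Path) -> io::Result<(PathBuf, PathBuf)> {
    let crate_dir = base.join("crate");
    let repo_dir = base.join("repo");
    let manifest = "[package]\nname = \"demo\"\nversion = \"0.1.0\"\n";
    let files: [(&Path, &str, &str); 10] = [
        (crate_dir.as_path(), ".cargo_vcs_info.json", "{\"git\":{\"sha1\":\"0123abcd\"}}\n"),
        (crate_dir.as_path(), "Cargo.toml", "# THIS FILE IS AUTOMATICALLY GENERATED BY CARGO\n[package]\nname = \"demo\"\n"),
        (crate_dir.as_path(), "Cargo.toml.orig", manifest),
        (crate_dir.as_path(), "src/lib.rs", "pub mod util;\n"),
        (crate_dir.as_path(), "src/util.rs", "pub fn f() {}\npub fn hidden() {}\n"), // edited after checkout
        (crate_dir.as_path(), "build.rs", "fn main() {}\n"),                          // never committed
        (repo_dir.as_path(), "Cargo.toml", manifest),
        (repo_dir.as_path(), "src/lib.rs", "pub mod util;\n"),
        (repo_dir.as_path(), "src/util.rs", "pub fn f() {}\n"),
        (repo_dir.as_path(), ".github/workflows/ci.yml", "on: push\n"),               // excluded from package
    ];
    for &(root, rel, contents) in files.iter() {
        let path = root.join(rel);
        fs::create_dir_all(path.parent().unwrap())?;
        fs::write(path, contents)?;
    }
    Ok((crate_dir, repo_dir))
}

fn main() -> io::Result<()> {
    let base = std::env::temp_dir().join(format!("crate-compare-{}", std::process::id()));
    let (crate_dir, repo_dir) = write_fixture(&base)?;
    let cmp = compare_trees(&crate_dir, &repo_dir)?;
    println!("{:#?}", cmp);
    fs::remove_dir_all(&base)
}
```

On the fixture above, `build.rs` is reported as present only in the package and `src/util.rs` as modified, while `Cargo.toml.orig` and `src/lib.rs` match. A real run still needs the step the post's caveats hint at: picking the right commit to check out (the `sha1` in `.cargo_vcs_info.json` when it is present, otherwise a tag guessed from the version), since comparing against the wrong revision produces mismatches that are not evidence of tampering.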
Good work.
I don't know if kornel* still lurks here, but I think he did/does related/similar analysis for https://lib.rs.
@BB_C Yes, implemented here: https://gitlab.com/lib.rs/main/-/blob/main/tarball/src/comparator.rs?ref_type=heads