Rust

5888 readers

88 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

[email protected]

Credits

The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago

MODERATORS

[email protected]

crates.io Postmortem: User Uploaded Malware (blog.rust-lang.org)

submitted 1 year ago by [email protected] to c/[email protected]

8 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 1 points 1 year ago (1 children)

Also, do you know anybody who has solved it in opensource?

I forgot to mention that this is a problem on every major language registry - especially PyPI and NPM.

How would you enforce the solution on some dude writing code in his basement to "just make it work" on his 1 day off from an otherwise busy life?

There are two things to consider. The first is that all major open source languages are run by foundations with big players and a lot of funding and donations. It's probably a good idea to invest in a paid team dedicated to security. I'm sure everyone's thought about it already but hasn't done enough so far.

The second fact is that professionals - especially security companies - do occasionally report them. Like this story, for instance. So they are doing something right and it's possible. It's a good idea to fund them and increase their scope (hopefully, they won't introduce any malware just to claim the prize).

[–] [email protected] 2 points 1 year ago (1 children)

I’m sure everyone’s thought about it already but hasn’t done enough so far.

Note though that the rust foundation has established a security initiative (see e.g. here), which does include the supply chain via crates.io.

[–] [email protected] 1 points 1 year ago

Thanks! I missed that one. They are awesome!