
Vetting 3rd party crates for supply-chain-security issues #128047

Open
@kornelski

Description

@kornelski

The Cargo.lock file is updated by many contributors, sometimes a bot?, and there's no record of the 3rd party dependencies having their code reviewed.

This seems risky to me, given how big an impact the 3rd party code could have on the compiler and all downstream Rust users. The crates in the lockfile have many owners, some of which are not members of the rust-lang org. If any of the crates had malware, it could attack rust-lang org infrastructure, computers of core developers, etc. This doesn't require malice from any of the people involved — it could also happen due to other security issues like a leak of an auth token, or one of the crate owners having their machine infected with malware.

Metadata


Assignees

No one assigned

Labels

- A-security: Area: Security (example: address space layout randomization).
- C-enhancement: Category: An issue proposing an enhancement or a PR with one.
- T-bootstrap: Relevant to the bootstrap subteam: Rust's build system (x.py and src/bootstrap).
- T-infra: Relevant to the infrastructure team, which will review and decide on the PR/issue.
