Comment by lesuorac

7 days ago

I mean somebody could make a singular rust dependency that re-packages all of the language team's packages.

But what's the threat model here. Does it matter that the Rust STD library doesn't expose, say, "Regex" functionality, forcing you to depend on Regex [1], which is also written by the same people who write the STD library [2]? Like if they wanted to add a backdoor into Regex they could add a backdoor into Vec. Personally I like the idea of having a very small STD library so that it's focused (as well as if they need to do something then it has to be allowed by the language, unlike say Go Generics or Elm).

Personally I think there's just some willful blindness going on here. You should never have been blindly trusting a giant binary blob from the std library. Instead you should have been vendoring your dependencies and at that point it doesn't matter if it's 100 crates totaling 100k LOC or a singular STD library totaling 100k LOC; it's the same amount to review (if not less because the crates can only interact along `pub` boundaries).

[1]: https://docs.rs/regex/latest/regex/

[2]: https://github.com/rust-lang/regex

> I mean somebody could make a singular rust dependency that re-packages all of the language team's packages.

That's not the requirement though! Curation isn't about packaging, it's about independent (!) audit/test/integration/validation paths that provide a backstop to the upstream maintainers going bonkers.

> But what's the threat model here.

A repeat of the xz-utils fiasco, more or less precisely. This was a successful supply chain attack that was stopped because the downstream Debian folks noticed some odd performance numbers and started digging.

There's no Debian equivalent in the soup of Cargo dependencies. That mistake has bitten NPM repeatedly already, and the reckoning is coming for Rust too.

  • > A repeat of the xz-utils fiasco

    Wasn't that a suspected state actor? Against that threat model your best course of action is a prayer and some incense.

    Notably, xz utils didn't use any package manager ala NPM and it relied on package management by hand.

    > because the downstream Debian folks

    Not sure what you mean by this, but this was discovered by a Postgres dev running bleeding edge Debian. No Debian package maintainer noticed this.

    > There's no Debian equivalent

    How would Debian approach help? Not even their maintainers could sniff this one.

    There exists a sort of extended std library of Rust dep. But no one is using it.

    • > Wasn't that a suspected state actor? Against that threat model your best course of action is a prayer and some incense.

      No? They caught it! But they did so because the software had extensive downstream (!) integration and validation sitting between the users and authors. xz-utils pushed backdoored software, but Fedora and Debian picked it up only in rawhide/testing and found the issue.

      > Notably, xz utils didn't use any package manager ala NPM and it relied on package management by hand.

      With all respect, this is an awfully obtuse take. The problem isn't the "package manager", it's (and I was explicit about this) the lack of curation.

      It's true that xz-utils didn't use NPM. The point is that NPM's lack of curation is, from a security standpoint, isomorphic to not having any packaging regime at all, and equally dangerous.

      > a Postgres dev running bleeding edge Debian

      Exactly. Not sure how you think this makes the point different. Everything in Debian is volunteer, the fact that people do other stuff is a bonus. Point is the Debian community is immunized against malicious software because everyone is working on validation downstream of the authors.

      No one does that for NPM. There is no Cargo Rawhide or NPM Testing operated by attested organizations where new software gets quarantined and validated. If the malicious authors of your upstream dependencies want you to run backdoored software, then that's what you're going to run.

  • Isn't xz-utils exactly why you would want a lot of dependencies over a singular one?

    If, say, Serde gets compromised, then only the projects depending on that version of Serde are, as opposed to if Serde was part of the std library, then every Rust program is compromised.

    > That mistake has bitten NPM repeatedly already, and the reckoning is coming for Rust too.

    Eh, the only thing that's coming is that using software expressly without a warranty (expectedly) will mean that software will cause you problems at an unknown time.