Sos Sosowski

5 days ago

Sos Sosowski
5 days ago

Just tried building a rust project using cargo and it started pulling and building 385 dependency packages without any confirmation prompt. This is insane and super not secure. How are rust devs ok with this?

EDIT: to make it clear, my problem is that it didn't stop for confirmation. This is not ok. I thought NPM was bad but this is insane.

#rust #rustlang

This entry was edited (5 days ago)

in reply to Sos Sosowski

Bubu

in reply to Sos Sosowski 5 days ago

Lot's of discussion about this here: users.rust-lang.org/t/yet-anot…

I didn't know it was so bad 😔.

Yet another npm supply-chain attack. Is Cargo any safer?

Yet another npm account has been compromised with malicious code. Sadly, it isn't the first time. So far I've never heard of a similar attack against crates.io . But is that because crates.

^{The Rust Programming Language Forum}

in reply to Bubu

Sos Sosowski

in reply to Bubu 5 days ago

@Bubu These guys will come up with anything before letting cargo ask for consent.

@Bubu

in reply to Sos Sosowski

Bubu

in reply to Sos Sosowski 5 days ago

I don't see how you could meaningfully consent to this though?

You either just blanket accept "yes, do your thing, trust all these 400 external packages" or you are back to reviewing them one-by-one. Am I missing something?