49
submitted 5 months ago by thomask to c/rust@programming.dev
top 3 comments
sorted by: hot top controversial new old
[-] ericjmorey@programming.dev 9 points 5 months ago

I’ve been comparing crates on crates.io against their upstream repositories in an effect to detect (and, ultimately, help prevent) supply chain attacks like the xz backdoor1, where the code published in a package doesn’t match the code in its repository.

The results of these comparisons for the most popular 9992 crates by download count are now available. These come with a bunch of caveats that I’ll get into below, but I hope it’s a useful starting point for discussing code provenance in the Rust ecosystem.

No evidence of malicious activity was detected as part of this work, and approximately 83% of the current versions of these popular crates match their upstream repositories exactly.

[-] BB_C@programming.dev 6 points 5 months ago* (last edited 5 months ago)

Good work.
I don't know if kornel* still lurks here, but I think he did/does related/similar analysis for https://lib.rs.

* @kornel@programming.dev / @kornel@mastodon.social

this post was submitted on 11 Jun 2024
49 points (100.0% liked)

Rust

6046 readers
64 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago
MODERATORS