crates.io Postmortem: User Uploaded Malware
crates.io Postmortem: User Uploaded Malware
Want to follow along with Rust development? Curious how you might get involved? Take a look!
This could be improved by follow what
nixdoes: pull all dependencies first and then execute the build in a container or namespace without any access to the network.That can be done. But how do you trust a software at runtime if it can't be trusted at build time?
This is more of a supply chain issue. Users are likely to build only reputed crates. However, their dependencies may not be that reputed. For example, malicious actors may buy out a common and deeply buried dependency and use that to propagate malware (this regularly happens with browser extensions - even open source ones). How do we ensure that this doesn't happen?
That's a big question and would require more effort than the maintainers of crates.io could probably muster. Also, do you know anybody who has solved it in opensource? How would you enforce the solution on some dude writing code in his basement to "just make it work" on his 1 day off from an otherwise busy life?
This had to happen. Most build-scripts could run on wasm, and the others should have to be manually approved before being executed
Misuse/Overuse of the word "federated" is apparently all the rage in 2023.