Supply chain nightmare: How Rust will be attacked and what we can do to mitigate the inevitable

An essential part of being able to say "I told you so" is in fact having told you so. Well, here we are.
— by @pingooio

💥 https://kerkour.com/rust-supply-chain-nightmare

#hacking #rust #rustlang #nightmare #attack #inevitable #coding #axios #supplychain

An essential part of being able to say "I told you so" is in fact having told you so. Well, here we are. For those living under a rock (lucky

Sylvain Kerkour

@kubikpixel @pingooio

I've long touted the opinion that I like Rust as a language, but absolutely loathe Cargo for its supply chain implications.

Adding dependencies should be an inconvenient process, to make people reluctant to pull in half the universe.

@kubikpixel @pingooio

My wish would be that crates.io gets namespaces. As in: <pubkeyfingerprint>/cratename
Crates must be signed with the respective key to become accepted. That won't initially help against compromised keys, but it would be a base to build upon:
* A Web of Trust, ideally active so keys can be revoked/untrusted pretty fast.
* A resolver which maps 'nicks', 'domain.names' and 'email@addresses' to keys: `cehteh/unsynn` maps to `<base64fingerprint>/unsynn`