rust-guide icon indicating copy to clipboard operation
rust-guide copied to clipboard

Published 20 hours ago verified publisher icon ANSSI-FR

03 Libraries other crate sources

Open xd009642 opened this issue 5 years ago • 1 comments
trafficstars

The libraries, known as crates in the Rust ecosystem, are imported from the open-source components central repository crates.io.

This isn't always true, alternate registries can be set up https://doc.rust-lang.org/cargo/reference/registries.html as well as git urls or relative paths to dependencies in workspaces. When using Rust in industry I've personally prohibited using git urls as dependencies and any libraries not created internally need to use crates.io as the registry. I don't know if you want to adopt those same rules or something else but it's probably worth deciding

xd009642 avatar Aug 06 '20 13:08 xd009642

We're definitely missing something there. But I am not sure a general ban of Git is the way. One could argue that pointing to a Git commit is more secure than pointing to a vague version in a crate registry. See the recent "attack" on NPM & Pypi.

I think the rule should read something like every crate included in a secure development must be identified with the complete and precise version.

polazarus avatar May 07 '21 07:05 polazarus