Weird how this random thread came back to life, just to rehash some talking points.
See my comments here and here.
In a recent analysis, Adam Harvey found that among the 999 most popular crates on crates.io, around 17% contained code that do not match their code repository.
If you followed the link, you would have seen that nothing actually fishy was found, unlike the implication.
Cargo and crates are basically just as bad as npm, just less popular, which is why they haven’t been hit yet… And it’s currently very difficult to build rust programs without cargo.
The number of actual supply chain attacks actually effecting anybody in the crates.io ecosystem is ZERO. In npm, it’s a weekly occurrence.
less popular
Rust cleared the critical mass and critical relevance milestone years ago. Most people can run desktops without npm or local js code. This is increasingly unfeasible for rust components. And yet, nothing happened. And that’s not a coincidence (read linked threads). That doesn’t mean nothing will ever happen. Nothing is fully fail-safe. But the talking points themselves are completely false.
Also, I would like to see you explain how cargo itself is a problem. It’s a build tool that is not tied to crates.io. You can use different registries, repos, and even full vendoring with it (which you can switch to with one command, and it will just work). But I can’t wait to hear your explanation 🙂. Examples of tools that do it better, with an explanation why would also be appreciated 🙂.
Stable linux distributions have extremely strong supply chain security in comparison to language specific package managers.
This myth is discussed extensively in the linked threads at the start of this comment, especially the second one.
Debian, for example, was not affected by the xz utils backdoor, due to it’s policy of only doing cherry picked security patches, and ignoring feature or bugfixes for the most part.
Also covered in the linked threads. But let’s address specifics.
- Debian unstable/sid (the rolling branch) was affected. Debian is not special.
- Debian stable was unaffected because it runs multi-year old packages. This specific attack was discovered early, so they were spared. Other upstream-controlled attacks could target projected-to-be-stable upstream versions, and remove the compromised part later, reversing that effect (depending on who would discover the malicious code, and what are they testing looking at).
- The stable distro model is broken. Distro developers are not better than upstreams at judging upstream code. Many non-security tagged bugs can become security ones. And out-of-date(ness) itself can have adverse affects in other ways. This was always been known/realized by people who know the reality of the situation. But nowadays, “AI” security scanners had a complete mockery of the stable distro model “security” claims.
- Debian’s willy-nilly “security” patching in particular, lead to multiple scandals in the past. This is not all theoretical. One day half the internet had to re-issue SSL certs/keys because of the mythical Debian super security. And on that subject, do you know what distro wasn’t affected by the specific xz attack, despite actually shipping the compromised xz version? It’s Arch. Why? Because they didn’t patch systemd with xz support thinking they can outsmart an upstream.
- Distros pull from upstreams anyway (code has to exist somewhere),
crates.ioincluded. So they inherently can’t have better supply chain security than upstreams at the code level, unless you’re also a believer in the popular myth "they review and vet everything ". Some distros may have good/better build security practices. But that’s about it.
I would prefer Java if you cared strongly about supply chain security
What makes you think JAVA or its ecosystem(s) are unique or immune from any of this?
And here the myth shows its head. No one is actually “vetting” 10s of thousand of packages, to a meaningful degree.
And all distros have rolling channels and testing channels, so the every X years part is mythical itself.
In the case of Debian, when is the mythical vetting taking place exactly? Whenever a Debian unstable/sid package gets updated? That’s a rolling repo.
Or is it when world is frozen, and the unvetted packages which lived happily in “unstable” and “testing” will now magically get vetted on their way to “stable”, in a few months (not six years as you imagined).
You clearly lack basic knowledge about what actually goes on in a distro release cycle.
You missed the point.
crates.iois a source registry. Debian ships binary packages (yes, including rust ones).Where do you think Debian gets source packages for C or C++ from? Did you think they get them in the (physical) mailbox? 🎅
As for dynamic linking, the “security” argument for it has been discussed and debunked. You can search the web for discussions regarding that. Most arguments for
.sohas been debunked, in fact.Nothing is “automatic” when it comes to distro maintenance. Much more so when an upstream doesn’t give a f*** about helping you patch your X years old version. If Red Hat, Canonical, …etc wasn’t actively paying developers to do maintenance, Debian wouldn’t exist as it is. But even then, that only covers a very small fraction of core packages.
Pinning and vendoring are orthogonal.
The original talking points were about source supply chains. But people like you seem to confuse concerns across multiple chains from the individual upstream dev to the binary distro repo mirror.
Pinning is actually the only way to actually (almost*) guarantee that built code would work correctly. What distros sell you is “should work” and “API looks compatible” and “this patch hopefully doesn’t break the interface”.
And more ironically, why distros do is global pinning, so the problem is apparently not pinning itself, but upstreams choosing the pinning themselves, right? right?
“But they don’t fully pin… security updates smth smth”
Good. Let’s continue…
Good.
The next best thing to pinning is semver-compatible updates.
Now you have an example where you will see that to “fix all CVEs”, you need to run the total of TWO whopping commands.
You ran the first command already. The second is
cargo update(orcargo update <only_audit_mentioned_packages>if you want to be more precise.cargo updateonly does semver-compatible updates, as released, authorized, and supported by the upstreams, whose knowledge of the code and its interfaces infinitely trumps your random distro maintainer doing raw patching. This is how a coherent competent ecosystem operates.Some of what the distros do is actually not far away from this. If you looked close enough, you will find that it’s not rare for a stated “frozen” version to be a complete lie, with distro patches effectively updating the distro source package to a later patch, or sometimes even minor version, without changing the version number.
But of course, they wouldn’t tell you about any of that, because the myths must live on 😉.
While not completely misplaced, your confidence is inspiring 🙂.