←back to thread

6 points bflesch | 1 comments | | HN request time: 0.206s | source
1. bflesch ◴[] No.42314400[source]
I think rust security posture can be improved and made more resilient against supply chain attacks.

Currently, random dependencies can do many bad things to your machine, even when just parsing documentation from your source code with `rustdoc`/`cargo doc`.

The rust project states "The threat model of the Rust compiler assumes that the source code of the project and all the dependencies being built is fully trusted".

By simply defining third-party modules as "trusted", they don't reflect realities and risks associated with modern development. This triggered my bs radar, so started collecting more evidence of "weird" rust behavior which has potential security risks for me as a rust user.