Rust is not a panacea against vulnerabilities

As a reminder that just using Rust will not solve all problems, a report on the oss-security list led me to

What I found particularly concerning was the following part of the description:

When Rust 1.25.0 and prior is used, Cargo may download the wrong dependency, which could be squatted on to be a malicious package. This not only affects manifests that you write locally yourself, but also manifests published to

I find the idea of malicious crates being able to squat on surprising, but overall it's no different from vulnerabilities in other languages which can by default pull in external code over the internet. Fortunately, most people will have long ago stopped using that version, so I'm just mentioning this for the next time someone posts "use Rust" in a thread.
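One defensive check that follows from the advisory quoted above is to audit the resolved dependency set rather than trust the manifest: a Cargo.lock records, for every package, the source it was fetched from and (for registry packages) a checksum, so a build pipeline can refuse any package whose source is not the registry you expect. The script below is an added example written for this thread, not code from the post or from the Rust project; the lockfile it parses is constructed inline, the crate names, the git URL and the checksum in it are made up, and the minimal `[[package]]` parser it uses is an assumption that covers only the simple `key = "value"` lines of the lockfile format, which is enough for this check. It does not reproduce the specific resolution bug in the quoted advisory; it only shows how to detect a dependency that ended up resolved from somewhere other than the allowed registry.

```python
"""Audit a Cargo.lock for dependencies resolved from unexpected sources.

Added example for the forum post above (not the project's code). Every
[[package]] entry is parsed and any package whose `source` is outside an
allow-list is reported, as is any registry package with no checksum.
"""
import re

# The canonical crates.io index source string as it appears in Cargo.lock.
CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample lockfile: crate names, URL and checksum are made up.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde-ish",
 "helper",
]

[[package]]
name = "serde-ish"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "helper"
version = "0.2.0"
source = "git+https://example.invalid/someone/helper#deadbeef"

[[package]]
name = "nochecksum"
version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Matches simple `key = "value"` lines; list values (dependencies = [...])
# span several lines and are deliberately ignored by this minimal parser.
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"\s*$')


def parse_lockfile(text):
    """Return one dict per [[package]] block, holding its string-valued keys."""
    packages = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
            continue
        if current is None:
            # Top-level keys (e.g. `version = 3`) precede the first package.
            continue
        m = _KV.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    return packages


def audit_lockfile(text, allowed_sources=(CRATES_IO,)):
    """Return findings as (name, version, reason) tuples; empty means clean."""
    findings = []
    for pkg in parse_lockfile(text):
        name, version = pkg.get("name", "?"), pkg.get("version", "?")
        source = pkg.get("source")
        if source is None:
            # No `source` means a path dependency inside the workspace:
            # nothing is fetched over the network for it.
            continue
        if source not in allowed_sources:
            findings.append((name, version, f"unexpected source {source}"))
        elif source.startswith("registry+") and "checksum" not in pkg:
            # A registry package should always carry a checksum so the
            # downloaded archive can be verified against the lockfile.
            findings.append((name, version, "registry package without checksum"))
    return findings


if __name__ == "__main__":
    for name, version, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{name} {version}: {reason}")
```

Run against the constructed lockfile, the script reports `helper` (fetched from a git URL rather than the registry) and `nochecksum` (a registry package with no checksum); the workspace crate `myapp` is skipped because it has no `source`. In a real pipeline you would read the project's own Cargo.lock and extend `allowed_sources` with any private registry or vetted git source the project legitimately uses.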