Rust has a HUGE supply chain security problem | Sylvain Kerkour | July 2, 2024 - eviltoast

Sylvain Kerkour writes:

Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.

… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.

As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.

  • cargo imports over 400 crates.

  • crates.io has over 500 transitive dependencies.

…the official libsignal (from the Signal messaging app) uses 500 third-party packages.

… what is really inside these packages. It was found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.

…how I would do it (there may be better ways):

A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.

[stdx packages to include, among others]:

gzip, hex, http, json, net, rand

Read Rust has a HUGE supply chain security problem


Submitter’s note:

I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.
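Two of the points quoted above can be checked mechanically on any repository: how large a crate's transitive dependency closure really is, and whether a set of crates obeys the proposed stdx rule that members import only from std or from each other. The Rust program below is an added example written for this page; it is not code from the post, from the rust-lang project, or from any crate the post names. It parses a constructed Cargo.lock (crate names taken from the post, dependency graph invented), computes the transitive closure for a root package, and lists every dependency edge that leaves a declared closed set. Packages are keyed by name only and the version column is ignored, so a lockfile that pins two versions of one crate would need (name, version) keys.

```rust
use std::collections::{BTreeMap, BTreeSet, VecDeque};
/// A `[[package]]` entry, keyed by name only (a lockfile pinning two versions of one crate needs (name, version) keys).
pub struct Package { pub name: String, pub deps: Vec<String> }

/// Strip a trailing comma and the surrounding double quotes from a TOML string.
fn unquote(s: &str) -> Option<&str> {
    s.trim().trim_end_matches(',').trim().strip_prefix('"')?.strip_suffix('"')
}

/// Entries read `"libc"`, or `"libc 0.2.1"` when two versions coexist; keep the name.
fn dep_name(entry: &str) -> String {
    entry.split_whitespace().next().unwrap_or("").to_string()
}

/// Parse the Cargo.lock subset needed here: `[[package]]` tables with a `name`
/// and an optional `dependencies = [...]` array, single- or multi-line.
pub fn parse_lock(text: &str) -> BTreeMap<String, Package> {
    let mut packages = BTreeMap::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            packages.extend(current.take().map(|p| (p.name.clone(), p)));
            current = Some(Package { name: String::new(), deps: Vec::new() });
            in_deps = false;
            continue;
        }
        let pkg = match current.as_mut() {
            Some(p) => p,
            None => continue, // lines such as `version = 3` before the first package
        };
        if in_deps {
            if line.starts_with(']') { in_deps = false; }
            else if let Some(d) = unquote(line) { pkg.deps.push(dep_name(d)); }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = unquote(v).unwrap_or("").to_string();
        } else if let Some(rest) = line.strip_prefix("dependencies = [") {
            match rest.strip_suffix(']') {
                Some(inline) => pkg.deps.extend(inline.split(',').filter_map(unquote).map(dep_name)),
                None => in_deps = true, // multi-line array, the form cargo writes
            }
        }
    }
    packages.extend(current.map(|p| (p.name.clone(), p)));
    packages
}

/// Every crate reachable from `root` through dependency edges (root itself excluded).
pub fn transitive_deps(packages: &BTreeMap<String, Package>, root: &str) -> BTreeSet<String> {
    let (mut seen, mut queue) = (BTreeSet::new(), VecDeque::from(vec![root.to_string()]));
    while let Some(name) = queue.pop_front() {
        for d in packages.get(&name).map(|p| p.deps.as_slice()).unwrap_or(&[]) {
            if seen.insert(d.clone()) { queue.push_back(d.clone()); }
        }
    }
    seen
}

/// The post's stdx rule: a crate in the closed set may depend only on crates in the
/// closed set. Returns (crate, offending dependency) pairs, sorted by crate name.
pub fn closed_set_violations(packages: &BTreeMap<String, Package>, allowed: &[&str]) -> Vec<(String, String)> {
    let allowed: BTreeSet<&str> = allowed.iter().copied().collect();
    let mut out = Vec::new();
    for p in allowed.iter().filter_map(|n| packages.get(*n)) {
        for d in p.deps.iter().filter(|d| !allowed.contains(d.as_str())) {
            out.push((p.name.clone(), d.clone()));
        }
    }
    out
}

/// Constructed sample lockfile, not from any real project: crate names come from the post, the graph is invented.
pub const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "myapp"
dependencies = [
 "hex",
 "json",
 "reqwest",
]
[[package]]
name = "hex"
[[package]]
name = "json"
dependencies = ["serde"]
[[package]]
name = "serde"
[[package]]
name = "reqwest"
dependencies = ["tokio 1.0.0"]
[[package]]
name = "tokio"
"#;
fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    println!("myapp pulls in transitively: {:?}", transitive_deps(&pkgs, "myapp"));
    println!("stdx-rule violations: {:?}", closed_set_violations(&pkgs, &["hex", "json"]));
}
```

To use it on a real project, replace SAMPLE_LOCK with the contents of its Cargo.lock: the closure size is the number of crates a reviewer actually has to audit, and a non-empty violation list means the closed-set promise is already broken by one of its own members. For real projects `cargo tree` and `cargo metadata` give the same answers; the hand-written parser is here only so the example runs without cargo.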

  • BB_C@programming.dev · 8 points · 4 months ago

    making points that aren’t even particularly that new.

    (putting my Rust historian hat on)

    Even the name stdx[1][2] is not original.

    It was one of multiple attempts to officially or semi-officially present a curated list of crates. Thankfully, all these attempts failed, as the larger community pushed against them, and more relevantly, as the swarm refused to circle around any of them.

    This reminds me of a little-known and long-forgotten demo tool named cargo-esr[1][2]. But it’s not the tool, but the events it was supposedly created as a response to that are worth a historical mention, namely these blog posts[1][2], and the commotion that followed them[1][2][3][4].

    For those who were not around back then, there was an obscure crate named mio, created by an obscure developer named Carl Lerche, that was like the libevent/libuv equivalent for Rust. mio was so obscure I actually knew it existed before Rust even hit v1.0. Carl continued to do more obscure things like tokio, whatever that is.

    So, the argument was that there was absolutely no way whatsoever that one could figure out they needed to depend on mio for a good event loop interface. It was totally an insurmountable task!

    That was the circus, and “no clown left behind” was the mindset, that gave birth to all these std-extending attempts.

    So, let’s fast forward a bit. NTPsec didn’t actually get (re)written in go, and ended up being a trimming, hardening, and improving job on the original C impl. The security improvements were a huge success! Just the odd vulnerability here and there. You know, stuff like NULL dereferences, buffer over-reads, out-of-bounds writes, the kind of semantic errors Rust famously doesn’t protect from 🙂

    To be fair, I’m not aware of any big NTP implementations written in Rust popping up around that time either. But we do finally have the now-funded ntpd-rs effort progressing nicely.

    And on the crates objective metrics front, kornel, of lib.rs fame, started and continues to collect A LOT of them for his service. Although, he and lib.rs are self-admittedly NOT opinion-free.


    DISCLAIMER: I didn’t even visit OP’s link.

    • Anders429@programming.dev · 3 points · 4 months ago

      So, the argument was that there was absolutely no way whatsoever that one could figure out they needed to depend on mio for a good event loop interface. It was totally an insurmountable task!

      You still see this same mindset now with people making things like blessed.rs. It’s the same idea, just not wrapped into a library. I find it hilarious when it gets shared in discussions and some people go “oh wow so helpful!”, as if we all couldn’t have found serde and rand on crates.io without it.