tiflolinux.org - GNU Social

  1. Ludovic Courtès (civodul@toot.aquilenet.fr)'s status on Sunday, 19-Jun-2022 15:16:06 CEST

    “Vetting the cargo”
    https://lwn.net/SubscriberLink/897435/397298883e41ef8d/

    “There are many ways to improve confidence in the security of a chunk of code. Writing that code in a memory-safe language is one such way […] But more than that is required and, in the end, there is no substitute for simply looking at the code and understanding what it does. […]

    The cargo vet mechanism, built into Rust's Cargo dependency manager and build system, is meant to help with the task.”

    #SupplyChainSecurity #Rust

    🧵

    In conversation Sunday, 19-Jun-2022 15:16:06 CEST from toot.aquilenet.fr

    Attachments

    1. Vetting the cargo
      Modern language environments make it easy to discover and incorporate externally written libraries into a program. These same mechanisms can also make it easy to inadvertently incorporate security vulnerabilities or overtly malicious code, which is rather less gratifying. The stream of resulting vulnerabilities seems like it will never end, and it afflicts relatively safe languages like Rust just as much as any other language. In an effort to avoid the embarrassment that comes with shipping vulnerabilities (or worse) by way of its dependencies, the Mozilla project has come up with a new supply-chain management tool known as "cargo vet".


    tiflolinux.org - GNU Social is a social network, courtesy of tiflolinux.org. It runs on GNU social, version 2.0.1-beta0, available under the GNU Affero General Public License.

    All tiflolinux.org - GNU Social content and data are available under the Creative Commons Attribution 3.0 license.