AndrewGaspar | 2 years ago

People like to key on proc macros specifically as scary, but this is basically true of any dependency you take. In fact, run time dependencies will often have _higher_ levels of privilege (e.g. access to production data sets). If you can't trust the dependency at build time, you sure as hell shouldn't trust it at run time.

I think the right thing happened here - the community audited for malicious crates, and action was taken to remove them. I do wish crates.io would be more aggressive about proactively removing instances of typo-squatting, though.

littlestymaar|2 years ago

> In fact, run time dependencies will often have _higher_ levels of privilege (e.g. access to production data sets). If you can't trust the dependency at build time, you sure as hell shouldn't trust it at run time.

The threat model with build-time exploitation and run-time exploitation is different, but in the general case, I'd rate build-time higher than run-time, because at build time you have access to the entire developer machine, including the ability to have run-time impacts on every project the dev has access to (including ones that are more critical than the first one to be corrupted) or to impersonate the developer themselves in social engineering attacks against the company's management, for instance.

estebank|2 years ago

`cargo test` and `cargo run` are just as scary as proc-macros and build.rs files. The only difference is that these last two can be executed automatically by rust-analyzer when opening a project, but that should be something to be tackled by the UI (VSCode should ask on first load "these are the set of proc-macros/build files that will be executed, do you want to proceed?").
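
The prompt suggested in the comment above needs a list of the packages that run code at build time. One way to derive it from saved `cargo metadata --format-version 1` output, as an added example that is not part of the thread; the package names and versions in the sample are constructed, and `build_time_code` is a hypothetical helper name.

```python
import json
import sys

# Target kinds that cargo compiles and executes on the build host.
BUILD_TIME_KINDS = {"custom-build", "proc-macro"}

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample, shaped like `cargo metadata --format-version 1` output.
SAMPLE = {"packages": [
    {"name": "app", "version": "0.1.0", "source": None,
     "targets": [{"kind": ["bin"], "name": "app"},
                 {"kind": ["custom-build"], "name": "build-script-build"}]},
    {"name": "example-derive", "version": "1.2.3", "source": REGISTRY,
     "targets": [{"kind": ["proc-macro"], "name": "example_derive"}]},
    {"name": "example-sys", "version": "0.4.0", "source": REGISTRY,
     "targets": [{"kind": ["lib"], "name": "example_sys"},
                 {"kind": ["custom-build"], "name": "build-script-build"}]},
    {"name": "example-util", "version": "2.0.0", "source": REGISTRY,
     "targets": [{"kind": ["lib"], "name": "example_util"}]},
]}


def build_time_code(metadata):
    """Return (name, version, origin, kinds) for packages with a build script or proc macro."""
    found = []
    for pkg in metadata.get("packages", []):
        kinds = {k for t in pkg.get("targets", []) for k in t.get("kind", [])}
        hits = sorted(kinds & BUILD_TIME_KINDS)
        if hits:
            # `source` is null for workspace/path packages, a registry or git URL otherwise.
            origin = "local" if pkg.get("source") is None else "external"
            found.append((pkg["name"], pkg["version"], origin, hits))
    return sorted(found)


def main(argv):
    # Optional argument: a file holding saved `cargo metadata` JSON; default is the sample.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            metadata = json.load(fh)
    else:
        metadata = SAMPLE
    for name, version, origin, hits in build_time_code(metadata):
        print(f"{name} {version} [{origin}]: {', '.join(hits)}")


if __name__ == "__main__":
    main(sys.argv)
```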