item 41299265

cfreksen | 1 year ago

It seems like that will change in the (near) future according to the following GitHub issue [0]. A quote from one of the developers, rami3l, in that thread [1]:

> My current plan is indeed to remove implicit installations entirely.

[0]: https://github.com/rust-lang/rustup/issues/3635

[1]: https://github.com/rust-lang/rustup/issues/3635#issuecomment...

sestep | 1 year ago

Oh sad! Dang I actually really liked the feature, it's super convenient for keeping developer environments in sync. I left a comment in that thread asking for clarification.

thesuperbigfrog | 1 year ago

>> Oh sad! Dang I actually really liked the feature, it's super convenient for keeping developer environments in sync. I left a comment in that thread asking for clarification.

Here is a slightly contrived, but realistic example of why it is a bad idea:

1) Attacker discovers vulnerability in an older version of the Rust toolchain
2) Attacker creates useful crate and helps it to get widely adopted or becomes trusted contributor to a crate that is already popular
3) Attacker creates and publishes crate changes with exploit code and rust-toolchain.toml to trigger use of older, vulnerable Rust toolchain
4) Unsuspecting developers build the trapped crate or something that depends on it and get owned

Installing toolchains automatically without the user's consent or permission is a supply chain attack in waiting for both Rust and Go.

Perhaps they could make it a configuration setting that developers could opt-in? That would let developers who want automatic toolchain installs to have it and others who do not want it (or whose employers will not allow it) to not have it.
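A pre-build check of the kind this post argues for, as an added example that is neither code from the thread nor rustup's own: it reads the channel a repository's rust-toolchain.toml (or legacy one-line rust-toolchain file) requests and reports whether building would pull a toolchain that is not already installed or that is older than a policy floor. The sample file contents, the installed-toolchain set and the version floor are constructed for the demonstration.

```python
"""Pre-build audit of the toolchain a repository requests via rust-toolchain.toml."""
import re
from typing import Optional, Set, Tuple

# Constructed sample: a rust-toolchain.toml pinning an old toolchain.
SAMPLE_TOOLCHAIN_TOML = """\
[toolchain]
channel = "1.70.0"
components = ["rustfmt"]
"""

# Constructed sample: channels already installed on the build host
# (host-triple suffixes such as -x86_64-unknown-linux-gnu already stripped).
INSTALLED: Set[str] = {"stable", "1.77.2", "nightly-2024-05-01"}

# Hypothetical policy floor: refuse pinned versions older than this.
MIN_VERSION = (1, 77, 0)

_CHANNEL_RE = re.compile(r'^\s*channel\s*=\s*"([^"]+)"', re.MULTILINE)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def requested_channel(text: str) -> Optional[str]:
    """Channel from a rust-toolchain.toml, or from a legacy one-line rust-toolchain file."""
    m = _CHANNEL_RE.search(text)
    if m:
        return m.group(1).strip()
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) == 1 and not lines[0].startswith("["):
        return lines[0]  # legacy format: the whole file is the toolchain name
    return None


def audit(text: str, installed: Set[str] = INSTALLED,
          min_version: Tuple[int, int, int] = MIN_VERSION) -> Tuple[str, str]:
    """Return (verdict, reason); verdicts: ok, below-floor, implicit-install, unparsed."""
    chan = requested_channel(text)
    if chan is None:
        return "unparsed", "no channel found; inspect the file by hand"
    ver = _VERSION_RE.match(chan)
    if ver:
        parts = tuple(int(g) if g else 0 for g in ver.groups())
        if parts < min_version:
            return "below-floor", f"{chan} is older than the policy minimum"
    # Exact match only: a request for "1.77" is a different toolchain name from
    # "1.77.2" to rustup, so a near miss is still treated as a download.
    if chan in installed:
        return "ok", f"{chan} is already installed"
    return "implicit-install", f"{chan} is not installed; the build would fetch it"
```

Run `audit()` over the file before `cargo build` in CI and fail the job on anything but `ok`; a `below-floor` or `implicit-install` verdict is exactly the step 3 trigger described above, surfaced before it does anything.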