submitted 1 week ago by [email protected] to c/rust
top 3 comments
sorted by: hot top controversial new old
[-] ericjmorey 7 points 1 week ago

I’ve been comparing crates on crates.io against their upstream repositories in an effect to detect (and, ultimately, help prevent) supply chain attacks like the xz backdoor1, where the code published in a package doesn’t match the code in its repository.

The results of these comparisons for the most popular 9992 crates by download count are now available. These come with a bunch of caveats that I’ll get into below, but I hope it’s a useful starting point for discussing code provenance in the Rust ecosystem.

No evidence of malicious activity was detected as part of this work, and approximately 83% of the current versions of these popular crates match their upstream repositories exactly.

[-] BB_C 6 points 1 week ago* (last edited 1 week ago)

Good work.
I don't know if kornel* still lurks here, but I think he did/does related/similar analysis for https://lib.rs.

* @[email protected] / @[email protected]

this post was submitted on 11 Jun 2024
47 points (100.0% liked)


5353 readers
108 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.


[email protected]


  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago