upvote

points

by skydhash6 hours ago |
comments
upvoteby bigfatkitten5 hours ago|
next
[-]
You also won’t typically find C/C++ developers blinding yolo’ing the latest version of a dependency from the Internet into their CI/CD pipeline.

They’ll stick with a stable version that has the features they need until they have a good reason to move. That version will be one they’ve decided to ship themselves, or it’ll be provided by someone like Debian or Red Hat.

reply
upvoteby pjmlp4 hours ago|
parent|
[-]
Unless of course they are using vcpkg, conan or FetchContent.

Most corporations are already using the likes of Nexus or JFrog Artifactory, regardless of the programming language.

reply
upvoteby pheggs5 hours ago|
prev|
[-]
yes, the average amount of dependencies used per dependency appears to be much larger in rust and thats what I meant and is worrying me. In theory C can be written in a memory safe manner, and in theory rust can be used without large junks of supply vulnerabilities. both of these are not the case in practice though
reply
upvoteby kibwen4 hours ago|
parent|
next
[-]
> both of these are not the case in practice though

No, people routinely write Rust with no third-party dependencies, and yet people do not routinely write C code that is memory-safe. Your threat model needs re-evaluating. Also keep in mind that the most common dependencies (rand, serde, regex, etc) are literally provided by the Rust project itself, and are no more susceptible to supply chain attacks than the compiler.

reply
upvoteby pheggs3 hours ago|
parent|
next
[-]
I know it's a sensitive topic for a lot of people, but as I said, I love rust. I don't know a lot of rust projects though that don't use any dependencies. In my humble opinion, disregarding the risks of such supply chain attacks is at least as bad as people disregarding the risk of memory unsafe code. But keep in mind, I'm not saying don't use rust.
reply
upvoteby mamma_mia3 hours ago|
parent|
prev|
[-]
mamma mia! one day anyhow and anyerror will be backdoored it's inevitable
reply
upvoteby dbdr4 hours ago|
parent|
prev|
[-]
One difference is that it's an incredibly hard problem to check whether your C code is memory safe since every single line of your code is a risk. On the other hand, it's easy to at least assess where your supply vulnerabilities lie (read Cargo.toml), and you can enforce your policy of choice (e.g. whitelist a few specific dependencies only, vendor them, etc).
reply
upvoteby pheggs3 hours ago|
parent|
[-]
I would argue that almost all major rust projects use dependencies. Checking the dependencies for vulnerabilities might be just as difficult as checking C code for memory safety, maybe even worse, because dependencies have dependencies and the amount of code to be checked can easily sky rocket. The problem gets even worse if you consider that not all rust code is safe, and that C libraries can be included and so on
reply