Programs in Rust (or almost every other language) normally have fewer dependencies by 2 or 3 orders of magnitude.

And that number tends to reduce even more when the ecosystem matures.

reply
Supply chain attacks are available to every language and framework that uses dependencies or modules you don’t control.
reply
Rust doesn’t have post install scripts
reply
There is build.rs, proc macros are unsandboxed, and lastly you install the binary so that you can run it. Even if the build and install were fully sandboxed, the binary could still do malicious stuff if run.
reply
Even without a post-install script, a malicious payload could be hiding in some function and just wait until the developer invokes `cargo run`. Not that many people audit the crates they pull into their projects.
reply
Yeah no shit, if you download malicious code from the internet and run it on your computer you will get pwned. No matter if it’s from a package manager, a zip file or a submodule.

However the current npm vulns used a post install script.

reply
It has build.rs that will run as soon as you compile the dependency. That's not the same thing but pretty close to a post install script: it's very likely to run.
reply
It has build.rs, which has essentially the same problems.
reply
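Several comments above point out that a Rust dependency can run code during `cargo build` through a build script (build.rs, or whatever `build = "..."` names in Cargo.toml) or through a proc-macro crate, neither of which is sandboxed. The check below is an added example, not code from any commenter or from cargo itself: it walks a `cargo vendor` style directory, applies cargo's own rules for whether a build script exists (`build = false` disables it, an explicit `build = "path"` names it, otherwise a build.rs in the package root is used implicitly), and reports every crate that executes code at build time so a reviewer knows which crates deserve a closer look. The crate names and manifests are constructed for the demo, and the tiny TOML reader only handles the `[table]`, string and boolean syntax this check needs.

```python
"""List dependencies that can execute code at build time.

Added illustration for the thread above; the sample crates are constructed,
not real packages. Two mechanisms are checked:
  - a build script (build.rs, or the file named by `build = "..."`)
  - a proc-macro library (`[lib] proc-macro = true`)
"""
import re
import tempfile
from pathlib import Path

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_KEYVAL = re.compile(r"^([A-Za-z0-9_-]+)\s*=\s*(.+)$")


def parse_minimal_toml(text):
    """Tiny TOML subset reader: [tables], quoted strings and booleans.
    Sufficient for the [package] and [lib] keys used here; a '#' inside a
    quoted value is not handled, which is fine for the constructed input."""
    tables = {}
    table = tables.setdefault("", {})
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            table = tables.setdefault(m.group(1).strip(), {})
            continue
        m = _KEYVAL.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if val in ("true", "false"):
            table[key] = val == "true"
        elif len(val) >= 2 and val[0] == val[-1] and val[0] in "\"'":
            table[key] = val[1:-1]
        else:
            table[key] = val
    return tables


def build_time_code(crate_dir):
    """Describe how one crate can run code during `cargo build`.
    Mirrors cargo's rules: `build = false` disables the script, `build = "x"`
    names it, otherwise a build.rs in the package root is picked up implicitly.
    A proc-macro crate runs inside the compiler for every downstream crate."""
    crate_dir = Path(crate_dir)
    manifest = parse_minimal_toml((crate_dir / "Cargo.toml").read_text())
    package = manifest.get("package", {})
    lib = manifest.get("lib", {})
    build = package.get("build")
    if build is False:
        script = None
    elif isinstance(build, str):
        script = build
    elif (crate_dir / "build.rs").is_file():
        script = "build.rs"
    else:
        script = None
    return {
        "name": package.get("name", crate_dir.name),
        "build_script": script,
        "proc_macro": bool(lib.get("proc-macro", False)),
    }


def scan_vendor_dir(vendor_dir):
    """Return only the crates under vendor_dir that run code at build time."""
    findings = []
    for entry in sorted(Path(vendor_dir).iterdir()):
        if (entry / "Cargo.toml").is_file():
            info = build_time_code(entry)
            if info["build_script"] or info["proc_macro"]:
                findings.append(info)
    return findings


# Constructed sample crates (hypothetical names, not real packages).
SAMPLE_CRATES = {
    "quiet-crate": {"Cargo.toml": '[package]\nname = "quiet-crate"\nversion = "0.1.0"\n'},
    "native-sys": {"Cargo.toml": '[package]\nname = "native-sys"\nversion = "0.1.0"\n',
                   "build.rs": "fn main() {}\n"},
    "derive-thing": {"Cargo.toml": '[package]\nname = "derive-thing"\nversion = "0.1.0"\n\n'
                                   "[lib]\nproc-macro = true\n"},
    "explicit-build": {"Cargo.toml": '[package]\nname = "explicit-build"\nversion = "0.1.0"\n'
                                     'build = "scripts/gen.rs"\n'},
    "opted-out": {"Cargo.toml": '[package]\nname = "opted-out"\nversion = "0.1.0"\nbuild = false\n',
                  "build.rs": "fn main() {}\n"},
}


def write_sample_vendor(root):
    """Materialise the constructed crates as files so the scanner can run."""
    for crate, files in SAMPLE_CRATES.items():
        for rel, content in files.items():
            path = Path(root) / crate / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_text(content)


def demo():
    """Scan the constructed vendor tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_vendor(tmp)
        return scan_vendor_dir(tmp)


if __name__ == "__main__":
    for f in demo():
        how = "proc-macro" if f["proc_macro"] else f"build script {f['build_script']}"
        print(f"{f['name']}: runs code at build time via {how}")
```

On a real project the same scan would be pointed at the output of `cargo vendor`; `quiet-crate` and `opted-out` are absent from the result because neither can run anything at build time, while the proc-macro crate and both build-script crates are listed. As the thread notes, this only narrows the audit: a crate with no build-time code can still carry a payload that runs once the binary does.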