Grayblock / grayblock-rs

Full-stack Rust monorepo for all projects at Grayblock Power
https://www.grayblockpower.com

Security Tooling #5

Open cryptoquick opened 2 years ago

cryptoquick commented 2 years ago

I've grown increasingly concerned with supply chain attacks, which Rust is still vulnerable to, as is pretty much any other growing software ecosystem.

For this reason, we should invest some time in adopting tools that will help us analyze and communicate supply chain issues. Fortunately, Rust provides many such tools:

Each of these tools should be integrated into our Makefile, under a directive called make secure, and the outputs of running each of these tools should be directed to a folder called security/reports that can be used to version the outputs of those tools. This should then be run should we choose to upgrade our dependencies, which, while run manually, should still be done often to evergreen the codebase.

Config files for these tools should also be kept in security/config. Also a README.md should be added to the root security folder, explaining the purpose of these tools and reports.

Also, take care to not name the Makefile directive the same as the folder. This will result in unexpected behavior.
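Added example of the layout described in this issue (not code from the grayblock-rs repository): a `secure` directive that writes each tool's output under security/reports and reads its config from security/config. The tool choice (cargo-audit and cargo-deny) and their flags are assumptions, since the issue's own tool list is not on the page; `SHELL := /bin/bash` is needed for `pipefail`.

```makefile
# Added example, not part of grayblock-rs. Assumes cargo-audit and cargo-deny
# are installed (cargo install cargo-audit cargo-deny); check each tool's
# --help for the exact flags of the version you run.
SHELL      := /bin/bash
REPORT_DIR := security/reports
CONFIG_DIR := security/config

# The directive is `secure`, not `security`: a target whose name matches an
# existing directory is treated as already "up to date" by make and silently
# runs nothing. .PHONY keeps every directive here from being mistaken for a file.
.PHONY: secure audit deny

secure: audit deny
	@echo "reports written to $(REPORT_DIR); review and commit them with the dependency upgrade"

# Order-only prerequisite (after the |): create the reports folder once,
# without rebuilding the reports every time its timestamp changes.
$(REPORT_DIR):
	mkdir -p $(REPORT_DIR)

# Known-vulnerability check of Cargo.lock against the RustSec advisory database.
# tee keeps the console output and the versioned report identical; pipefail makes
# the target fail when the tool fails, not only when tee does.
audit: | $(REPORT_DIR)
	set -o pipefail; cargo audit --json | tee $(REPORT_DIR)/audit.json

# Licence, duplicate-version, crate-source and advisory policy from the
# versioned config file rather than the default deny.toml in the repo root.
deny: | $(REPORT_DIR)
	set -o pipefail; cargo deny check --config $(CONFIG_DIR)/deny.toml 2>&1 | tee $(REPORT_DIR)/deny.txt
```

Run `make secure` after a dependency upgrade and commit the changed files under security/reports together with Cargo.lock, so the report diff documents what the upgrade changed.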

cryptoquick commented 2 years ago

For an overview on Rust supply chain attacks, see: https://kerkour.com/rust-crate-backdoor/