carnet
A Tool for Sandboxing Cargo and Buildscripts (by kutometa)
| | carnet | bad_actor_poc |
|---|---|---|
| Mentions | 7 | 12 |
| Stars | 78 | 324 |
| Growth | - | - |
| Activity | 1.0 | 0.0 |
| Last commit | over 3 years ago | over 3 years ago |
| Language | Shell | Rust |
| License | - | MIT License |
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
carnet
Posts with mentions or reviews of carnet. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-03-18.
- C Isn't A Programming Language Anymore - Faultlore
  These kinds of problems affect all software in all programming languages. At the end of the day, you have to have your build process and testing sandboxed if you can't afford to review every dependency update. Companies who have strict policies about this can host their own internal Crates.io mirror so internal projects can only rely on audited crates. For Rust, Carnet is a wrapper for Cargo which sandboxes builds with bubblewrap on Linux.
- todo-or-die!
  (Shameless plug) I wrote carnet exactly for this reason. It's a small bash script that isolates cargo using namespaces/cgroups. It can't normalize system time (yet?) but I always use it when I work with Rust.
- Carnet: A tool for sandboxing Rust's cargo and buildscripts
- Carnet: A Tool for Sandboxing Cargo and Buildscripts
- Carnet: A tool for applying strict security measures to Rust's package manager
bad_actor_poc
Posts with mentions or reviews of bad_actor_poc. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2022-07-06.
- Why is `const fn` different from other “const” things?
  I'm not suggesting people in this thread are wrong, but working for a security company gives a slightly different perspective. For example, there's really nothing stopping a rogue crate from exporting your private keys, just by using VS Code. I wasn't thinking about this when I helped write that proposal, though.
- Did somebody play around with macros yet?
- todo-or-die!
  Having fewer tools that can do things like https://github.com/lucky/bad_actor_poc is a relief.
- Workspace Trust in VS Code
  Code execution that may not be so obvious could be the preLaunchTask that runs before starting the app and can run a build that has an extra task executing arbitrary code unrelated to the build. What about the npm module that steals your crypto wallet private keys? Make a simple edit and a malicious linter is loaded from the node_modules folder, instead of the one that is installed globally. Even reading the code can be deceptive: attackers can use Unicode hacks to hide malicious code in plain sight. Heck, you don't even have to open any source code to be owned.
- lucky/bad_actor_poc - Stealing secrets with Rust Macros proof-of-concept via VSCode: This shows a trivial example of exfiltrating secrets just by the developer opening up the source
- Visual Studio Code May 2021
- Carnet: A Tool for Sandboxing Cargo and Buildscripts
  https://github.com/lucky/bad_actor_poc is one example
- Fixated on end-user security, FOSS developers neglect their own...
  It turns out that because Rust can execute code at compile time, simply opening a Rust source file in an editor with code completion support can cause a virus to be installed on my computer. Apparently I can't trust anything but basic text editors anymore...
- Using Rust Macros to exfiltrate secrets
What are some alternatives?
When comparing carnet and bad_actor_poc you can also consider the following projects:
moveit
language - Design of the Dart language
todo_or_die - Write TODOs in code that ensure you actually do them
code-it-later-rs - Filter crumbs you left in comments of code to remind where you were
seed7 - Source code of Seed7
xous-core - The Xous microkernel
macro_prototype - A very basic prototype of macros using build_runner
rust-template - A project template for setting up new Rust 2021 Edition projects with cargo-make/rustfmt/rust-clippy.
security - Embargoed security issues that will be made public after a fix is made available. Use https://github.com/nim-lang/security/security
const-eval - home for proposals in and around compile-time function evaluation