Rust Without Crates.io

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • cargo-crev

    A cryptographically verifiable code review system for the cargo (Rust) package manager.

    The main problem the author is talking about is actually about version updates, which in Maven as well as crates.io is up to each lib's author, and is not curated in any way.

    There's no technical solution to that, really. Do you think Nexus Firewall can pick up every exploit, or even most? How confident of that are you, and what data do you have to back that up? I don't have any myself, but would not be surprised at all if "hackers" can easily work around their scanning.

    However, I don't have a better approach than using scanning tools like Nexus, or, as the author proposes, using a curated library repository like Debian does (which hopefully gets enough eyeballs to remain secure) or the https://github.com/crev-dev/cargo-crev project (manually reviewed code) also mentioned. It's interesting that they mention C/C++ just relying on distros providing dynamic libs instead, which means you don't even control your dependencies' versions, some distro does (how reliable is the distro?)... I wonder if that could work for other languages or if it's just as painful as it looks in the C world.

  • crates.io

    The Rust package registry

    Your trust in crates.io extends to their authentication, which is subcontracted to GitHub (and only GitHub), so Microsoft. Debian? Microsoft? ... that's a tricky one.

    https://github.com/rust-lang/crates.io/issues/326

  • nixpkgs

    Nix Packages collection & NixOS

    #! nix-shell -I https://github.com/NixOS/nixpkgs/archive/4ecab3273592f27479a583fb6d975d4aba3486fe.tar.gz

  • packj

    Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply chain

    Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

    1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

  • sandfs.github.io

    Sandboxing File System

NOTE: The number of mentions on this list indicates mentions on common posts plus user suggested alternatives. Hence, a higher number means a more popular project.


Related posts

  • A Study of Malicious Code in PyPI Ecosystem

    4 projects | news.ycombinator.com | 8 Sep 2023
  • greater supply chain attack risk due to large dependency trees?

    11 projects | /r/rust | 4 Jan 2023
  • No, you cannot trust third party code without reading it first

    2 projects | news.ycombinator.com | 11 Aug 2022
  • Rust Library Team Aspirations | Inside Rust Blog

    6 projects | /r/rust | 21 Apr 2022
  • What precautions does the crates registry have against malicious supply chain attacks?

    5 projects | /r/rust | 20 Mar 2022

Did you know that Rust is
the 5th most popular programming language
based on number of mentions?