On Thu, Jun 22, 2017 at 11:30 AM, Nils Freydank <nils.freydank@××××××.de> wrote:
> On Thursday, 22 June 2017, 16:41:54 CEST, R0b0t1 wrote:
>> [other quote]
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>
> Could you please specify what in your eyes is insecure in Rust's pm?
> --
> GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B'
> Nils Freydank

I spent the most time looking at Cabal (Haskell's package manager) and
so as far as code-related specifics go I have the best references in
relation to it. I admit Rust may be different and that I haven't had a
great deal of time to look at it, but I have seen this pattern in a
few language-specific package managers to date.

The gist of it is that the package managers are typically designed to
download and run unsigned code as root. Releases are not signed and
code may be fetched over plain HTTP. This is something even Windows
doesn't let you do by default now.

My research on Rust's crate system reached a point a while ago where I
think I need a developer to chime in on it.