| 1 |
On Thu, Jun 22, 2017 at 11:30 AM, Nils Freydank <nils.freydank@××××××.de> wrote: |
| 2 |
> Am Donnerstag, 22. Juni 2017, 16:41:54 CEST schrieb R0b0t1: |
| 3 |
>> [other quote] |
| 4 |
>> This is kind of troubling because much like Cabal it seems like the |
| 5 |
>> Rust package management system is insecure. Does the Firefox build |
| 6 |
>> process make use of it? |
| 7 |
> |
| 8 |
> Could you please specify what in your eyes is insecure in rust’s pm? |
| 9 |
> -- |
| 10 |
> GPG fingerprint: '00EF D31F 1B60 D5DB ADB8 31C1 C0EC E696 0E54 475B' |
| 11 |
> Nils Freydank |
| 12 |
|
| 13 |
I spent the most time looking at Cabal (Haskell's package manager) and |
| 14 |
so as far as code-related specifics go I have the best references in |
| 15 |
relation to it. I admit Rust may be different and that I haven't had a |
| 16 |
great deal of time to look at it, but I have seen this pattern in a |
| 17 |
few language-specific package managers to date. |
| 18 |
|
| 19 |
The gist of it is that the package managers are typically designed to |
| 20 |
download and run unsigned code as root. Releases are not signed and |
| 21 |
code may be fetched over plain HTTP. This is something even Windows |
| 22 |
doesn't let you do by default now. |
| 23 |
|
| 24 |
My research on Rust's crate system reached a point a while ago where I |
| 25 |
think I need a developer to chime in on it. |
Archives