Vetting the Cargo

This sounds a lot like cargo-crev but without off-line cryptographic signatures, a significant downgrade in my view.<p>Edit: Yep: <a href="https:&#x2F;&#x2F;mozilla.github.io&#x2F;cargo-vet&#x2F;design-choice-faq.html#how-does-this-relate-to-cargo-crev" rel="nofollow">https:&#x2F;&#x2F;mozilla.github.io&#x2F;cargo-vet&#x2F;design-choice-faq.html#h...</a><p>None of the reasons given by Mozilla seem to justify the downgrade in security, especially since most can be worked around with crev which already employs secure and well-tested authentication schemes.<p>What also makes this situation peculiar to me is that it&#x27;s being immediately rushed into Cargo proper instead of the usual way these tools are handled by the Cargo team (i.e. allowing multiple ideas to compete as third-party tools and maybe choosing one once a winner is clear). I understand the recent string of security issues might have played a role here, but I wouldn&#x27;t expect their reaction to be steamrolling an inferior version of crev as a builtin tool.<p>I would really like to know what happened here.<p>Disclosure: I use neither tool, but I&#x27;m very interested in the security and health of the Rust ecosystem.

&gt; Each new participant automatically contributes its audits back to the commons, making it progressively less work for everyone to secure their dependencies.<p>This is really exciting and I hope it gets adopted by all package ecosystems.<p>Of course audits can&#x27;t guarantee to find the most underhanded &quot;bugdoors&quot;, but it will still be a huge step forwards if third parties can vouch for various properties of the code you are about to install, such as it being reproducibly built from a tagged release on a public repository, with no Unicode homoglyphs or unexplained high-entropy strings in the code, and the unit tests all passing.<p>This will naturally lead to the question of who can be trusted to provide these audits, but such automatable checks could be done by almost anyone and their reputation could grow with time (which might lead to second-layer systems which track which auditors make the most accurate claims). Perhaps there will be companies that offer cyber-insurance against these specific threats, and use the premiums from that to fund the audit checks.

Alternatives to cargo-vet that has been mentioned before here on HN:<p>- <a href="https:&#x2F;&#x2F;github.com&#x2F;crev-dev&#x2F;crev" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;crev-dev&#x2F;crev</a><p>- <a href="https:&#x2F;&#x2F;github.com&#x2F;vouch-dev&#x2F;vouch" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;vouch-dev&#x2F;vouch</a><p>Anyone know of any more alternatives or similar tools already available?

I’m hesitant about this effort too, but for different reasons than the ones mentioned already. “Vetting” code for the kernel means something very different than vetting code for a normal application. I mean sure, you want to make sure that the code is functional and free of bad practices that may hide bugs or vulnerabilities, but that’s kind of where the mutual needs end. Kernel code in some cases may not allocate, or may have to avoid the use of certain vector registers. Locking and synchronization in the kernel usually looks pretty different from what you’d want to do in userspace. I’m not entirely against the idea of using third party crates in the kernel but it seems to me that you’d want something better than just “Mozilla ships this in Firefox and they got one of their security engineers to look at it so it’s probably good” that this vetting process seems to provide.

Having heard about this for the first time, I think it&#x27;s a great initiative. However, I&#x27;m concerned about the liabilities of having vetted a crate only to accidentally (ie non-maliciously) miss some kind of vulnerability.<p>Could this lead to the auditor getting sued?<p>I wouldn&#x27;t mind getting a legal take on cargo-vet and similar tools.

Does anyone have a link to Mozilla&#x27;s audits.toml?<p>I found one in Mozilla&#x27;s GitHub[1], but it only has five entries. Moreover all of the crates in the file were audited by their respective authors - which kind of goes against the whole idea of this thing.<p>Overall GitHub seems to only have six audits.toml files[1], two of which are the Mozilla one mentioned above, the other four are empty.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;mozilla&#x2F;gecko-dev&#x2F;blob&#x2F;64f3b7d019700f4fe3e5c033986bf7d20b49ba1c&#x2F;supply-chain&#x2F;audits.toml" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;mozilla&#x2F;gecko-dev&#x2F;blob&#x2F;64f3b7d019700f4fe3...</a><p>[2] <a href="https:&#x2F;&#x2F;github.com&#x2F;search?q=filename%3Aaudits.toml&amp;type=code" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;search?q=filename%3Aaudits.toml&amp;type=code</a>

The snide&#x2F;sarcastic tone is surprising and unbecoming for what&#x27;s normally a source of high-quality articles

Has there been any study of the effectiveness of code audits? Sensitivity and specificity in trying to find security problems, unintentional or intentional.

With out mandatory user fields optional or signed audits I wasn&#x27;t convinced how useful this was. I originally read the post viewing this as a way of sharing audits amongst the general public, in similar fashion to how the packages themselves are distributed. However, once I RTFM[1] (well some of it at least) I realized that is not the intended use case and that I was mistaken.<p>tl&#x27;dr<p>* internal management of audits.<p>* reading audits in from trusted third parties.<p>I&#x27;m glad that someone is starting to tackle this terrifying problem.<p>[1] <a href="https:&#x2F;&#x2F;mozilla.github.io&#x2F;cargo-vet&#x2F;importing-audits.html" rel="nofollow">https:&#x2F;&#x2F;mozilla.github.io&#x2F;cargo-vet&#x2F;importing-audits.html</a>

If this does not have a way to track and filter based on who did the audit then it will wind up like the semantic web where anyone can tag a page with safeGoodQuality.

&gt; A developer working on a function may suddenly discover the need to, say, left-pad a string with blanks. Rather than go though the pain of implementing this challenging functionality ...<p>The irony is palpable.

This feels like the equivalent of AdressSanitizer and similar tools for C. They fix a problem that shouldn&#x27;t exist. At least not this extreme. C has the excuse of being old, Rust does not have that excuse. Using npm as an inspiration for cargo is just really sad.

&gt; Our dependency tree has steadily grown to almost four hundred third-party crates, and we have thus far lacked a mechanism to efficiently audit this code and ensure that we do so systematically. (-Firefox)<p>Wow. This makes me feel like I have to stop using Firefox.<p>I wonder if others feel the same, or have a different analysis. For example, is the situation with Chrome better?