-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pretty Good Supply Chain Security #100597
Comments
Crates can be divided into three categories:
This distinction replicates capability-based security in Rust, within Rust's model. As I understand it, the only ways to do "impure" things are:
There's room for more nuance here:
But I think, as a first attempt:
|
I think this also must impact dependency resolution. Let's say we have 2 crates: Crate [dependencies]
B = "1.0" If crate Now let's say, none of What if A possible solution would be for Cargo to issue a warning to the one pulling the crates:
|
If you want to allow B to talk to the network, you do this:
And if you don't want B to talk to the network, you do this:
And perhaps if you want B to be able to run unsafe code and talk to the network, you do this:
|
What about: [capabilities]
unsafe = true
network = false This way, this would apply to indirect dependencies as well. |
I think something like this would be more desirable:
This would behave somewhat like app permissions on your phone. Note that I am thinking that unsafe probably should be a capability for a crate. If tokio contained code which tried to access your disk, those disk access attempts would simply trigger a capability error in the above Cargo.toml. If you wanted to allow tokio to access both network and disk, you could do this:
The lowest level of capability would bubble up through crates. |
For checking crates on crates.io (the "server-side", doesn't-modify-cargo approach), we could check all compatible dependency versions and consider the inherited capabilities to be the union of all of those dependency capability sets. That'd defend against this attack. |
Do note however that if the intention here is that "Crate doesn't have capabilities by default", this will be a gigantic breaking change, one which would be non-trivial to be cargo-fix'd. Although I do like the idea, I guess something similar to Deno's runtime capabilities system made granular to crate level could prevent a load of supply chain security attacks. This might even make finding malicious crates much easier, as it'd be quite odd if some crate which shouldn't need networking, does need it. ;). Especially in stuff like typo squatting on crates.io (😦) |
It might be worthwhile to think about ways of making these capabilities as specific as possible without being a nuisance. For example capabilities might be specified at the level of a specific function call, at the level of a code block, or at the level of a use statement. example:
|
Any new thoughts on this? |
https://github.com/davidlattimore/cackle is doing some work towards this. |
The most appropriate venue for an open-ended request like this is still not the Rust issue tracker, sorry. |
It would be nice if rust had a pretty good answer to "why is this date formatting library reading from disk and talking to the network?"
Constantly monitoring significant numbers of rust crates across the ecosystem doesn't scale well. Is there an effective way to get Pretty Good supply chain security in rust packages? I am interested to find out whether the rust community has a method of solving 98% of this problem, not 100%.
Some example approaches here would include:
Additional potential approaches are very welcome
The text was updated successfully, but these errors were encountered: