2 comments

[ 0.20 ms ] story [ 19.2 ms ] thread
For those in the know about such matters, where is the secret, community audited Rust supply chain?

Let's say I want to start a new project in Rust that needs to touch web services for some reason. The standard answer today is "just use crate <X>." But lets say that I'm security sensitive and spooked by how easy it appears to compromise open source dependencies in 2025.

So I thought, "well, Signal is the gold standard for security and open source - let's see what they do". Libsignal's 'Cargo.lock' has 599 packages in it. Is someone at Signal auditing all of those (and monitoring them for updates)? I see many well established shops using Rust with dependencies - I assume they're vendoring them internally and running them through their own reviews. Is that what everyone does? Or am I just being overly paranoid about the breadth of the dependency chain for what everyone relies on for being one of the most secure messaging clients?

> One compromise was due to a vulnerability that was already fixed, but had persisted on an old branch. Any time we make a security improvement (including patching a vulnerable Action) on a GitHub Actions workflow, we need to remember to cherry-pick it to all branches, including stale ones.

This stands out as an easy mistake to make.