999 crates of Rust on the wall (lawngno.me)
from thomask@lemmy.sdf.org to rust@programming.dev on 11 Jun 03:40
https://lemmy.sdf.org/post/18069813

#rust

threaded - newest

BB_C@programming.dev on 11 Jun 10:28 next collapse

Good work.
I don’t know if kornel* still lurks here, but I think he did/does related/similar analysis for lib.rs.

* @kornel@programming.dev / @kornel@mastodon.social

kornel@mastodon.social on 11 Jun 18:16 collapse
ericjmorey@programming.dev on 11 Jun 10:33 collapse

I’ve been comparing crates on crates.io against their upstream repositories in an effect to detect (and, ultimately, help prevent) supply chain attacks like the xz backdoor1, where the code published in a package doesn’t match the code in its repository.

The results of these comparisons for the most popular 9992 crates by download count are now available. These come with a bunch of caveats that I’ll get into below, but I hope it’s a useful starting point for discussing code provenance in the Rust ecosystem.

No evidence of malicious activity was detected as part of this work, and approximately 83% of the current versions of these popular crates match their upstream repositories exactly.