On Thu, Jun 22, 2017 at 11:30 AM, Nils Freydank <nils.freyd...@posteo.de> wrote:
> On Thursday, 22 June 2017, 16:41:54 CEST, R0b0t1 wrote:
>> [other quote]
>> This is kind of troubling because much like Cabal it seems like the
>> Rust package management system is insecure. Does the Firefox build
>> process make use of it?
>
> Could you please specify what in your eyes is insecure in rust’s pm?
> --
> GPG fingerprint: '00EF D31F 1B60 D5DB ADB8  31C1 C0EC E696 0E54 475B'
> Nils Freydank

I spent the most time looking at Cabal (Haskell's package manager) and
so as far as code-related specifics go I have the best references in
relation to it. I admit Rust may be different and that I haven't had a
great deal of time to look at it, but I have seen this pattern in a
few language-specific package managers to date.

The gist of it is that the package managers are typically designed to
download and run unsigned code as root. Releases are not signed and
code may be fetched over plain HTTP. This is something even Windows
doesn't let you do by default now.

My research on Rust's crate system reached a point a while ago where I
think I need a developer to chime in on it.
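As an added illustration of the safeguard the message above says is missing (download-then-execute with no integrity check), here is a small install gate that refuses an artifact unless its pinned source is HTTPS and its bytes match a pinned SHA-256. This is example code written for this thread, not code from any package manager discussed in it; the manifest format, the `mirror.example.invalid` hostnames and the archive bytes are constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed example manifest (not from the thread or any real package
# manager): each entry pins where an artifact may be fetched from and the
# SHA-256 of the exact bytes that are allowed to be installed.
MANIFEST = {
    "example-crate-1.0.0.tar.gz": {
        "url": "https://mirror.example.invalid/example-crate-1.0.0.tar.gz",
        "sha256": hashlib.sha256(b"constructed archive bytes").hexdigest(),
    },
    "legacy-pkg-0.3.tar.gz": {
        # Deliberately pinned to plain HTTP to show the policy rejecting it.
        "url": "http://mirror.example.invalid/legacy-pkg-0.3.tar.gz",
        "sha256": hashlib.sha256(b"other constructed bytes").hexdigest(),
    },
}


def source_url_allowed(url: str) -> bool:
    """Accept only HTTPS sources with a host; plain HTTP can be tampered with in transit."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def checksum_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the downloaded bytes against the pinned digest."""
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


def vet_artifact(name: str, data: bytes, manifest=MANIFEST) -> list:
    """Return a list of policy violations; an empty list means the bytes may be unpacked."""
    entry = manifest.get(name)
    if entry is None:
        return [f"{name}: not pinned in manifest"]
    problems = []
    if not source_url_allowed(entry["url"]):
        problems.append(f"{name}: source {entry['url']} is not HTTPS")
    if not checksum_matches(data, entry["sha256"]):
        problems.append(f"{name}: SHA-256 mismatch, refusing to install")
    return problems


if __name__ == "__main__":
    print(vet_artifact("example-crate-1.0.0.tar.gz", b"constructed archive bytes"))
    print(vet_artifact("legacy-pkg-0.3.tar.gz", b"tampered"))
```

A checksum pinned in a lockfile only proves the bytes are the ones recorded when the lock was written; it does not identify who published them. Release signing (a detached signature over the digest, verified against a trusted key) is the stronger property the message is asking for, and it would slot in as one more check in `vet_artifact` before anything is unpacked or run.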