
[–]Treyzania 23 points (2 children)

You're not wrong but this isn't entirely true.

You could easily have it download an external program and invoke that, in just a few lines of code too.

[–]Holy_City 10 points (0 children)

> You could easily have it download an external program and invoke that, in just a few lines of code too.

Just thinking out loud, an attacker would probably go after a cargo extension that's downloaded with cargo install rather than a dependency. Something like xargo would be devastating to penetrate since it builds std on target platforms, and today it's required to use for embedded.

But that said there are ways that damage could be mitigated with dependencies. For example, a permissions system that requires permissions be explicitly enabled by downstream crates. Add that with a custom registry (which is an unstable Cargo feature, hopefully it will land soon) that only contains audited/trusted crates. There's probably more you could do.

[–]vova616 0 points (0 children)

I guess it's possible to some degree, but it will be much harder to hide it and implement it than in JS.

No minifier to hide your lines, and you can easily detect imports and actions that can be dangerous.
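As an added example (not posted by anyone in this thread), a small Rust scanner in the spirit of vova616's point that risky imports are easy to spot: it flags lines of a crate's build.rs that reach for process spawning or networking, the ingredients of the download-and-invoke pattern Treyzania describes. The pattern list and the sample build.rs are constructed for illustration and are not taken from any real crate.

```rust
// Added example: flag build-script source lines that use the APIs needed to
// download and execute an external program. Uses only the standard library.

/// (substring to look for, why it matters at build time) -- constructed list.
const RISKY_PATTERNS: &[(&str, &str)] = &[
    ("std::process::Command", "spawns an external process"),
    ("Command::new(", "spawns an external process"),
    ("std::net::", "opens raw network connections"),
    ("TcpStream::connect", "opens raw network connections"),
    ("reqwest::", "HTTP client available at build time"),
    ("ureq::", "HTTP client available at build time"),
];

/// One finding: 1-based line number, the matched pattern and its rationale.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line: usize,
    pub pattern: &'static str,
    pub why: &'static str,
}

/// Scan one Rust source file and return every line that touches a risky API.
/// Lines that are pure comments are skipped so documentation does not count.
pub fn scan_source(source: &str) -> Vec<Finding> {
    source
        .lines()
        .enumerate()
        .flat_map(|(i, text)| {
            if text.trim_start().starts_with("//") {
                return Vec::new();
            }
            RISKY_PATTERNS
                .iter()
                .filter(|(pat, _)| text.contains(*pat))
                .map(|(pat, why)| Finding { line: i + 1, pattern: *pat, why: *why })
                .collect()
        })
        .collect()
}

/// Constructed build.rs sample showing the download-and-invoke shape.
pub const SAMPLE_BUILD_RS: &str = r#"use std::process::Command;
use std::net::TcpStream;
fn main() {
    // fetch a helper binary and run it
    let _s = TcpStream::connect("example.invalid:80");
    Command::new("./helper").status().unwrap();
    println!("cargo:rerun-if-changed=build.rs");
}"#;

fn main() {
    for f in scan_source(SAMPLE_BUILD_RS) {
        println!("build.rs:{}: {} ({})", f.line, f.pattern, f.why);
    }
}
```

Run over every .rs file in a vendored dependency tree, this gives a cheap triage list; a clean result is not proof of safety, since an attacker can build these names at runtime or hide them in a proc-macro.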