
With Debian and Ubuntu, there is some quality control. With Boost (C++’s main repo), there is significant quality control. Are Rust crates(.io) similar or are they a complete free-for-all? Can anyone upload any code they want under any name that they want?

crates.io's "Security" link sends you to rust-lang.org/policies/security, which just talks about how very important security is to Rust.


Answers


  1. Maybe the cargo.io policies page gives you the answer you are looking for:

    Removal

    Many questions are specialized instances of a more general form: “Under what circumstances can a package be removed from Crates.io?”

    The short version is that packages are first-come, first-served, and we won’t attempt to get into policing what exactly makes a legitimate package. We will do what the law requires us to do, and address flagrant violations of the Rust Code of Conduct.

  2. Crates.io does not review packages before publishing them.

    This is not unusual. Most package repositories, including npm, PyPI (the repo behind pip), and RubyGems, don't do any auditing before publishing. It's simply too much work to do for free, and it slows publishing down a lot. The downsides to this are well known, and there are plenty of articles describing them and instances of problematic behavior (e.g. left-pad).

    Boost is somewhat unique in that it actually curates libraries before inclusion. That elevates the trust and helps ensure good practices, but gives the repository much less breadth – you won’t, for example, find a QUIC client in Boost.
