Is it safe to install Rust crates? Is `crates.io` curated or reviewed for malware?


With Debian and Ubuntu, there is some quality control. With Boost (C++'s main repo), there is significant quality control. Are Rust crates(.io) similar or are they a complete free-for-all? Can anyone upload any code they want under any name that they want?

crates.io's "Security" link sends you to rust-lang.org/policies/security that just talks about how very important security is to Rust.

3

There are 3 answers

0
xamgore On BEST ANSWER

It's not safe by default. Lib.rs is integrated with review systems, though. If you check a crate, there will be an Audit button, leading to the reviews list.

0
aled On

Maybe the cargo.io policies page gives you the answer you are looking for:

Removal

Many questions are specialized instances of a more general form: “Under what circumstances can a package be removed from Crates.io?”

The short version is that packages are first-come, first-served, and we won’t attempt to get into policing what exactly makes a legitimate package. We will do what the law requires us to do, and address flagrant violations of the Rust Code of Conduct.

Since they are not policing valid packages that implicitly means they are not reviewing packages uploaded to crates.io.

8
Colonel Thirty Two On

Crates.io does not review packages before publishing them.

This is not unusual. Most package repositories, including npm, PyPI (the repo behind pip), and RubyGems don't do any auditing before publishing. It's simply too much work to do for free and slows publishing down a lot. The downsides to this are well known, and there are plenty of articles describing them and instances of problematic behavior (e.g. left-pad).

Boost is different in that it curates libraries before inclusion. That elevates the trust and helps ensure good practices, but gives the repository much less breadth - you won't, for example, find a QUIC client in Boost.
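Since the answers above agree that crates.io publishes without review, the practical consequence is that the consumer has to do the checking. The following is an added example, not code from the thread or from any of the tools it mentions: a minimal audit pass that parses a `Cargo.lock`, then compares each locked dependency against an advisory list and reports anything below the patched version. The lock file contents, the crate names (`demo-parser`, `demo-net`, `myapp`) and the advisory identifiers are all constructed placeholders; real tooling such as `cargo audit` runs the same idea against the RustSec advisory database, and `cargo vet` / `cargo crev` add the human-review layer the accepted answer refers to.

```rust
// Added example: a toy dependency audit over a Cargo.lock.
// Everything below (lock file, crate names, advisories) is constructed
// for illustration; it is not a real advisory database.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "MAJOR.MINOR.PATCH" into a Version; pre-release and build
/// tags ("1.2.3-beta+git") are ignored, anything else is rejected.
pub fn parse_version(s: &str) -> Option<Version> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let nums = core
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    if nums.len() != 3 {
        return None;
    }
    Some(Version(nums[0], nums[1], nums[2]))
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedPackage {
    pub name: String,
    pub version: Version,
}

/// Minimal line-oriented reader for the `[[package]]` tables in Cargo.lock.
/// Only `name` and `version` are extracted; other keys are skipped.
pub fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    fn flush(name: &mut Option<String>, version: &mut Option<Version>, out: &mut Vec<LockedPackage>) {
        if let (Some(n), Some(v)) = (name.take(), version.take()) {
            out.push(LockedPackage { name: n, version: v });
        }
    }
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    let mut version: Option<Version> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            flush(&mut name, &mut version, &mut out);
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` lockfile marker fails to parse and is ignored.
            version = parse_version(v.trim_matches('"'));
        }
    }
    flush(&mut name, &mut version, &mut out);
    out
}

/// A constructed advisory: versions below `patched` are affected.
pub struct Advisory {
    pub id: &'static str,
    pub package: &'static str,
    pub patched: Version,
}

/// Constructed placeholder advisories (NOT real RustSec entries).
pub fn advisories() -> Vec<Advisory> {
    vec![
        Advisory { id: "PLACEHOLDER-ADVISORY-1", package: "demo-parser", patched: Version(0, 3, 2) },
        Advisory { id: "PLACEHOLDER-ADVISORY-2", package: "demo-net", patched: Version(1, 1, 5) },
    ]
}

/// Return (advisory id, "name x.y.z") for every locked package below the patched version.
pub fn find_vulnerable(packages: &[LockedPackage], advisories: &[Advisory]) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    for p in packages {
        for a in advisories {
            if a.package == p.name.as_str() && p.version < a.patched {
                let v = p.version;
                hits.push((a.id.to_string(), format!("{} {}.{}.{}", p.name, v.0, v.1, v.2)));
            }
        }
    }
    hits
}

/// Constructed sample Cargo.lock with two third-party crates and the root package.
pub const SAMPLE_LOCK: &str = r#"# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "demo-parser"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "demo-net"
version = "1.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "demo-net",
 "demo-parser",
]
"#;

fn main() {
    let packages = parse_cargo_lock(SAMPLE_LOCK);
    let hits = find_vulnerable(&packages, &advisories());
    if hits.is_empty() {
        println!("no known advisories match the lock file");
    }
    for (id, pkg) in &hits {
        println!("{id}: {pkg} is below the patched version");
    }
}
```

Run with `cargo run` in a scratch project (or `rustc` on the single file); `demo-parser 0.3.1` is flagged against the first placeholder advisory, while `demo-net 1.2.0` is already above its patched version and passes. The point for a security engineer is that this check is cheap and mechanical, so it belongs in CI rather than being left to the registry.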