this post was submitted on 19 Aug 2023
66 points (94.6% liked)
Rust Lang
2 readers
1 users here now
Rules [Developing]
Observe our code of conduct
- Strive to treat others with respect, patience, kindness, and empathy.
- We observe the Rust Project Code of Conduct.
- Submissions must be on-topic
- Posts must reference Rust or relate to things using Rust. For content that does not, use a text post to explain its relevance.
- Post titles should include useful context.
- For Rust questions, use the stickied Q&A thread. [TBD]
- Arts-and-crafts posts are permitted on weekends.
- No meta posts; message the mods instead.
Constructive criticism only
- Criticism is encouraged, though it must be constructive, useful and actionable.
- If criticizing a project on GitHub, you may not link directly to the project’s issue tracker. Please create a read-only mirror and link that instead.
- Keep things in perspective
- A programming language is rarely worth getting worked up over.
- No zealotry or fanaticism.
- Be charitable in intent. Err on the side of giving others the benefit of the doubt.
No endless relitigation
- Avoid re-treading topics that have been long-settled or utterly exhausted.
- Avoid bikeshedding.
- This is not an official Rust forum, and cannot fulfill feature requests. Use the official venues for that.
No low-effort content
- Showing off your new projects is fine
No memes or image macros
- Please find other communities to post memes
No NSFW Content
- There are many other NSFW communities, let’s keep this related to the language
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
That’s the problem: it is incredibly difficult to verify.
Which is exactly why people are upset.
They’re not accusing the maintainer of doing anything malicious, they’re saying the choice that was made makes it impossible for them to verify if anything malicious was done, or will be done in the entire future of the project.
The reasons given are easily addressed by some of the commenters suggestions, those suggestions have been ignored.
So now a core rust library has a big shiny hackers target on it, because if someone manages to hack or trick the builder into uploading a malicious binary, no one (maintainers included) would be any the wiser.
This is enough to get the crate blocked on a corporate level for security reasons.
Edit: that’s not to mention the extreme end of the problem, which looks more like suits showing on his door saying “here is our secret court order that says you can’t tell anyone about this. Now change the build to use this binary we provide you because we said so”
No regular open source maintainer has the ability to protect themselves or others against a state sponsored attack of that level, and it would likely look just like this if it happened.