28 Feb
2023
28 Feb
'23
4:01 a.m.
On Mon, Feb 27, 2023 at 4:42 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
On 2/27/23 4:22 PM, Dan Cross wrote:
FTR, you don't usually do this as root, as by default `rustup`
installs into $HOME.
I'm not sure how this is any less safe than downloading, say, a
tarball and running the contained `configure` script, except that in
the latter case one at least has the chance to look at the script
contents.
[COFF]
On Mon, Feb 27, 2023 at 4:16 PM Chet Ramey <chet.ramey(a)case.edu> wrote:
Sure. My sense is that the world is a less trustworthy place today, that
there are more bad actors out there, and that promoting unsafe practices
like this does little good. If practices like this become the norm (and
they have), it gets very easy to trick someone (or worse, compromise the
server and replace the script with something that does just a little bit
extra). Blindly executing code you get from elsewhere as root isn't a
great idea. On 2/27/23 4:01 PM, segaloco wrote:
I find this a little odd. If I go back to O'Reilly books from the
early 90s, there was advice to do all sorts of suspect things in them, The official Rust book lists a blind script grab
from a website piped into a shell as their "official" install mechanism.
Well, I suppose if it's from a trustworthy source...
(Sorry, my eyes rolled so hard they're bouncing on the floor right now.) Look at the compromises the Python community has been
dealing with
recently, involving replacing common packages on well-known repository
sites with malicious ones.
That seems like an issue that is independent of the delivery mechanism.
FWIW, when my old team brought the Rust toolchain into Google, we
investigated this issue at length. Another team (Android security, I
believe) had used `mrustc`, which is a Rust compiler written in C++,
to bootstrap the "real" Rust compiler from source. We then downloaded
and vendored each dependent crate (Rust library) that we needed, with
an auditing step. So it's entirely possible to work with Rust without
ever using `rustup`.
- Dan C.