September 28, 2023



Google Open Sources Internal Rust Crate Audit Results


Google has announced and released some aggregated results of an internal audit of Rust crates, continuing its commitment to the open source Rust community.

Google has long embraced Rust and uses it in many open source projects. It has also invested continuously in the Rust community, including helping to establish the Rust Foundation, having employees actively contribute to Rust upstream, and financially supporting key Rust projects.




Open-sourcing the audit results lets developers import the audits Google has already performed into their own projects to attest to the properties of the Rust crates they use and, based on that data, to determine whether a crate meets the project's security, correctness, and testing requirements. It also avoids repeated audit work among developers.


“Rust makes it easy to package and share code into crates, which are reusable software components like packages in other languages. We embrace the broad ecosystem of open source Rust crates, leveraging crates written outside of Google, and also released several crates of our own.”


According to the introduction, the Rust community has a service for developers to distribute their own crates, and developers can use it to download and use crates developed by others, but all third-party code carries some risk.

Before a project starts using a new crate, members typically perform a thorough audit, measuring it against their standards for security, correctness, testing, etc.

Google consolidated its audit results and released them as open source, and also uses cargo vet to quickly verify the crates used by a project.


Different use cases have different requirements, and cargo vet allows users to configure requirements independently for each dependency.

At the native compiler level, a crate may only be required to be free of active malicious code and not to violate privacy, leak data, or install malware.

But client-deployed code usually needs to meet stricter requirements, such as ensuring that there are no memory safety issues, using the latest cryptography, and complying with standards and specifications.

When using and sharing audit results, it is therefore important to consider the relationship of the project’s requirements to the facts recorded during the audit.
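The matching that paragraph describes can be sketched as follows. This is an added example, not code from Google or from cargo vet: it assumes cargo vet's two built-in criteria (`safe-to-run` and the stricter `safe-to-deploy`, which implies the former), and every crate name, version and audit record in it is constructed.

```rust
// Added illustration; crate names, versions and audit records are constructed.
#[derive(Clone, Copy, PartialEq, Debug)]
enum Criteria {
    SafeToRun,    // no malicious behaviour; enough for local tooling
    SafeToDeploy, // stricter review for code shipped to users
}

impl Criteria {
    // safe-to-deploy implies safe-to-run, never the reverse.
    fn satisfies(self, required: Criteria) -> bool {
        self == required || self == Criteria::SafeToDeploy
    }
}

struct Audit { name: &'static str, version: &'static str, criteria: Criteria }
struct Dep { name: &'static str, version: &'static str, required: Criteria }

// Dependencies that no imported audit covers at the exact version and level.
// Simplification: full audits only, no delta audits or exemptions.
fn unvetted(deps: &[Dep], audits: &[Audit]) -> Vec<&'static str> {
    deps.iter()
        .filter(|d| !audits.iter().any(|a| {
            a.name == d.name && a.version == d.version && a.criteria.satisfies(d.required)
        }))
        .map(|d| d.name)
        .collect()
}

fn sample() -> (Vec<Dep>, Vec<Audit>) {
    let audits = vec![
        Audit { name: "cli-helper", version: "1.2.0", criteria: Criteria::SafeToRun },
        Audit { name: "tls-y", version: "0.9.1", criteria: Criteria::SafeToDeploy },
        Audit { name: "img-parse", version: "3.1.0", criteria: Criteria::SafeToRun },
        Audit { name: "codec-z", version: "2.0.0", criteria: Criteria::SafeToDeploy },
        Audit { name: "fmt-w", version: "0.4.0", criteria: Criteria::SafeToDeploy },
    ];
    let deps = vec![
        Dep { name: "cli-helper", version: "1.2.0", required: Criteria::SafeToRun },
        Dep { name: "tls-y", version: "0.9.1", required: Criteria::SafeToDeploy },
        Dep { name: "img-parse", version: "3.1.0", required: Criteria::SafeToDeploy }, // audit too weak
        Dep { name: "codec-z", version: "2.0.1", required: Criteria::SafeToRun },      // audit is for 2.0.0
        Dep { name: "fmt-w", version: "0.4.0", required: Criteria::SafeToRun },        // stronger audit covers it
    ];
    (deps, audits)
}

fn main() {
    let (deps, audits) = sample();
    println!("still need review: {:?}", unvetted(&deps, &audits));
}
```

An imported audit only helps when it was recorded for the exact version in use and at a level at least as strict as the dependency's own requirement.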


Currently, the ChromeOS and Fuchsia projects have contributed their audit results.

Google said some of the company’s other open source projects will soon join the ranks. “We hope that by sharing our work with the open source community, the Rust ecosystem can be made more secure and reliable… We hope you find value in the work Googlers are doing and join us in building a safer, more solid Rust ecosystem.”



