Google Open Sources Internal Rust Crate Audit Results
Google has announced and released some aggregated results of an internal audit of Rust crates, continuing its commitment to the open source Rust community.
Google has embraced Rust for a long time and uses it in many of its open source projects. It has also invested continuously in the Rust community: helping to establish the Rust Foundation, having employees contribute to Rust upstream, financially supporting key Rust projects, and so on.
Open-sourcing the crate audit results lets developers import audits already performed by Google into their own projects as evidence of the properties of the crates they use, and decide from that data whether a crate meets the project's security, correctness and testing requirements. It also avoids duplicated audit work among developers.
“Rust makes it easy to package and share code into crates, which are reusable software components like packages in other languages. We embrace the broad ecosystem of open source Rust crates, leveraging crates written outside of Google, and have also released several crates of our own.”
According to the announcement, the Rust community runs a service called Crates.io through which developers distribute their crates; developers can use Crates.io to download and use crates written by others, but all third-party code carries some risk.
Before a project starts using a new crate, members typically perform a thorough audit, measuring it against their standards for security, correctness, testing, etc.
Google consolidated its audit results and released them as open source, and also uses cargo vet to quickly verify the crates a project depends on.
Different use cases have different requirements, and cargo vet allows users to configure requirements independently for each dependency.
At the native compiler level, a crate may only be required not to contain actively malicious code: nothing that violates privacy, leaks data or installs malware.
Code deployed to clients usually needs to meet stricter requirements, such as having no memory safety issues, using up-to-date cryptography, and complying with the relevant standards and specifications.
When using and sharing audit results, it is therefore important to consider the relationship of the project’s requirements to the facts recorded during the audit.
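The per-dependency configuration described above, as an added example that is not from the page or from Google. It is a constructed `supply-chain/config.toml` in the cargo vet configuration format: the import URL is a placeholder to be replaced with the publisher's real `audits.toml`, the crate names (`my-service`, `dev-helper`, `tls-handshake`) are invented, and the section and key names (`[imports.*]`, `[policy.*]`, `criteria`, `dependency-criteria`, `[[exemptions.*]]`) follow the cargo vet format as the author understands it and should be checked against the tool's own documentation.

```toml
# supply-chain/config.toml (constructed example, not from the page or from Google)

[cargo-vet]
version = "0.8"

# Import audits published by another organisation. Their audit records can
# then satisfy this project's criteria without re-auditing the same crate.
# Placeholder URL: replace with the publisher's real audits.toml location.
[imports.example-org]
url = "https://example.invalid/rust-crate-audits/audits.toml"

# Policy for a first-party workspace member that ships to clients.
# Its dependency tree must satisfy the built-in "safe-to-deploy" criterion
# (no malware, no memory-safety problems, reviewed for correctness).
[policy.my-service]
criteria = "safe-to-deploy"

# Requirements can differ per dependency: a crate used only during the
# build or in local tooling only has to be "safe-to-run" (not actively
# malicious), even when it sits below a safe-to-deploy crate.
[policy.my-service.dependency-criteria]
dev-helper = "safe-to-run"

# A crate that handles cryptography is held to the stricter criterion
# explicitly, so a weaker imported audit cannot satisfy it by accident.
[policy.my-service.dependency-criteria]
tls-handshake = "safe-to-deploy"

# A first-party tool that never leaves developer machines.
[policy.dev-helper]
criteria = "safe-to-run"

# Exemptions record crates accepted without an audit; each one is a gap
# in the supply-chain record that "cargo vet" will keep reporting until
# an audit (own or imported) covers that version.
[[exemptions.dev-helper]]
version = "0.3.1"
criteria = "safe-to-run"
```

With this file in place, `cargo vet` walks the lock file and reports any crate version for which neither a local audit, an imported audit nor an exemption satisfies the required criteria; the point of importing another organisation's audits is that the criteria they certified against are compared to the criteria this project demands, not taken at face value.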
Currently, the ChromeOS and Fuchsia projects have contributed their audit results.
Google said that some of the company's other open source projects will soon follow. “We hope that by sharing our work with the open source community, the Rust ecosystem can be made more secure and reliable… We hope you find value in the work Googlers are doing and join us in building a safer, more solid Rust ecosystem.”
Reference:
https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html