
Cargo does not verify code validity on local cache/registry #9691

Open
@ufoscout


Problem
I came across this issue yesterday: http-rs/surf#313
The problem was somehow caused by cargo itself, which downloaded and cached the code of a dependency in a corrupted state in the ~/.cargo/registry folder of my local filesystem.

The fact that cargo did not verify the validity of the code (e.g. using a checksum) before attempting a build really surprised me.

Shouldn't cargo, by default, apply some strategy to avoid code corruption/tampering/etc.? Isn't this a potential security issue?
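An added example, not Cargo's own code and not part of the issue: a Python check that compares each .crate file in a registry cache directory against the sha256 checksum recorded in Cargo.lock, so a corrupted download like the one described above is flagged before a build is attempted. It assumes cargo's cache layout of `<name>-<version>.crate` files under `~/.cargo/registry/cache/<index>/`; the sample lockfile and crate bytes are constructed.

```python
import hashlib
import os
import re
import tempfile

# Minimal Cargo.lock reader: every [[package]] block has name/version, and
# registry packages also carry `checksum = "<sha256 hex>"`.
_KV = re.compile(r'^(name|version|checksum)\s*=\s*"([^"]*)"$')

def parse_lockfile(text):
    """Map "name-version" -> sha256 hex; path/git deps have no checksum and are skipped."""
    packages, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and (m := _KV.match(line)):
            current[m.group(1)] = m.group(2)
    return {f'{p["name"]}-{p["version"]}': p["checksum"]
            for p in packages if "checksum" in p}

def verify_cached_crates(lock_text, cache_dir):
    """Classify each locked registry crate as ok / corrupt / missing.
    cache_dir is one ~/.cargo/registry/cache/<index>/ directory, where cargo
    stores downloads as <name>-<version>.crate (assumed layout)."""
    results = {}
    for key, expected in parse_lockfile(lock_text).items():
        path = os.path.join(cache_dir, key + ".crate")
        if not os.path.isfile(path):
            results[key] = "missing"
            continue
        with open(path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        results[key] = "ok" if digest == expected else "corrupt"
    return results

def demo():
    """Constructed sample: an intact crate, a truncated one, and one never cached."""
    cache = tempfile.mkdtemp()
    data = b"constructed stand-in for a .crate tarball"
    sha = hashlib.sha256(data).hexdigest()
    with open(os.path.join(cache, "good-1.0.0.crate"), "wb") as f:
        f.write(data)
    with open(os.path.join(cache, "bad-2.0.0.crate"), "wb") as f:
        f.write(data[:8])  # simulate a corrupted/partial download
    lock = "".join(f'[[package]]\nname = "{n}"\nversion = "{v}"\nchecksum = "{c}"\n\n'
                   for n, v, c in [("good", "1.0.0", sha), ("bad", "2.0.0", sha),
                                   ("absent", "0.1.0", "0" * 64)])
    return verify_cached_crates(lock, cache)
```

Running the check against a real project means pointing it at that project's Cargo.lock and the matching index directory under ~/.cargo/registry/cache/; anything reported as corrupt can be deleted and re-downloaded by cargo.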

Labels: A-caching (caching of dependencies, repositories, and build artifacts), C-bug (bug), S-triage (this issue is waiting on initial triage)