Protection/mitigation of SCAs with cargo

⚓ Rust    📅 2026-05-15    👤 surdeus    👁️ 2      

surdeus

As SCAs keep on surfacing left and right, with quite a few attributable to a perfectly sane practice of preinstall hooks enabled by default in npm et al., is cargo in any way more secure, by design and/or the surface area it covers?

I do not remember seeing any "hooks" anywhere near Rust's package management toolkit, at least not in the traditional sense of the word; yet any crate that wishes to "preinstall" anything with a build.rs instead can still do so - can it not?

2 posts - 2 participants
