Google Open Source RustCrate Review Result: Easy for Rust developers to verify source code security

On May 25th, IT Home reported that many of Google's open source projects use Rust, a modern system language aimed at building reliable and efficient software. Recently, Google opened up the review results of RustCrate on GitHub, and developers can import these review results into their own projects to prove the properties of the RustCrate used.

There is a service called Crates. io in the Rust community that allows developers to publish their own developed Crates. Developers can also download and use Crates developed by others using Crates. io. But all third-party code carries certain risk factors. At the local compiler level, the requirement for Crate may only be to not contain active malicious code, not violate privacy, leak data, or install malicious software, but the code for client-side deployment needs to comply with stricter requirements, such as ensuring no memory security issues, and also to comply with the requirements of a series of standards and specifications, and use updated encryption technology.

Therefore, usually at the beginning of a new project, development team members conduct a thorough review of the source code based on its security, correctness, testing, and other standards. When several different projects review the same Crate, it may lead to duplicate work. Therefore, in order to eliminate duplicate work and verify security, Google's internal projects must undergo a thorough review before starting to use the new Crate.

When third-party developers review the Crate used in their projects, they may waste resources to perform duplicate work. Therefore, Google announces the results of the open source review to avoid duplicate review work. Google continuously integrates these audit results into the supply chain repository and uses cargo to quickly validate the Crate used in the project.

Developers can import the audit results of Google Open Source, including attributes such as code quality, security, and testing requirements, into their own projects, and determine whether they meet project requirements based on these Crate attributes. Different use cases have different requirements, and cargo allows users to independently configure requirements for each dependent project.

Recently, Google's ChromeOS and Fuchsia projects have already contributed to the Crate review results, and other Google projects will gradually join, so as to cover more Crate. At present, this work is still in its early stages, including the operational details of cargo execution and shared auditing, and there may be further changes in the future.

IT Home Note: In the Rust programming language, Crate is a compilation unit in Rust. Crate can be compiled into binary files or libraries, which contain Rust code and other related resources and can be compiled into executable files or function libraries. Rust makes it easy to encapsulate and share code in Crates, just like software packages in other languages. These Crates are reusable software components and therefore have considerable universality.