About release dead code crates

zhuxiujia · March 19, 2022, 2:51pm

Mail queries are made for crates that have not been maintained for at least 2 years, and if there is no response, the library is deleted and released. This prevents someone from taking the name and not using it

elidupree · March 19, 2022, 2:56pm

This has been discussed before, and a major problem is that if anyone has a dependency on the deleted crate, it not only breaks their code, but also allows supply-chain attacks where a malicious user creates a new, malicious crate with the same name as the deleted one.

bascule · March 19, 2022, 3:09pm

For what it's worth, we track unmaintained crates in the RustSec Security Advisory Database:

ChrisJefferson · March 19, 2022, 9:21pm

What does "maintained" mean?

While Rust isn't old enough yet, I've worked with libraries in C which haven't had an update in 10 years, as they are just "done".

bascule · March 19, 2022, 9:36pm

You can review the WIP guidance we're crafting on that topic here:

tl;dr: crates where the author agrees it's unmaintained, or crates with non-communicative authors which are not receiving any updates/releases/etc

kornel · March 22, 2022, 2:01pm

The supply-chain problem can be solved by allowing new maintainers only release a higher semver-major version. So if a crate stopped being maintained at v3.3.0, the new owner can only release v4.0.0, but not 3.3.1 nor 2.0.0. In typical usage this will prevent other users from automatically upgrading to a potentially-malicious crate. There can also be a required period in between when the crate is completely yanked and unusable, so that its active users will notice and remove the dead dependency.

ckaran · March 22, 2022, 3:28pm

What about a scheme using digital signatures? AFAIK, crate repositories (including crates.io) match based on the name of the crate alone. Given that, we can have the following scheme:

When an author makes a release, they sign two documents. The first is a UTF-8 encoded plain text file containing the canonical name of the crate only. This is the exact name that you would use in your Cargo.toml file, and anywhere else that is mechanically verified or used. The second is the complete material that is being released, which must be signed with the same key.
When you download a crate, you get both of these files, plus the keys to verify the signature. The verifying keys are put in your Cargo.lock file, or in .cargo, or wherever it's best to place it.
When you build a crate, cargo verifies that signatures on both files is good, complaining loudly if the signatures on either are bad. It will also do this if it already has key material on file for that crate.

For someone to replace a well-known crate, they have to get people to accept the new keys before their replacement crate will be built and incorporated.

I think that this will require minimal changes. Basically, a new file (CrateRepositoryName.txt? Someone bikeshed this) that the crate author will need to sign before upload, and maybe some work on the crate repositories end to reject releases that don't have this file. After that, it becomes a matter of educating people, and eventually releasing the names of dead crates.

I think that the following table outlines the possible outcomes of good/bad signatures:

Name File	Complete Material in Release	Keys matching	Result
Good signature	Good signature	Matches original	Good crate, carry on
Good signature	Good signature	Doesn't match original	Maybe a new maintainer? Verify before use.
Good signature	Bad signature	Matches original	Corrupted crate, use a different version, contact author.
Good signature	Bad signature	Doesn't match original	Supply chain attack! Report to rustsec ASAP!
Bad signature	Good signature	Matches original	Corrupted crate, use a different version, contact author.
Bad signature	Good signature	Doesn't match original	Supply chain attack! Report to rustsec ASAP!
Bad signature	Bad signature	Matches original	Supply chain attack! Report to rustsec ASAP! (implies `crates.io` was hacked)
Bad signature	Bad signature	Doesn't match original	See below

In the last line, if the signatures are bad and the keys don't match the original then there are a couple of possibilities.

First, the author may have updated their keys, but forgotten to update crates.io with the new keys. Report it as a bug to the author, and see if they put out a new release shortly. Note that it would be good practice for crate authors to keep the contents of new release identical to the old release, while just updating their keys; this lets automated tools verify that this was just an honest mistake as the contents of the release will remeain the same.

The other possibility is that someone is trying to do a supply chain attack, but has done a really, really bad job of it. Report it to rustsec, so that they can see if there is anything that can/should be done.

I think that crates.io can automatically triage some of the above. For those parts that are highly likely to be supply chain attacks, it could even report to rustsec automatically.

amosonn · March 24, 2022, 9:15pm

In that case, there's no real need to yank at all. The old versions can stay available for download, if the problem is just hogging the name and not the storage required. This might be confusing if the two crates would share the same landing page, so it would be better to add crates.io support for multiple pages of the same crate. However if the assumption is that the old crate is dead, findability of it is less important.

alilleybrinker · March 28, 2022, 7:46pm

Getting people to manage keys correctly is really difficult. Even when they're strongly motivated to do so. People still lose keys to access cryptocurrency wallets worth large amounts of money.

Getting people to actually think about whether to accept or reject updated keys for their counterparties rather than blindly accept updated keys is even harder.

Adding key management to things needs to be thought about extremely carefully for usability, because otherwise you get a lot of friction for little real-world benefit.

ckaran · March 28, 2022, 8:04pm

I agree that getting people to manage their keys correctly is difficult. But I also think that it's the best way to deal with this problem. Supply chain attacks are real, and as rust gets to be bigger, it will become a bigger target to attack. Crypto is probably going to be the only realistic way of dealing with it...

alilleybrinker · March 29, 2022, 11:08pm

I agree that supply chain attacks are a real problem. However, saying "something must be done" isn't the same as "this specific thing must be done."

The problem in this case is one of trusting software artifacts. The SLSA and SCITT standards which are developing (building off of COSE and in-toto) are a more compelling and complete solution to this problem that one that the Rust community could device independently.

ckaran · March 30, 2022, 1:06pm

I agree 100% with this. I misunderstood what you were saying; I thought that you were saying that because keys are difficult to manage, we should give up trying to solve the problem in a robust manner.

Thank you, I didn't know about those at all! Have you brought these to the attention of the rust secure code working group? As you say, they are much more complete standards than what we're discussing here.

alilleybrinker · March 31, 2022, 2:38pm

I have now raised these in the Rust secure code working group Zulip channel. Thanks!

bascule · April 4, 2022, 4:31pm

Speaking on behalf of the Rust Secure Code Working Group, we have been following and participating in various in-toto discussions for several years.

Adding anything like that to cargo itself seems rather tricky though. We've had a few issues open about that for several years:

github.com/rust-lang/crates.io

Security model / TUF

opened 01:02AM - 24 Nov 14 UTC

tarcieri

C-enhancement infrastructure

The fun thing about packaging systems with central package directories is the ce…ntral package directories have this annoying tendency to be compromised. There have been a few such notable compromises in recent history, such as RubyGems and npm. Fortunately no serious problems resulted in either of these attacks they were both detected early, but a more sinister attack could go undetected, poisoning the package repository and spreading malware. One way to stop this is to move the source of authority for the integrity of packages from the package repository to the developers of packages. However, managing keys is hard, and many people simply won't want to do this. Furthermore, you have to worry about how to retrofit the existing packages into this model if your packaging system didn't launch with developer-managed keys from day one (which Cargo didn't) There's a system that solves all these problems called The Update Framework (TUF), collaboratively developed by both Tor developers and academics: http://theupdateframework.com/ The Update Framework allows developers to opt-in to managing their own keys. High profile packages can be signed by developers: specifically, TUF supports "threshold signatures" so k / n developers are needed to countersign a package in order for it to count as released. However, not everyone is forced to manage their own keys: people who don't want to can have their packages signed by the package repository instead. TUF secures developer keys by having developers who own "unclaimed" packages request to associate some signing keys with them. A system administrator then periodically (once a week or other tolerable time interval) signs these developer keys with an offline key (or keys, TUF uses threshold signatures everywhere). At this point, these packages move from "unclaimed" to "claimed", and become what TUF calls a "delegated target": the developers, not the packaging system, become the source of truth for that particular package. For more information, I suggest you read their paper "Survivable Key Compromise In Software Update Systems": http://freehaven.net/~arma/tuf-ccs2010.pdf I think a system like TUF can easily be retrofitted to Cargo as it exists today. There are a few changes I might recommend before you try to add TUF, but I think you're off to a good start. However, if you did want to use something like TUF, it does figure into the overall AuthZ model of the system. There are a number of outstanding AuthZ issues / suggestions like #48 and #58. If you do want to integrate a system like TUF where developers manage their own keys, it will definitely influence whatever AuthZ model you adopt, because TUF moves things like authorization and integrity partly to the client. I worked on adding TUF to RubyGems at one point and liked it, although we never finished. The people behind it worked on adding it to PyPI, and were very helpful with our efforts to add it to RubyGems.

There's also a tracking issue for a potential integration with Sigstore, which is currently being explored by RubyGems:

github.com/sigstore/community

Cargo signing

opened 09:16AM - 08 May 21 UTC

lukehinds

Creating this issue to start gathering thoughts on crates sigstore signing. …## Current Status Cargo performs no signing verification of crates at present. Users running the `cargo install` command will download unsigned code which will be compiled and executed. There has been discussions around using TUF, but progress is arguably very slow, as its been in discussion for over 5 years now [0] / [1]. In thread [0] there appears to be a preference for a TUF based CA / PKI: **_"So, my vote is for a centrally managed PKI, and more specifically for TUF."_** A pull request was made to sign registry index commits [2], was never merged and discussion has moved to this issue [3]. Discussions there have dried up (last comment was late last year). Two sigstore community folks @trishankatdatadog and @joshuagl comment on a document produced here at [4] which supports what we all believe, TUF + TLOGS is a "belt and braces" approach and they compliment each other. I know @SantiagoTorres has looked at this before. [0] https://github.com/rust-lang/crates.io/issues/75 [1] https://www.reddit.com/r/rust/comments/6qjpzf/could_the_security_of_cargo_and_the_crates_system/ [2] https://github.com/rust-lang/rfcs/pull/2474 [3] https://github.com/rust-lang/cargo/issues/4768 [4] https://ssl.engineering.nyu.edu/blog/2020-02-03-transparent-logs

Note however that the Cargo team is overwhelmed with open PRs as there aren't enough reviewers for those PRs:

It would probably make sense to explore any of these integrations via a 3rd party tool, prototyping and proving them out in a way which doesn't require direct integration with Cargo or crates.io, and exploring a potential direct integration with Cargo as a next step.

system · July 3, 2022, 4:31pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Tracking unmaintained crates using RustSec cargo	13	1741	September 6, 2019
Abandoned crates community	16	5336	March 25, 2019
Crates.io squatting tools and infrastructure	163	16596	April 18, 2019
[pre-RFC] Security advisories as part of crates.io metadata cargo	30	4206	March 25, 2019
Handling End-of-life of a version tools and infrastructure	5	1436	March 25, 2019

About release dead code crates

Related Topics