Tags: security, rust, rust-cargo, malware, rust-crates

Is it safe to install Rust crates? Is `crates.io` curated or reviewed for malware?


With Debian and Ubuntu, there is some quality control. With Boost (C++'s main repo), there is significant quality control. Are Rust crates(.io) similar or are they a complete free-for-all? Can anyone upload any code they want under any name that they want?

crates.io's "Security" link sends you to rust-lang.org/policies/security, which just talks about how very important security is to Rust.


Solution

  • It's not safe by default. Lib.rs is integrated with review systems, though. If you check a crate, there will be an Audit button, leading to the reviews list.