
Google Open-Sources Rust Crate Audit Results: Easy for Rust Developers to Verify Third-Party Source Code Security


Many of Google's open-source projects are written in Rust, a modern systems language designed for building reliable and efficient software. Google has published the results of its audits of third-party Rust crates on GitHub, and developers can import those results into their own projects to check that the crates they depend on have the properties the audits attest to.

[Image: source Google Open Source Blog]

The Rust community distributes packages, called crates, through the Crates.io registry: developers publish their own crates there and download crates written by others. All third-party code carries some risk, and how much scrutiny a crate needs depends on where it runs. For code that is only compiled and run on a developer's workstation, it may be enough that the crate contains no actively malicious code and does not violate privacy, exfiltrate data or install malware. Code deployed to clients must meet stricter requirements, such as being free of memory-safety issues, complying with the relevant standards and specifications, and using current cryptography.

For that reason, at the start of a new project the development team typically reviews the source code of each dependency in depth against criteria such as security, correctness and test coverage. When several projects depend on the same crate, the same review is repeated many times over.

To avoid that duplicated effort, Google is publishing its own audit results as open source. Google continuously adds new audits to its supply-chain repository on GitHub and uses cargo vet, a tool for recording and checking audits of third-party crates, to quickly verify that every crate a project uses has been audited to the required level.

Developers can import Google's published audits, which record attributes such as code quality, security and testing requirements, into their own projects and decide whether a given crate meets the project's requirements. Different use cases have different requirements, and cargo vet lets users set the required criteria separately for each dependency.
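As an added example, not taken from the original article or from Google's repository, this is what importing Google's audits into a project's cargo vet configuration looks like. cargo vet keeps its state under a supply-chain/ directory in the project; the config.toml below declares the Google audit feed as an import, sets per-dependency criteria, and records one unaudited crate as an exemption. The crate names my-service, some-tool and serde (and the serde version) are hypothetical; the import URL is the one Google's rust-crate-audits repository publishes for its audits.toml and should be confirmed against that repository's README.

```toml
# supply-chain/config.toml  (added example; crate names and versions are hypothetical)

# Pull in Google's published audits as a peer import. cargo vet fetches the file,
# caches the audits it uses in supply-chain/imports.lock, and treats them as if
# they had been recorded locally.
[imports.google]
url = "https://raw.githubusercontent.com/google/rust-crate-audits/main/audits.toml"

# Policy for the project's own crate: everything it ships must be audited to
# "safe-to-deploy" (no malicious behaviour AND no exploitable memory-safety or
# correctness bugs). safe-to-deploy implies safe-to-run and is cargo vet's
# default requirement for crates that end up in a shipped artifact.
[policy.my-service]
criteria = "safe-to-deploy"
# A build-time tool that never reaches users only has to be "safe-to-run":
# no malware, no data exfiltration, no tampering with the build machine.
dependency-criteria = { some-tool = "safe-to-run" }

# An exemption records a dependency that nobody has audited yet. Each one is a
# known gap in coverage, not an approval; `cargo vet suggest` lists the smallest
# set of reviews that would let the exemption be removed.
[[exemptions.serde]]
version = "1.0.160"
criteria = "safe-to-deploy"
```

With this in place, `cargo vet` (run once after `cargo vet init`) fails when any dependency lacks an audit, imported or local, that satisfies the criteria required of it, and `cargo vet suggest` proposes the reviews that would close the remaining gaps. safe-to-run and safe-to-deploy are cargo vet's two built-in criteria; an imported audits file can define additional, stricter criteria, which is how requirements beyond the built-in ones, such as the client-side requirements described above, are expressed and shared.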

Google's ChromeOS and Fuchsia projects have already contributed crate audits, and other Google projects will be added over time so that more crates are covered. The work is still at an early stage: details of how cargo vet is implemented and how audit sharing works may change later.

In Rust, a crate is the unit of compilation: a tree of modules, together with related resources, that the compiler builds into either an executable binary or a library. Because crates are reusable components, they are used very widely.
