Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Software supply chain security in the Rust ecos...
Search
Alexis Mousset
December 04, 2024
Technology
27
0
Share
Software supply chain security in the Rust ecosystem
Paris Rust meetup
December 4th, 2024
Alexis Mousset
December 04, 2024
More Decks by Alexis Mousset
See All by Alexis Mousset
Supply Chain Security in the Rust Ecosystem
amousset
0
70
Designing the future of agent-server communication in RUDDER
amousset
0
60
Other Decks in Technology
See All in Technology
Bref でサービスを運用している話
sgash708
0
220
仕様通り動くの先へ。Claude Codeで「使える」を検証する
gotalab555
3
650
【関西電力KOI×VOLTMIND 生成AIハッカソン】空間AIブレイン ~⼤阪おばちゃんフィジカルAIに続く道~
tanakaseiya
0
140
GitHub Actions侵害 — 相次ぐ事例を振り返り、次なる脅威に備える
flatt_security
13
7.5k
Kubernetesの「隠れメモリ消費」によるNode共倒れと、Request適正化という処方箋
g0xu
0
170
GitHub Advanced Security × Defender for Cloudで開発とSecOpsのサイロを超える: コードとクラウドをつなぐ、開発プラットフォームのセキュリティ
yuriemori
1
130
ASTのGitHub CopilotとCopilot CLIの現在地をお話しします/How AST Operates GitHub Copilot and Copilot CLI
aeonpeople
1
100
GitHub Copilotを極める会 - 開発者のための活用術
findy_eventslides
1
490
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
cybozuinsideout
PRO
10
77k
Oracle Cloud Infrastructure(OCI):Onboarding Session(はじめてのOCI/Oracle Supportご利⽤ガイド)
oracle4engineer
PRO
2
17k
AWSで2番目にリリースされたサービスについてお話しします(諸説あります)
yama3133
0
120
FASTでAIエージェントを作りまくろう!
yukiogawa
4
190
Featured
See All Featured
WENDY [Excerpt]
tessaabrams
9
37k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
287
14k
Being A Developer After 40
akosma
91
590k
A Tale of Four Properties
chriscoyier
163
24k
Self-Hosted WebAssembly Runtime for Runtime-Neutral Checkpoint/Restore in Edge–Cloud Continuum
chikuwait
0
440
Noah Learner - AI + Me: how we built a GSC Bulk Export data pipeline
techseoconnect
PRO
0
160
A designer walks into a library…
pauljervisheath
211
24k
What does AI have to do with Human Rights?
axbom
PRO
1
2.1k
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
minecr
1
220
Stop Working from a Prison Cell
hatefulcrawdad
274
21k
Building an army of robots
kneath
306
46k
Statistics for Hackers
jakevdp
799
230k
Transcript
Software supply chain security in the Rust ecosystem Paris Rust
Meetup #73 December 4th, 2024 amousset
SOFTWARE SUPPLY CHAIN A software supply chain is the components,
libraries, tools, and processes used to develop, build, and publish a software artifact. Wikipedia (I would add the people too)
slsa.dev (Supply-chain Levels for Software Artifacts)
xkcd.com/2347/
RUST awesome cargo tooling + language composability > a lot
of dependencies compiled language, static dependencies > traceability & maintenance issues
WHAT DOES YOUR BINARY INCLUDE? all dependencies all artifacts in
crates (binaries, data, etc.) C libraries built automatically in crates
TOOLING FOR DEPENDENCIES # list people who have # write
access to your artefacts cargo supply-chain # audit and share crate audits cargo vet # look for known vulnerabilities cargo audit cargo deny
TOOLING FOR BUILD # respect Cargo.lock cargo build --locked #
include dependencies in binary cargo auditable build # build a SBOM cargo cyclonedx
WHO WORKS ON IT? Linux Foundation Rust Foundation Google /
Microsoft (GitHub) Specialized companies Rust Secure Code WG / RustSec
FUTURE? Technical improvements Better integration Attestation, etc. Community & FOSS?
THANKS! Alexis Mousset / amousset Rust Secure Code WG /
RustSec lettre email library rudder.io > open-source infra security & automation > open 6 months Rust internship 🦀
amousset
sgash708
gotalab555
tanakaseiya
flatt_security
g0xu
yuriemori
aeonpeople
findy_eventslides
cybozuinsideout
oracle4engineer
yama3133
yukiogawa
tessaabrams
stephaniewalter
akosma
chriscoyier
chikuwait
techseoconnect
pauljervisheath
axbom
minecr
hatefulcrawdad
kneath
jakevdp
