Shulou(Shulou.com)11/24 Report--

CTOnews.com, May 25-many of Google's open source projects use Rust, a modern system language designed to build reliable and efficient software. Google recently opened up the review results of Rust Crate on GitHub, which developers can import into their projects to prove the attributes of the Rust Crate used.

▲ source Google open source blog Rust community has a service called Crates.io that allows developers to publish their own Crate. Developers can also use Crates.io to download and use Crate developed by others. But all third-party code carries certain risk factors. At the local compiler level, the requirements for Crate may only be that it does not contain active malicious code, does not invade privacy, disclose data, or install malware, but the code for client-side deployment needs to meet more stringent requirements, such as ensuring that there are no memory security issues, compliance with a series of standards and specifications, and the use of newer encryption technologies.

Therefore, usually at the beginning of a new project, development team members will conduct a thorough review of the source code according to its security, correctness, testing and other standards, and when several different projects review the same crate, it may lead to duplicate work, so in order to eliminate duplicate work and verify security, Google's internal projects must be thoroughly reviewed before they start using the new Crate.

Third-party developers may waste resources to perform repetitive work when reviewing the Crate used in the project, so Google announced the results of the open source audit to avoid repetitive audit work. Google continuously integrates these audit results into the supply chain repository and uses cargo vet to quickly verify the Crate used by the project.

Developers can import Google open source audit results, including code quality, security and test requirements, into their own projects, and determine whether they meet the project requirements according to these Crate attributes. Different use cases have different requirements, and cargo vet enables users to configure requirements independently for each dependent project.

A few days ago, Google's ChromeOS and Fuchsia projects have contributed Crate audit results, and other Google projects will gradually join, so that more Crate can be covered. This work is still in its early stages, including the operational details of cargo vet implementation and shared audits, and may change later.

CTOnews.com Note: in the Rust programming language, Crate is a compilation unit in Rust. Crate can be compiled into a binary file or library, which contains Rust code and other related resources, and can be compiled into an execution file or function library. Rust makes it easy to encapsulate and share code in Crate. Like software packages in other languages, these Crate are reusable software components and therefore have considerable universality.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.