Can rustup install hijacked toolchain from RUSTUP_DIST_SERVER by accident?

Hello everyone, I’m new to rust.

I’ve installed rustup binary(itself) from trusted source (official website), but due to internet restriction , I have to use RUSTUP_DIST_SERVER to download toolchain(for higher speed) , but I’d like to know how rustup handle update info and binary download from dist server ? I mean if I my rustup binary is trustable , but I use RUSTUP_DIST_SERVER to download toolchain, can RUSTUP_DIST_SERVER provided hijacked toolchain to me ?

I’ve found some signatures valiatation issue on github

but I’m not sure which one related to RUSTUP_DIST_SERVER. any help ?

1 Like