Can rustup install a hijacked toolchain from RUSTUP_DIST_SERVER by accident?

Hello everyone, I'm new to Rust.

I've installed the rustup binary itself from a trusted source (the official website), but due to internet restrictions I have to use RUSTUP_DIST_SERVER to download the toolchain (for higher speed). I'd like to know how rustup handles update info and binary downloads from the dist server. I mean, if my rustup binary is trustworthy but I use RUSTUP_DIST_SERVER to download the toolchain, can RUSTUP_DIST_SERVER provide a hijacked toolchain to me?

I've found some signature validation issues on GitHub:

https://github.com/rust-lang/rust/issues/16442
https://github.com/rust-lang/rustup.rs/issues/242
https://github.com/rust-lang/rustup.rs/issues/241
https://github.com/rust-lang/crates.io/issues/75

but I'm not sure which one is related to RUSTUP_DIST_SERVER. Any help?
