Cargo Sherlock
Formally modelling trust in the supply chain of Rust packages.
When you install a package or library from the internet, how do you know that the package is safe to use? How do you know that the package is not vulnerable to any security threats? Mostly, you don't, and most of the time you decide that the package is safe to use because of certain assumptions you make. For instance, you might assume that the package is safe because it has a lot of downloads, or because it is used by a lot of people. This project is an attempt to formally model this "trust" in the supply chain of packages. We implement this for Rust.
It has been submitted to PLDI 2025 and is currently under review. Please check back later for more details.
Fun Fact: This project was originally called "Right Hand Side (RHS)", because when we discussed this for the first time, there were two projects on the board, one on the left side and one on the right side. The one on the left side was called "Left Hand Side (LHS)" and the one on the right side was called "Right Hand Side (RHS)". The name stuck and we decided to keep it. We even debated naming the project Rust Holmes Sherlock to keep the RHS abbreviation.