Analysis

Rust proposal separates fetching from building to tighten security

Cargo can already execute code while it is still “just building,” and a new Rust Internals proposal wants to split fetching from running to make that trust boundary obvious.

Jamie Taylor · 2 min read

Cargo’s smooth one-step workflow is exactly what this proposal takes aim at. A Rust Internals discussion on June 17, 2026 argued that building a project can already execute arbitrary code through build scripts and proc macros, so a plain cargo build is a code-execution step before it ever feels like one.

The core complaint is simple: Rust’s tooling often treats fetching dependencies, inspecting them, and running them as one continuous motion. Cargo documentation says a build.rs file in a package root is compiled and executed just before that package is built. The Rust Reference says procedural macros run during compilation and have the same file and I/O access as the compiler, which puts them in the same security bucket as build scripts. rust-analyzer’s security docs go further, saying it assumes all code is trusted and that proc macros and build scripts can execute arbitrary code by default.


That makes the case for a cleaner split between fetching and building. A fetching-only phase would let developers decide when the network is allowed, when code is allowed to run, and which stage deserves sandboxing. It would also fit real-world Rust workflows better than the current all-in-one model: mirrored registries, offline review, hermetic CI systems, and editor tools that only need metadata could all benefit from a stage that stops short of execution.
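As an added example of what an inspection stage between fetching and building could check, here is a small Rust program written for this article; it is not code from the proposal or from Cargo itself. It applies Cargo’s documented rules for when a package runs code at build time to a set of constructed manifests and file lists: a build.rs in the package root (unless the manifest sets build = false), a custom path in the package’s build key, or a [lib] section with proc-macro = true. The crate names and manifests are made up, and the TOML handling is deliberately minimal and only covers those keys; a real run would read the sources that cargo fetch extracts under $CARGO_HOME/registry/src.

```rust
// Added example: classify fetched crate sources by whether `cargo build`
// would execute code for them (build script or proc macro) before anything
// is compiled. Not part of the Rust Internals proposal or of Cargo; the
// manifests and file lists in `sample()` are constructed for illustration.

#[derive(Debug, PartialEq, Eq)]
pub struct BuildTimeExec {
    pub name: String,
    /// Path of the script Cargo would compile and run, if any.
    pub build_script: Option<String>,
    pub proc_macro: bool,
}

/// Strip a trailing `#` comment and surrounding whitespace from a TOML line.
/// Minimal on purpose: it does not handle `#` inside quoted strings.
fn clean(line: &str) -> &str {
    let no_comment = match line.find('#') {
        Some(i) => &line[..i],
        None => line,
    };
    no_comment.trim()
}

/// Right-hand side of `key = value`, with quotes removed for string values.
fn value_of(line: &str) -> Option<&str> {
    let (_, rhs) = line.split_once('=')?;
    Some(rhs.trim().trim_matches('"'))
}

/// Inspect one fetched crate without compiling it, following Cargo's rules:
/// - `[package] build = "<path>"` names a custom build script;
/// - `[package] build = false` disables one even if build.rs exists;
/// - otherwise a `build.rs` in the package root is compiled and run;
/// - `[lib] proc-macro = true` (or `proc_macro = true`) marks a proc-macro crate.
pub fn inspect(name: &str, manifest: &str, files: &[&str]) -> BuildTimeExec {
    let mut section = String::new();
    let mut build_key: Option<String> = None;
    let mut proc_macro = false;
    for raw in manifest.lines() {
        let line = clean(raw);
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') {
            section = line.trim_matches(|c: char| c == '[' || c == ']').trim().to_string();
            continue;
        }
        let key = line.split('=').next().unwrap_or("").trim();
        match (section.as_str(), key) {
            ("package", "build") => build_key = value_of(line).map(String::from),
            ("lib", "proc-macro") | ("lib", "proc_macro") => {
                proc_macro = value_of(line) == Some("true")
            }
            _ => {}
        }
    }
    let build_script = match build_key.as_deref() {
        Some("false") => None,
        Some(path) => Some(path.to_string()),
        None if files.iter().any(|f| *f == "build.rs") => Some("build.rs".to_string()),
        None => None,
    };
    BuildTimeExec { name: name.to_string(), build_script, proc_macro }
}

/// Crates that will run code during `cargo build`, i.e. the ones to review
/// before the build stage is allowed to start.
pub fn needs_review(crates: &[BuildTimeExec]) -> Vec<String> {
    crates
        .iter()
        .filter(|c| c.build_script.is_some() || c.proc_macro)
        .map(|c| c.name.clone())
        .collect()
}

/// Constructed stand-ins for crates extracted by `cargo fetch` (not real crates).
pub fn sample() -> Vec<BuildTimeExec> {
    vec![
        inspect("plain-lib", "[package]\nname = \"plain-lib\"\nversion = \"0.1.0\"\n",
                &["Cargo.toml", "src/lib.rs"]),
        inspect("sys-bindings", "[package]\nname = \"sys-bindings\"\nversion = \"0.3.0\"\n",
                &["Cargo.toml", "build.rs", "src/lib.rs"]),
        inspect("custom-script", "[package]\nname = \"custom-script\"\nbuild = \"scripts/gen.rs\" # custom path\n",
                &["Cargo.toml", "scripts/gen.rs", "src/lib.rs"]),
        inspect("opted-out", "[package]\nname = \"opted-out\"\nbuild = false\n",
                &["Cargo.toml", "build.rs", "src/lib.rs"]),
        inspect("derive-helper", "[package]\nname = \"derive-helper\"\n\n[lib]\nproc-macro = true\n",
                &["Cargo.toml", "src/lib.rs"]),
    ]
}

fn main() {
    let crates = sample();
    for c in &crates {
        println!("{:<14} build_script={:?} proc_macro={}", c.name, c.build_script, c.proc_macro);
    }
    println!("review before building: {:?}", needs_review(&crates));
}
```

The point of the split is visible in the output: of five fetched packages, three would run code the moment cargo build starts, and the inspection stage can name them before any network access or execution is permitted.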

The security pressure behind that idea is not theoretical. On March 21, 2026, the Rust Security Response Team disclosed CVE-2026-33056, a Cargo vulnerability tied to extracting packages with a vulnerable tar crate that could let a malicious crate change permissions on arbitrary directories. On May 25, 2026, the team disclosed CVE-2026-5222 and CVE-2026-5223, both affecting Cargo and third-party registries. Those incidents sharpen the appeal of separating download, inspection, and build into distinct steps instead of one opaque action.

Rust’s tooling already has pieces that point in that direction. cargo fetch downloads a project’s dependencies without compiling anything, and cargo build --offline refuses to touch the network, so the two halves of the split exist as separate commands even if nothing currently forces a build to pass through them in order. rust-analyzer can be configured to disable build scripts and proc macros (the rust-analyzer.cargo.buildScripts.enable and rust-analyzer.procMacro.enable settings, both on by default), cargo-audit checks Cargo.lock against the RustSec advisory database, and crates.io now surfaces a Security tab with RustSec advisories. The Rust Project Goals for Cargo also mention a prototype of Cargo build analysis and a rework of Cargo’s build directory layout, both of which support a more explicit build pipeline.

The idea of sandboxing build.rs and proc macros is not new either. A 2024 pre-RFC argued for sandboxed, deterministic proc macros and estimated that 99% of macros should be amenable to sandboxing. That long-running thread gives the June 2026 discussion its force: Rust does not need to stop trusting its ecosystem, but it may need to make trust happen in stages instead of all at once.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.
