I’ve been wanting to write rust for quite some time, but I can’t get over crates. The system just seems insecure to me.

You’re not the only one with this concern but it is essentially how modern package management works, not just for Rust but all modern programming languages.

What happens in 10 years when the servers go down?

While I don’t think that would happen, there are ways to avoid this. You can host your own registry and mirror the crates.io crates, if you want.

Is there any sort of mitigation for supply chain attacks?

Whenever you have dependencies, you obviously need to either trust them or vet them. If the package is popular enough and the author is reliable enough, then you can choose to trust it. It really depends on what kind of risk you’re willing to take on.

As I understand it anyone can submit code; what’s stopping someone from putting malicious code into a crate I’ve been using?

In principal nothing. Again, if you have dependencies, you need to vet them. This isn’t really a Rust problem, it’s just a general problem with depending on other people’s code. You would still have this problem even if you manually downloaded external pieces of code from other people instead of via cargo.

In practice, there is a team managing crates.io and I believe they do look for malware or malicious crates (like crates with names very similar to popular crates that attempt to trick people into downloading due to a typo in the name).

But yes, this isn’t really a problem with Rust specifically. I will say that the popular crates in the Rust ecosystem are generally very high quality and I have a fair bit of trust for them myself. Unless you are a big company that needs to carefully vet your dependencies, I wouldn’t worry too much.