blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git
commit: 5295534511527f1f5c6c4c2e8ac66c4eff45695c
parent 7d2bf3061d7423389ecce40c293d654a5ed8a827
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Wed, 23 Aug 2023 19:23:51 +0200

notes/rust-issues: serde-rs, ring library

Diffstat:

M notes/rust-issues.xhtml | 14 ++++++++++++++
1 file changed, 14 insertions(+), 0 deletions(-)

diff --git a/notes/rust-issues.xhtml b/notes/rust-issues.xhtml @@ -27,6 +27,20 @@ Would also add that Cargo having a whole bunch of dependencies that rely on fetching code directly from the internet is really scary. For example it depends on libgit2, which had repeated Remote Code Executions vulnerabilities (CVE-2019-1352, CVE-2019-1353, CVE-2020-12278, CVE-2020-12279, …) and I think is likely to get more in the future unless it changed it's design. </p> + + <h2><code>serde-rs</code> fiasco</h2> + <p> + <a href="https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/">Ended up bundling binaries</a> due to how slow Rust compilation can be. And of course without ability to rebuild from source. Got fixed later with <a href="https://github.com/serde-rs/serde/pull/2590">Phase out precompiled #2590</a>.<br /> + This is what intentionally throwing distros away gets you into. + </p> + + <h2><code>ring</code> crypto library</h2> + <ul> + <li><a href="https://lib.rs/crates/ring/versions">No release, stable or alpha, since 2021</a></li> + <li>Used by virtually everything in Rust, it's a dependency of <code>rustls</code> <a href="https://lib.rs/crates/ring/rev">among other things</a></li> + <li>Grabs some C and Assembly code from BoringSSL, which no one except Google should be using as it doesn't have versions nor security notices</li> + <li><code>x86_{32,64}</code> and <code>arm{32,64}</code> only due to it using assembly and released versions not supporting a fallback to portable code. So for other architectures like ppc64, riscv, … you need to mangle the dependency tree to use patches / forks or the latest git.</li> + </ul> </main> <!--#include file="/templates/en/footer.shtml" --> </body>
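Review bot: the first `ring` bullet, "No release, stable or alpha, since 2021", is a time-bound claim with no date attached, so it will silently go stale once a release ships; consider anchoring it with the date the note was written (the commit date, 2023-08-23) or phrasing it as "as of August 2023". In the same list, "Used by virtually everything in Rust" goes further than the linked reverse-dependency page supports; "a dependency of `rustls` and of many other crates" states what the link actually shows. In the `serde-rs` section, "And of course without ability to rebuild from source" would read better as a complete sentence ("The precompiled binary could not be rebuilt from source"), and since the paragraph already says the issue was resolved by #2590, it may be worth noting that the concern was the unreproducible build rather than the compile-time motivation itself.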