logo

blog

My website can't be that messy, right? git clone https://hacktivis.me/git/blog.git
commit: c28c17a1a13fd13025a836751f2beb1616a809f4
parent 0cd631596665d00b66a15745ed6c4555668ec773
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Sat, 29 Jul 2023 09:41:00 +0200

notes/rust-issues.xhtml: New


Diffstat:


Anotes/rust-issues.xhtml33+++++++++++++++++++++++++++++++++


1 file changed, 33 insertions(+), 0 deletions(-)

diff --git a/notes/rust-issues.xhtml b/notes/rust-issues.xhtml
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml">
+	<head>
+<!--#include file="/templates/head.shtml" -->
+		<title>Rust issues — lanodan’s cyber-home</title>
+	</head>
+	<body>
+<!--#include file="/templates/en/nav.shtml" -->
+	<main>
+		<h1>Rust issues</h1>
+		<h2>Library Management</h2>
+		<p>You cannot install rust libraries (be it source code like with Go and NodeJS, or binaries like with C) in your system, meaning vendored dependencies for applications.</p>
+		<ul>
+			<li>Need to apply modifications on a system/popular library? Or upgrade it? Prepare for per-application patching. (good luck with security)</li>
+			<li>Need to audit your system? You're going to have to review multiple versions of the same libraries multiple times.</li>
+			<li>A library is broken or upstream gave up, fork it and replace it in your system? Nope.</li>
+		</ul>
+		<p>
+			This is why I think Rust is completely a net-negative for holistic security and software freedom.
+			You can get a better security track record for your own little code in your application than in C++, but not for the actual entire application and even less the whole OS.
+			See <a href="https://en.wikipedia.org/wiki/Log4shell">log4shell</a> if you want a recent example of a massive failure in a safety-oriented language (Java), that we're absolutely going to get in other languages unless people think about systems as a whole (like a separated logging daemon).
+		</p>
+
+		<h2>Bootstrapping Rustc / Cargo</h2>
+		<p>See <a href="https://hacktivis.me/notes/bootstrapping#rust">Bootstrapping § Rust</a>.</p>
+		<p>
+			Would also add that Cargo having a whole bunch of dependencies that rely on fetching code directly from the internet is really scary.
+			For example it depends on libgit2, which had repeated Remote Code Executions vulnerabilities (CVE-2019-1352, CVE-2019-1353, CVE-2020-12278, CVE-2020-12279, …) and I think is likely to get more in the future unless it changed it's design.
+		</p>
+	</main>
+<!--#include file="/templates/en/footer.shtml" -->
+	</body>
+</html>