rust-issues.xhtml (3459B)
- <!DOCTYPE html>
 - <html xmlns="http://www.w3.org/1999/xhtml">
 - <head>
 - <!--#include file="/templates/head.shtml" -->
 - <title>Rust issues — lanodan’s cyber-home</title>
 - </head>
 - <body>
 - <!--#include file="/templates/en/nav.shtml" -->
 - <main>
 - <h1>Rust issues</h1>
 - <h2>Library Management</h2>
 - <p>You cannot install Rust libraries system-wide (be it as source code, like with Go and NodeJS, or as binaries, like with C), which means every application vendors its own copies of its dependencies.</p>
 - <ul>
 - <li>Need to apply modifications to a system-wide or popular library, or upgrade it? Prepare for per-application patching (good luck with security).</li>
 - <li>Need to audit your system? You're going to have to review multiple versions of the same library, once per application that vendors it.</li>
 - <li>A library is broken or upstream gave up? Forking it and replacing it system-wide isn't an option.</li>
 - </ul>
 - <p>
 - This is why I think Rust is a complete net-negative for holistic security and software freedom.
 - You can get a better security track record for your own little bit of code in your application than in C++, but not for the entire application, and even less for the whole OS.
 - See <a href="https://en.wikipedia.org/wiki/Log4shell">Log4Shell</a> if you want a recent example of a massive failure in a safety-oriented language (Java), one that we're absolutely going to get in other languages unless people think about systems as a whole (like a separate logging daemon).
 - </p>
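<p>The audit point above (the same library vendored in several versions, each needing its own review) can be checked mechanically. The following is an added example, not code from this page or from the Rust project: it reads the <code>[[package]]</code> tables of a <code>Cargo.lock</code> with a small line-oriented parser and reports crates pinned at more than one version. The lockfile text, crate names and checksums are constructed for the example.</p>

```python
from collections import defaultdict

# Constructed Cargo.lock excerpt (not from any real project). A single
# application's lockfile already pins two versions of "libfoo"; with vendoring,
# every application on the system carries its own file like this.
SAMPLE_LOCKFILE = """\
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "libbar",
 "libfoo 2.0.1",
]

[[package]]
name = "libbar"
version = "0.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
dependencies = [
 "libfoo 1.3.0",
]

[[package]]
name = "libfoo"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111111111111111111111111111111111111111111111111111111111111111"

[[package]]
name = "libfoo"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222222222222222222222222222222222222222222222222222222222222222"
"""


def parse_lockfile(text):
    """Minimal reader for the [[package]] tables of a Cargo.lock.

    Only single-line `key = "value"` fields are collected; the multi-line
    `dependencies = [...]` arrays are skipped, since the audit below only
    needs name, version and source.
    """
    packages = []
    current = None
    in_array = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_array:
            if line.endswith("]"):
                in_array = False
            continue
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None and " = " in line:
            key, _, value = line.partition(" = ")
            if value.startswith("[") and not value.endswith("]"):
                in_array = True  # start of a multi-line array; skip its body
            elif value.startswith('"') and value.endswith('"'):
                current[key] = value[1:-1]
    return packages


def duplicate_versions(packages):
    """Map crate name -> sorted list of versions, for crates pinned more than once."""
    versions = defaultdict(set)
    for pkg in packages:
        versions[pkg["name"]].add(pkg["version"])
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def registry_packages(packages):
    """Packages fetched from a registry (as opposed to the workspace's own crates)."""
    return [p for p in packages if p.get("source", "").startswith("registry+")]


if __name__ == "__main__":
    pkgs = parse_lockfile(SAMPLE_LOCKFILE)
    print(f"{len(registry_packages(pkgs))} registry crates resolved")
    for name, versions in duplicate_versions(pkgs).items():
        print(f"{name}: {len(versions)} versions to review: {', '.join(versions)}")
```

<p>Run against every vendored lockfile on a system, the duplicates map is the list of crate versions an auditor has to review separately, and a crate with a known issue has to be looked up in each of them rather than once in a shared system library.</p>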
 - <h2>Bootstrapping Rustc / Cargo</h2>
 - <p>See <a href="https://hacktivis.me/notes/bootstrapping#rust">Bootstrapping § Rust</a>.</p>
 - <p>
 - I would also add that Cargo having a whole bunch of dependencies that rely on fetching code directly from the internet is really scary.
 - For example it depends on libgit2, which has had repeated remote code execution vulnerabilities (CVE-2019-1352, CVE-2019-1353, CVE-2020-12278, CVE-2020-12279, …) and which I think is likely to get more in the future unless its design changes.
 - </p>
 - <h2><code>serde-rs</code> fiasco</h2>
 - <p>
 - <a href="https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/">Ended up bundling binaries</a> due to how slow Rust compilation can be, and of course without any way to rebuild them from source. This got fixed later with <a href="https://github.com/serde-rs/serde/pull/2590">Phase out precompiled #2590</a>.<br />
 - This is what intentionally throwing distros away gets you into.
 - </p>
 - <h2>Abandoned <code>async-tar</code> gets a vulnerability, fix status gets lost in fork-ception</h2>
 - <p>
 - It even managed to break the Python <code>uv</code> packager:
 - <a href="https://www.theregister.com/2025/10/22/vulnerable_rust_crate/">Forking confusing: Vulnerable Rust crate exposes uv Python packager</a>
 - </p>
 - <h2>Extra: Crates.io outage due to bad URL mangling</h2>
 - <p>
 - <a href="https://blog.rust-lang.org/inside-rust/2023/07/21/crates-io-postmortem.html">crates.io Postmortem: Broken Crate Downloads</a>
 - </p>
 - <p>The real bug is building URLs in your application code with string formatting. URLs are a structure, so they should be properly encoded and decoded as such, regardless of them being somewhat text-based. There's prior art for this in <a href="https://hexdocs.pm/elixir/1.15.4/URI.html#__struct__/0">Elixir</a> and <a href="https://docs.harelang.org/net/uri">Hare</a>.</p>
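<p>To make the "URLs are a structure" point concrete, here is an added example (not from this page, and not a reconstruction of the crates.io incident) contrasting a string-formatted download URL with one built from encoded components using Python's <code>urllib.parse</code>. The registry host, crate name and version values are constructed; a version carrying semver build metadata (<code>+</code>) and a name containing a path separator show how the two approaches diverge once the URL is parsed back.</p>

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit, urlunsplit

HOST = "registry.example.invalid"  # constructed, not a real registry


def naive_download_url(name, version):
    """String formatting: whatever is in name/version lands in the URL verbatim."""
    return f"https://{HOST}/api/v1/crates/{name}/{version}/download?version={version}"


def structured_download_url(name, version):
    """Treat the URL as a structure: encode each path segment and query value,
    then assemble with urlunsplit. safe="" also encodes "/" so a value can never
    add or remove path segments."""
    segments = ["api", "v1", "crates", quote(name, safe=""), quote(version, safe=""), "download"]
    query = urlencode({"version": version})
    return urlunsplit(("https", HOST, "/" + "/".join(segments), query, ""))


def decode_request(url):
    """What a server sees after parsing: decoded path segments and query params."""
    parts = urlsplit(url)
    segments = [unquote(s) for s in parts.path.split("/")[1:]]
    params = parse_qs(parts.query)
    return segments, params


def round_trips(builder, name, version):
    """True if the server recovers exactly the name and version the client meant."""
    segments, params = decode_request(builder(name, version))
    return segments == ["api", "v1", "crates", name, version, "download"] and params.get("version") == [version]


if __name__ == "__main__":
    for name, version in [("serde", "1.0.0+build.1"), ("../admin", "1.0.0")]:
        for builder in (naive_download_url, structured_download_url):
            url = builder(name, version)
            print(builder.__name__, url, "->", decode_request(url), "ok" if round_trips(builder, name, version) else "MANGLED")
```

<p>With the naive builder, the <code>+</code> in the query string is decoded as a space by <code>parse_qs</code>, so the server looks for version <code>1.0.0 build.1</code>, and a name containing <code>/</code> becomes two path segments. The structured builder percent-encodes both, so parsing gives back exactly what was put in; the encoding and decoding are symmetric because both sides treat the URL as components rather than as text.</p>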
 - </main>
 - <!--#include file="/templates/en/footer.shtml" -->
 - </body>
 - </html>