rust-issues.xhtml (3894B)
- <!DOCTYPE html>
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <!--#include file="/templates/head.shtml" -->
- <title>Rust issues — lanodan’s cyber-home</title>
- </head>
- <body>
- <!--#include file="/templates/en/nav.shtml" -->
- <main>
- <h1>Rust issues</h1>
- <h2>Library Management</h2>
- <p>You cannot install rust libraries (be it source code like with Go and NodeJS, or binaries like with C) in your system, meaning vendored dependencies for applications.</p>
- <ul>
- <li>Need to apply modifications on a system/popular library? Or upgrade it? Prepare for per-application patching. (good luck with security)</li>
- <li>Need to audit your system? You're going to have to review multiple versions of the same libraries multiple times.</li>
- <li>A library is broken or upstream gave up, fork it and replace it in your system? Nope.</li>
- </ul>
- <p>
- This is why I think Rust is completely a net-negative for holistic security and software freedom.
- You can get a better security track record for your own little code in your application than in C++, but not for the actual entire application and even less the whole OS.
- See <a href="https://en.wikipedia.org/wiki/Log4shell">log4shell</a> if you want a recent example of a massive failure in a safety-oriented language (Java), that we're absolutely going to get in other languages unless people think about systems as a whole (like a separated logging daemon).
- </p>
- <h2>Bootstrapping Rustc / Cargo</h2>
- <p>See <a href="https://hacktivis.me/notes/bootstrapping#rust">Bootstrapping § Rust</a>.</p>
- <p>
- Would also add that Cargo having a whole bunch of dependencies that rely on fetching code directly from the internet is really scary.
- For example it depends on libgit2, which had repeated Remote Code Executions vulnerabilities (CVE-2019-1352, CVE-2019-1353, CVE-2020-12278, CVE-2020-12279, …) and I think is likely to get more in the future unless it changed it's design.
- </p>
- <h2><code>serde-rs</code> fiasco</h2>
- <p>
- <a href="https://www.bleepingcomputer.com/news/security/rust-devs-push-back-as-serde-project-ships-precompiled-binaries/">Ended up bundling binaries</a> due to how slow Rust compilation can be. And of course without ability to rebuild from source. Got fixed later with <a href="https://github.com/serde-rs/serde/pull/2590">Phase out precompiled #2590</a>.<br />
- This is what intentionally throwing distros away gets you into.
- </p>
- <h2><code>ring</code> crypto library</h2>
- <ul>
- <li><a href="https://lib.rs/crates/ring/versions">No release, stable or alpha, since 2021</a></li>
- <li>Used by virtually everything in Rust, it's a dependency of <code>rustls</code> <a href="https://lib.rs/crates/ring/rev">among other things</a></li>
- <li>Grabs some C and Assembly code from BoringSSL, which no one except Google should be using as it doesn't have versions nor security notices</li>
- <li><code>x86_{32,64}</code> and <code>arm{32,64}</code> only due to it using assembly and released versions not supporting a fallback to portable code. So for other architectures like ppc64, riscv, … you need to mangle the dependency tree to use patches / forks or the latest git.</li>
- </ul>
- <h2>Extra: Crates.io outage due to bad URL mangling</h2>
- <p>
- <a href="https://blog.rust-lang.org/inside-rust/2023/07/21/crates-io-postmortem.html">crates.io Postmortem: Broken Crate Downloads</a>
- </p>
- <p>The real bug is formatting URLs in the code of your application with string formatting. URLs are a structure, therefore they should be properly encoded and decoded as such regardless of them being somewhat text-based. There's prior art for this in <a href="https://hexdocs.pm/elixir/1.15.4/URI.html#__struct__/0">Elixir</a> and <a href="https://docs.harelang.org/net/uri">Hare</a>.</p>
- </main>
- <!--#include file="/templates/en/footer.shtml" -->
- </body>
- </html>