Talked about this topic here on my blog
https://vincents.dev/blog/rust-dependencies-scare-me/
It sparked some interesting discussion by lots of the rust maintainers
https://news.ycombinator.com/item?id=43935067
A fat std lib will definitely not solve the problem. I am a proponent of the rust foundation taking packages under their wing and having them audited and funded while keeping original maintainers intact
> fat std lib will definitely not solve the problem
fully agree, that was tried and failed severely
- in python there is a saying that the standard library is where packages go to die. It's pretty common to pull in 3rd party libraries for things in python because the built-in version by itself sucks. Whether it's for UX, performance, bug-proneness, feature completeness or even "bad security choices stuck with for backward compatibility reasons", all of these cases have happened.
- in Java "batteries included" has repeatedly been involved in pretty bad security vulnerabilities. Often along the lines of "that niche feature people may not even be aware of was callable through some reflection/dynamic resolution leading to an RCE".
In the end IMHO it's not super relevant if the rust foundation takes packages under their wing or not. What matters is to create verifiable supply trust.
That crates.io is only meant to contain source code already helps, and them only allowing uploading new packages and yanking but not overwriting them also helps.
Though much more is needed.
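The client-side half of the "upload and yank, but never overwrite" property mentioned above is the checksum Cargo pins in Cargo.lock: the SHA-256 of the exact `.crate` archive first resolved, so a later swap of that version's bytes is caught at build time. The following is an added illustration, not code from the thread or from Cargo itself; the Cargo.lock fragment and the crate bytes are constructed, and the parser is a minimal stand-in that only reads the `[[package]]` keys it needs.

```python
import hashlib
import re

# Constructed stand-in for the bytes of a downloaded `<name>-<version>.crate`
# archive. Real archives are tar.gz files; only the byte identity matters here.
GOOD_CRATE = b"tiny-crate-1.0.0 source archive (constructed)"
TAMPERED_CRATE = b"tiny-crate-1.0.0 source archive (constructed) + injected code"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Cargo.lock fragment. For a registry crate the `checksum` field is
# the SHA-256 of the .crate file as it was when the dependency was first locked.
SAMPLE_LOCK = f'''
version = 3

[[package]]
name = "tiny-crate"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "{sha256_hex(GOOD_CRATE)}"

[[package]]
name = "path-only"
version = "0.1.0"
'''

# Matches the three keys we care about at the start of a line inside a table.
PACKAGE_RE = re.compile(r'^\s*(name|version|checksum)\s*=\s*"([^"]*)"', re.M)


def parse_lock(text: str) -> list[dict]:
    """Minimal parser for the [[package]] tables of a Cargo.lock (hypothetical helper)."""
    # The text before the first [[package]] is the lockfile header; skip it.
    return [dict(PACKAGE_RE.findall(block)) for block in text.split("[[package]]")[1:]]


def verify_crate(lock_text: str, name: str, version: str, crate_bytes: bytes) -> str:
    """Compare a downloaded archive against the pinned checksum.

    Returns 'ok', 'mismatch', 'unpinned' (path/git dependency, no registry
    checksum recorded) or 'unknown' (name/version not present in the lockfile).
    """
    for pkg in parse_lock(lock_text):
        if pkg.get("name") == name and pkg.get("version") == version:
            expected = pkg.get("checksum")
            if expected is None:
                return "unpinned"
            return "ok" if sha256_hex(crate_bytes) == expected else "mismatch"
    return "unknown"
```

A registry that never overwrites a published version plus a committed lockfile is what turns "trust the registry" into a check the downstream build can actually perform.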
Go is another example of a fat std lib causing issues, specifically with their crypto code.
I think in general the things people are worried about are
1. Maintainer quits
2. Bad actor becomes new maintainer
3. Bad pr
4. Account compromise
When I say I want the rust foundation to take them under their wing what I really mean is I want the foundation to provide funding and have packages undergo the same procedure as the main language.
If there’s a CVE the foundation should orchestrate reporting and standardize it.
If it becomes abandoned the foundation should handle that.
Basically I want it to be an extension of the standard but not in a way that actually requires it to be so. I just want these packages to have the seal of approval of the foundation so I know that they have a minimum amount of quality and are vetted on the regular by a trusted entity