10 comments

[ 2.5 ms ] story [ 33.8 ms ] thread
Good. I am glad we are getting serious and objective analyses of Rust's core and ecosystem. Surfacing such issues is healthy.

I am still impressed by the (IMO) small amount of issues uncovered. We're talking 43k+ packages and the Rust's stdlib and compiler. Only 76 CVEs! That might sound like a lot but it's definitely, what, 0.0018% compared to the number of packages. That means that for each CVE [that has been resolved and patched] you'll get ~566 packages fixed in one fell swoop.

Super rough estimations, of course, but I am glad that such work exists. I'd love to see even more of it! Rust is a modern fan object (including by myself) but we need less fandom and more facts. Let's have them.

Anybody knows links to other similar works like Rudra?

76 out of 43k sounds suspiciously low considering that there are probably more than a few dozen Rust packages that are just API wrappers around C/C++ libraries. I guess that analyzer stops at the language boundary(?)
Yep. Or, maybe it's the same kinds of detected problems like unsafe blocks that interact with the raw pointers and they weren't done carefully enough.
I think it is also important to remember that most crates are just unused hobby projects nobody cares about anymore, since you can push anything to crates.io.
That is the danger of a tiny standard library and a cascade of dependencies with various levels of quality and supported platforms.
I agree Rust's standard library can definitely be a bit more brave and include more things but calling it tiny is a bit of a stretch, no?
Nope, given that even for basic stuff like better error handling, or async runtime, one needs external crates.
Yeah, seems like some things were a bit rushed (async) because there was a worry about marketing and adoption -- worries that I think most of us will agree should have been lower priority.

But we also know that things to do stdlib to die, right? Python is a famous example; almost every Python dev I know never uses the builtin HTTP client APIs.

So eh, I am okay with having de facto standards in the form of widely accepted libraries.

On a separate note, I had really high hopes for Rust 2021 edition. They had a chance to introduce new syntaxes and address error handling at least but they opted not to do so. Disappointing.

Stdlib works on every platform the language targets, third parties is anyone's guess.

When I have Python installed, I can be 100% sure of what works, regardless how uncool the library might happen to be, so those builtin http client libraries will be used.

This is amazing work. It’s also an unmitigated success for the Rust community, if I’m reading the article correctly.

First, the issues surfaced are all in unsafe blocks, which is the desired state of things.

Second, it’s a testament to how powerful unsafe is in making code safer: I don’t think this sort of static analysis would ever go through the whole of crates.io in 6.5 hours if it had to analyse the complete code base for each package.