    svartalf
    @svartalf
    @dbrgn thanks :)
    svartalf
    @svartalf
    I hope it would make people a bit more aware of security issues and the fact that CI does not end with the "okay, it builds" step
    simlay
    @simlay
    Hi, if a crate's repo on GitHub gets archived by the owner, would it be appropriate to file an advisory PR for the unmaintained attribute?
    simlay
    @simlay
    https://github.com/maidsafe/crust is the repo and crate in mind. Maybe it got moved to GitLab or something but the crate didn't get edited or republished.
    Tony Arcieri
    @tarcieri
    @simlay sure, particularly if there are alternative crates which provide equivalent functionality you'd like to recommend current users switch to
    simlay
    @simlay
    I wish I had some more alternatives on the matter. I was actually exploring the topic of "peer-to-peer" communication and the crust crate claimed to do this nearly out of the box with some "security" built in.
    Anyway, I'll submit a PR about it being unmaintained.
    Tony Arcieri
    @tarcieri
    perhaps libp2p?
    Danilo Bargen
    @dbrgn
    hi. a stack overflow in a parsing library is a potential DoS source but nothing critical (in Rust), right?
    so, a regular github bug report + maybe a RUSTSEC advisory, right?
    Tony Arcieri
    @tarcieri
    if there’s remote DoS via stack overflow in Prost I think that’s worth an advisory
    Tony Arcieri
    @tarcieri
    @dbrgn worse, stack overflow is a soundness violation on e.g. ARM rust-lang/rust#43241
    so it’s memory corruption / potential RCE :grimacing:
    Danilo Bargen
    @dbrgn
    good point!
    by the way, should "undefined behavior" be a separate advisory category, since it could or could not lead to memory corruption / RCE?
    Tony Arcieri
    @tarcieri
    yeah. I mean ideally we’d move to the CWE categories, but I haven’t had time to make a crate for it
    svartalf
    @svartalf
    Hey! Is there any "yanked" warnings in the advisory db I could test on?
    Tony Arcieri
    @tarcieri
    @svartalf I used prost 6.0.0 in the example image
    there was a recently yanked version of the log crate
    it’s more or less pick any yanked crate and put it in your Cargo.lock
    svartalf
    @svartalf
    @tarcieri aha, rustsec is smart, okay :) I thought that there should be an advisory for that
    Tony Arcieri
    @tarcieri
    yeah, it uses crates-index to check the crates.io index
    svartalf
    @svartalf
    Alright, thanks. I have almost finished fixing the audit-check action and it is time to test now
    Tony Arcieri
    @tarcieri
    nice
    Tony Arcieri
    @tarcieri
    awesome
    Tony Arcieri
    @tarcieri
    @dbrgn heh yeah, I think that may have been the first unmaintained crate advisory
    err I guess I was scrolled way up
    thanks Gitter Desktop
    Danilo Bargen
    @dbrgn
    Gitter is a bit awkward to use sometimes. Some Rust projects like crev and Rust Embedded use Matrix. It's not perfect, but so far it has worked quite well. Maybe that would be an option?
    Tony Arcieri
    @tarcieri
    @dbrgn there’s a secure code WG group on Zulip
    I’m not a super big fan of Zulip, but it exists...
    a bunch of the domain working groups are on one of the two Rust discords, heh
    I’m on Matrix for the Embedded WG
    so many chat apps
    Danilo Bargen
    @dbrgn
    Yep... I'm also on Telegram and Slack and Discord and on two Mattermost instances and on Threema (I work there, so that's a given).
    For open source communities Matrix isn't too bad as an IRC successor, since the protocol itself is open and it can be used from different clients. That's not the case with most of the other systems like Gitter, Discord or Zulip. But I understand why Rust is using Discord (since you can create grouped channels).
    Tony Arcieri
    @tarcieri
    I’ll care about the multi-client support when Seaglass is actually usable :stuck_out_tongue:
    I’m an early Matrix user and I like what they’re trying to do. I have a few things located there too
    the E2EE UX is unusably bad though
    Danilo Bargen
    @dbrgn
    Agreed. E2EE as an afterthought does not work well. I was highly sceptical when they announced that they'd "add encryption later".
    E2EE + multi-device is a huge, mostly unsolved problem. A single long-lived key is good for UX and for authentication but risky. Device keys are bad for UX and for authentication, since nobody will bother to authenticate.
    That's why I view Matrix as a public chat network like IRC, then it's ok-ish :)
    I'm currently using Riot on desktop and miniVector on Android. I tried Fractal a while ago, but it was still a bit buggy and missed a few features.
    Danilo Bargen
    @dbrgn
    Would someone here (e.g. @tarcieri) be interested in holding a 15-30 minute talk about a rustsec related topic (e.g. cargo-audit and the rustsec advisories) at a virtual Rust Zürich meetup, together with another speaker who talks about cargo-crev?
    (haha, "cargo-audit and the rustsec advisories" sounds like the name of a blues band...)
    Tony Arcieri
    @tarcieri
    :thumbsup:
    Danilo Bargen
    @dbrgn
    The meetup with @tarcieri and @chrysn will take place in 8 days: https://www.meetup.com/Rust-Zurich/events/270169298/