    Danilo Bargen
    @dbrgn
    Hi @tarcieri! First of all, thanks for maintaining rustsec crates!
    I use cargo-audit as a step in almost all my Rust CI builds. Unfortunately, several of my builds broke recently. The reason is that the platforms crate started using nested import syntax: https://github.com/RustSec/platforms-crate/blob/master/src/platform/req.rs#L4
    Travis currently tests stable/beta/nightly, so this won't get caught. Would you be open to a "minimally supported Rust version" policy in your crate? What I usually do is specify that version in the README and add a CI test target for that version. Depending on how strict you want to be, you can then increment the minor or the major version whenever the minimally required Rust version changes, and declare that change in your changelog.
    Tony Arcieri
    @tarcieri
    @dbrgn absolutely. What do you happen to be using? We can start there :wink:
    Danilo Bargen
    @dbrgn

    @tarcieri sorry, only saw your reply now. gitter isn't great about notifications.

    I'll try to create a pull request by next week with what I suggested above :)

    Tony Arcieri
    @tarcieri
    @dbrgn I think the ship may have sailed on nested import syntax. Gonna switch out some dependencies, and I'm afraid that will probably be required at this point
    but I could call, say, 1.27 the minimum
    Danilo Bargen
    @dbrgn
    Yeah, that would already be an improvement :)
    Konrad Borowski
    @KonradBorowski_gitlab
    Didn't realize this gitter room existed.
    I'm assuming an abort (not a panic, you cannot catch unwind for aborts) in a library is a vulnerability?
    @tarcieri
    Konrad Borowski
    @KonradBorowski_gitlab
    by the way, i requested a CVE number for two pull requests I made, but I think it will take them a while to respond, so I submitted a vulnerability without CVE numbers for now
    Tony Arcieri
    @tarcieri
    @KonradBorowski_gitlab ohai... I think they're worth including
    Konrad Borowski
    @KonradBorowski_gitlab
    "I would include DoS issues that crash the entire process because you cannot reasonably guard against them in a DoS-critical application."
    oh, okay, so it's fine according to rustsec guidelines
    Tony Arcieri
    @tarcieri
    yeah
    Konrad Borowski
    @KonradBorowski_gitlab
    i submitted two pull requests by the way, feel free to review them
    Tony Arcieri
    @tarcieri
    yeah I saw, will review them soon
    Konrad Borowski
    @KonradBorowski_gitlab
    thanks :)
    Konrad Borowski
    @KonradBorowski_gitlab
    but yeah, i think a panic isn't exactly a security issue, annoying sure, but not really a security issue
    rust doesn't really prevent you from panicking, and it's easy to catch unwind in a server application
    so, sure, a HTTP request will return error 500 or whatever, but it won't crash the entire server
    Tony Arcieri
    @tarcieri
    "easy" heh
    but sure
    Konrad Borowski
    @KonradBorowski_gitlab
    it's easy if you aren't using unwinds as flow control
    Tony Arcieri
    @tarcieri
    "easy" if everything is RefUnwindSafe :wink:
    Konrad Borowski
    @KonradBorowski_gitlab
    what isn't ;)?
    Tony Arcieri
    @tarcieri
    anything with interior mutability and bugs :trollface:
    Konrad Borowski
    @KonradBorowski_gitlab
    i would say it's a good practice to avoid mutable state
    Tony Arcieri
    @tarcieri
    that's great until you... want to do I/O, or have a secure channel, heh
    as it were I'm in the midst of refactoring some code so it doesn't have to be RefUnwindSafe
    Konrad Borowski
    @KonradBorowski_gitlab
    if necessary, you can AssertUnwindSafe, implementing UnwindSafe is safe, but you may violate your code invariants
    i think it's a great thing that Rust forces you to think about "will my application be in proper state when a panic occurs somewhere"
    Tony Arcieri
    @tarcieri
    I'm in the process of moving things around so I don't have to lug things across unwind boundaries
    Konrad Borowski
    @KonradBorowski_gitlab
    that's great :)
    Tony Arcieri
    @tarcieri
    and in the process deleting an impl RefUnwindSafe
    msehnout
    @msehnout
    Hi, I work on a project where we are trying to aggregate CVEs for many different languages and ecosystems (like PyPI, NPM, Maven etc.). The current approach works by collecting data from various sources and processing them in various ways, but it has many pitfalls due to the lack of a clear versioning scheme like semver, backporting of fixes to some older versions, etc. Anyway, do you have any plans for an automated way in which the RUSTSEC advisories could be submitted? e.g. some GitHub bot. And, on the other hand, some API/RSS feed for fetching data about the advisories?
    It would be nice if there was a system that could be used across all languages, though I am not sure if that isn't too ambitious.
    Tony Arcieri
    @tarcieri
    @msehnout I've heard rumors GitHub is working on something like that, but no, for now the closest thing would be automating submissions by opening issues via GitHub's API
    msehnout
    @msehnout
    @tarcieri ok, thanks for your response
    Konrad Borowski
    @KonradBorowski_gitlab
    Okay, so I reported a security issue in the yaml crate two months ago (2018-09-25), but I got no response from a maintainer
    i'm not sure how to continue from here
    Tony Arcieri
    @tarcieri
    @KonradBorowski_gitlab you can open a RUSTSEC issue... is there a public issue on the yaml crate?
    Konrad Borowski
    @KonradBorowski_gitlab
    i probably should create one, i only sent an e-mail
    didn't want to make it public
    Tony Arcieri
    @tarcieri
    maybe try following up and giving them 90 days?
    that's more or less the "standard" now... I think mostly from people cargo culting what Project Zero does
    Konrad Borowski
    @KonradBorowski_gitlab
    okay
    leo-lb
    @leo-lb
    hi there, considering that most people are importing dependencies without reading their code and that these can contain build script or procedural macros that can compromise one's computer, I was thinking we should maybe provide a sandboxed offline compilation process by default in Cargo (SELinux, Hyper-V APIs, jail). What is your opinion on such a thing?