this post was submitted on 19 Aug 2023
55 points (96.6% liked)

Rust

6028 readers
1 users here now

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

[email protected]

Credits

  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

founded 1 year ago
MODERATORS
top 4 comments
sorted by: hot top controversial new old
[–] thesmokingman 33 points 1 year ago

Lander’s take at the end highlights a key gap in their security knowledge: while I might not necessarily read every line in package, I am able to audit every line. Since I am able to audit, I can use tools to do some parsing of every line to identify potential problems (CVE analysis is a thing) and gain some modicum of confidence. I cannot audit a binary without serious effort in via decompilation and similar resource-intensive processes.

Security is not about preventing everything by knowing everything. It’s about picking the path that gives both reasonable confidence that things will not go wrong and strong confidence that we can improve when things go wrong (because they will go wrong). Lander assumes security is about the former while ignoring the latter.

[–] kogasa 14 points 1 year ago* (last edited 1 year ago)

Seems the precompiled binary isn't reproducible. It seems odd that they would even consider this option without figuring that out first.

I don't like the comparisons to Moq. The issue with Moq was the use of a precompiled binary explicitly designed to exfiltrate PII. That's not fixable. It's inherently malicious. This is an implementation detail that will run afoul of security policies and break build systems, but it can be fixed.

[–] CameronDev 3 points 1 year ago (1 children)

Perhaps I missed it in the article/GitHub issue, but what was the reason for the change? Something something compile times??

[–] grinde 5 points 1 year ago* (last edited 1 year ago)

Yup. The binary is precompiled proc macros. Should save a negligible amount of time...