boringssl
tokio
| | boringssl | tokio |
|---|---|---|
| Mentions | 10 | 196 |
| Stars | 1,719 | 24,677 |
| Growth | 3.4% | 2.8% |
| Activity | 6.5 | 9.5 |
| Last commit | 5 days ago | 3 days ago |
| Language | C | Rust |
| License | GNU General Public License v3.0 or later | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
boringssl
- New vulnerabilities (CVE-2022-3602 and CVE-2022-3786) in OpenSSL, how they affect IoT and RTOS Devices.
I have nothing constructive to add except that OpenSSL has a long history of producing vulnerabilities so much so that Google has created their own fork publicly available here: https://boringssl.googlesource.com/boringssl/ (used in chromium, chrome, and android).
- OpenSSL added new C parser code [...] without doing any basic security testing
> Large web companies like Google implement their own encryption stack anyway.
Google uses BoringSSL[1], which is another OpenSSL fork. I believe AWS uses a mix of OpenSSL and BoringSSL (someone can correct me!).
So it's "their own encryption stack," but that stack is at least originally comprised of OpenSSL's code. They've probably done an admirable job of refactoring it, but API and ABI constraints still apply (it's very hard to change the massive body of existing code that assumes OpenSSL's APIs).
[1]: https://boringssl.googlesource.com/boringssl/
- CVE-2022-3786 and CVE-2022-3602: X.509 Email Address Buffer Overflows
OpenSSL gets plenty of funding but we need to put more funding into TLS implementations that have a bigger focus on security and stability like boringssl, nss, go's tls, and rustls. It's 2022 and we have both languages better suited for this and tools to make existing languages safer and more robust; it's incredible to me that we aren't even more anxious over the current state of openssl.
- BearSSL: A smaller SSL/TLS library
It was not built for chromium AFAIK
To quote: https://boringssl.googlesource.com/boringssl/
> BoringSSL arose because Google used OpenSSL for many years in various ways and, over time, built up a large number of patches that were maintained while tracking upstream OpenSSL. As Google's product portfolio became more complex, more copies of OpenSSL sprung up and the effort involved in maintaining all these patches in multiple places was growing steadily.
>
> Currently BoringSSL is the SSL library in Chrome/Chromium, Android (but it's not part of the NDK) and a number of other apps/programs.
- OpenSSL Security Advisory for CVE-2022-0778
- I think a major issue with the rust ecosystem is that it's full of unexpected design decisions
Use Google's fork of OpenSSL which exists because Google likes to do its own weird things sometimes. This doesn't say anything about "OpenSSL is considered dangerous", it says "This allows us to mostly avoid compromises in the name of compatibility. It works for us, but it may not work for you."
- Information and learning resources for cryptography newcomers
- OpenSSL Security Advisory (14 December 2021)
And this is why projects like https://boringssl.googlesource.com/boringssl/ exist
- U.S. Telecoms Are Going to Start Physically Removing Huawei Gear
The immediate effect of Heartbleed was the OpenBSD folk [1] and Google [2] forking OpenSSL.
There's a talk from Bob Beck of OpenBSD on pruning OpenSSL, it's pretty hilarious [3].
In that case open source was at least able to react appropriately, even if it didn't act preemptively.
[1]: https://www.libressl.org
[2]: https://boringssl.googlesource.com/boringssl/
[3]: https://www.youtube.com/watch?v=GnBbhXBDmwU
- Cloudflare: Warp for Linux and Proxy Mode
I doubt the reference to Musk's brand is intentional. It's more likely that it's a reference/homage to BoringSSL (https://github.com/google/boringssl) and "boring tech" in general that is purposefully designed to be minimalist, simple to use, and narrow in scope.
tokio
- On Implementation of Distributed Protocols
Being able to control nondeterminism is particularly useful for testing and debugging. This allows creating reproducible test environments, as well as discrete-event simulation for faster-than-real-time simulation of time delays. For example, Cardano uses a simulation environment for the IO monad that closely follows core Haskell packages; Sui has a simulator based on madsim that provides an API-compatible replacement for the Tokio runtime and intercepts various POSIX API calls in order to enforce determinism. Both allow running the same code in production as in the simulator for testing.
- I pre-released my project "json-responder" written in Rust
tokio / hyper / toml / serde / serde_json / json5 / console
- Cryptoflow: Building a secure and scalable system with Axum and SvelteKit - Part 0
tokio - An asynchronous runtime for Rust
- Top 10 Rusty Repositories for you to start your Open Source Journey
3. Tokio
- API Gateway, Lambda, DynamoDB and Rust
The AWS SDK makes use of the async capabilities in the Tokio library. So when you see async in front of a fn, that function is capable of executing asynchronously.
- The More You Gno: Gno.land Monthly Updates - 6
Petar is also looking at implementing concurrency the way it is in Go to have a fully functional virtual machine as it is in the spec. This would likely attract more external contributors to developing the VM. One advantage of Rust is that, with the concurrency model, there is already an extensive library called Tokio which he can use. Petar stresses that this isn’t easy, but he believes it’s achievable, at least as a research topic around determinism and concurrency.
- Consuming an SQS Event with Lambda and Rust
Another thing to point out is that async is a thing in Rust. I'm not going to begin to dive into this paradigm in this article, but know it's handled by the awesome Tokio framework.
- netcrab: a networking tool
So I started by using Tokio, a popular async runtime. The docs and samples helped me get a simple outbound TCP connection working. The Rust async book also had a lot of good explanations, both practical and digging into the details of what a runtime does.
- Thread-per-Core
Regarding the quote:
> The Original Sin of Rust async programming is making it multi-threaded by default. If premature optimization is the root of all evil, this is the mother of all premature optimizations, and it curses all your code with the unholy Send + 'static, or worse yet Send + Sync + 'static, which just kills all the joy of actually writing Rust.
Agree about the melodramatic tone. I also don't think removing the Send + Sync really makes that big a difference. It's the 'static that bothers me the most. I want scoped concurrency. Something like <https://github.com/tokio-rs/tokio/issues/2596>.
Another thing I really hate about Rust async right now is the poor instrumentation. I'm having a production problem at work right now in which some tasks just get stuck. I wish I could do the equivalent of `gdb; thread apply all bt`. Looking forward to <https://github.com/tokio-rs/tokio/issues/5638> landing at least. It exists right now but is experimental and in my experience sometimes panics. I'm actually writing a PR today to at least use the experimental version on SIGTERM to see what's going on, on the theory that if it crashes oh well, we're shutting down anyway.
Neither of these complaints would be addressed by taking away work stealing. In fact, I could keep going down my list, and taking away work stealing wouldn't really help with much of anything.
- PHP-Tokio – Use any async Rust library from PHP
The PHP <-> Rust bindings are provided by https://github.com/Nicelocal/ext-php-rs/ (our fork of https://github.com/davidcole1340/ext-php-rs with a bunch of UX improvements :).
php-tokio integrates the https://revolt.run event loop with the https://tokio.rs event loop; async functionality is provided by the two event loops, in combination with PHP fibers through revolt's suspension API (I could've directly used the PHP Fiber API to provide coroutine suspension, but it was a tad easier with revolt's suspension API (https://revolt.run/fibers), since it also handles the base case of suspension in the main fiber).
What are some alternatives?
OpenSSL - TLS/SSL and crypto library
async-std - Async version of the Rust standard library
wolfssl - The wolfSSL library is a small, fast, portable implementation of TLS/SSL for embedded devices to the cloud. wolfSSL supports up to TLS 1.3!
Rocket - A web framework for Rust.
libsodium - A modern, portable, easy to use crypto library.
hyper - An HTTP library for Rust
Tink - Tink is a multi-language, cross-platform, open source library that provides cryptographic APIs that are secure, easy to use correctly, and hard(er) to misuse.
futures-rs - Zero-cost asynchronous programming in Rust
webpki - WebPKI X.509 Certificate Validation in Rust
smol - A small and fast async runtime for Rust
istlsfastyet.com - Is TLS fast yet? Yes, yes it is.
rayon - Rayon: A data parallelism library for Rust