libs-team VS rustsec

In rust, both release and debug builds use a release version of the runtime. The bugs the debug version is meant to catch are much more difficult to hit in rust (often but not always requiring unsafe). There isn't currently a feature to use the debug runtime in rust-- you can only change C to match for those debug builds.

Note that this has been discussed at length (and I do mean "at length") here: https://github.com/rust-lang/libs-team/issues/72

The Compiler Team, especially the Diagnostics Working Group that improves compiler error messages. The Libs Team, for work on the contents of the standard library documentation

See https://github.com/rust-lang/libs-team/issues/72#issuecommen... for what I believe is an exhaustive list of possible ways of helping the situation.

The point is how the MSRV of a popular crate affects this dynamic for other crates. For an even more extreme example than time, see here for libc, with many heavyweights offering opinions: https://github.com/rust-lang/libs-team/issues/72

In case you haven't seen it yet, there is a very long discussion surrounding MSRV policy of the libc crate on rust-langs github repo. It's about a library, not a binary, but I think there's a lot of information in the thread, some of which will also apply to binaries.

Would you mind sharing your use case for being stuck with a particular version of Rust and why you can't upgrade? In particular with the libs team: https://github.com/rust-lang/libs-team/issues/72

Compare Stepanov's brilliant design of the STL to Rust's current reworking of their 'binary search api'. https://github.com/rust-lang/libs-team/issues/81

Maybe 'memory safety' isn't the most important thing in this world. To me, writing software that does useful things in the simplest and most correct way is what matters. I get the feeling it's harder to understand my program's correctness with Rust (I mean algorithmic correctness). The C++ standard library has time and space complexity for every algorithm. I'm not seeing that's the case with Rust (correct me if I'm wrong).

There's also the pretty fundamental libc crate that wants to choose an MSRV policy and you can see the full discussion here: https://github.com/rust-lang/libs-team/issues/72

cargo-audit is a simple Cargo tool for detecting vulnerable Rust crates. You can install it with cargo install cargo-audit, use cargo audit and you’re done! Any vulnerable crates will appear below, like so:

Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.

Yeah your decade old single header libs get so many audits by comparison.

https://github.com/RustSec/rustsec/tree/main/cargo-audit

https://mozilla.github.io/cargo-vet/

cargo is not npm

PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead

Historically, such serious bugs get communicated broadly and addressed very quickly via security advisory blog posts and on https://rustsec.org.

For known vulnerabilities we have the rustsec vulnerability database. You could have a look over there for inspiration. There's also the related cargo-audit for checking dependencies for known vulnerabilities.

Would be cool if this was also reported to https://rustsec.org/ that way cargo audit could pick up and alert the users about it.

P.S. I also made scanning binaries 5x faster in the latest release of cargo audit.

Thanks to cargo and the community, project maintenance is straightforward in rust. You'll need to install cargo-outdated and cargo-audit:

Use the automated tools to assist you in the maintenance of your projects: rustfmt, clippy, cargo update, cargo outdated and cargo-audit.