napkin-math VS rustsec

Most production storage systems/databases built on top of S3 spend a significant amount of effort building an SSD/memory caching tier to make them performant enough for production (e.g. on top of RocksDB). But it's not easy to keep it in sync with blob...

Even with the cache, the cold query latency lower-bound to S3 is subject to ~50ms roundtrips [0]. To build a performant system, you have to tightly control roundtrips. S3 Express changes that equation dramatically, as S3 Express approaches HDD random read speeds (single-digit ms), so we can build production systems that don't need an SSD cache—just the zero-copy, deserialized in-memory cache.

Many systems will probably continue to have an SSD cache (~100 us random reads), but now MVPs can be built without it, and cold query latency goes down dramatically. That's a big deal

We're currently building a vector database on top of object storage, so this is extremely timely for us... I hope GCS ships this ASAP. [1]

[0]: https://github.com/sirupsen/napkin-math

Trying to estimate performance using some napkin math based on this: https://github.com/sirupsen/napkin-math

So napkin maths time. Typical cross-world bog-standard network speeds for a single TCP channel of ~25MiBps. A single HEADERS+RST pair is likely < 128 bytes (40 for the HEADERS + whatever payload, and 32 for the RST). So 8 pairs per K, 8K pairs per MiB, 200K pairs per 25MiB...

Yes, sequential I/O bandwidth is closing the gap to memory. [1] The I/O pattern to watch out for, and the biggest reason why e.g. databases do careful caching to memory, is that _random_ I/O is still dreadfully slow. I/O bandwidth is brilliant, but latency is still disappointing compared to memory.

[1]: https://github.com/sirupsen/napkin-math

https://github.com/sirupsen/napkin-math (memorize these)

cargo-audit is a simple Cargo tool for detecting vulnerable Rust crates. You can install it with cargo install cargo-audit, use cargo audit and you’re done! Any vulnerable crates will appear below, like so:

Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.

Yeah your decade old single header libs get so many audits by comparison.

https://github.com/RustSec/rustsec/tree/main/cargo-audit

https://mozilla.github.io/cargo-vet/

cargo is not npm

PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead

Historically, such serious bugs get communicated broadly and addressed very quickly via security advisory blog posts and on https://rustsec.org.

For known vulnerabilities we have the rustsec vulnerability database. You could have a look over there for inspiration. There's also the related cargo-audit for checking dependencies for known vulnerabilities.

Would be cool if this was also reported to https://rustsec.org/ that way cargo audit could pick up and alert the users about it.

P.S. I also made scanning binaries 5x faster in the latest release of cargo audit.

Thanks to cargo and the community, project maintenance is straightforward in rust. You'll need to install cargo-outdated and cargo-audit:

Use the automated tools to assist you in the maintenance of your projects: rustfmt, clippy, cargo update, cargo outdated and cargo-audit.