semver-trick
rustsec
semver-trick | rustsec | |
---|---|---|
15 | 33 | |
414 | 1,524 | |
- | 1.4% | |
2.8 | 9.5 | |
25 days ago | 17 days ago | |
Rust | Rust | |
Apache License 2.0 | GNU General Public License v3.0 or later |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
semver-trick
-
Making Rust supply chain attacks harder with Cackle
Let's say crate B depends on crate A with a pinned dependency, and uses one of its types in a public interface.
Crate C depends on them both. It now can't bring in updates to A until B does, and when B updates that's a breaking change, so it better bump its major version.
Take a look at this teick, for example, for foundational crates updating their major version: https://github.com/dtolnay/semver-trick
Now imagine that being an issue every single patxh update.
-
The module system is too confusing
Rust modules require a tiny bit more definition up-front, but they neatly decouple the module hierarchy from file layout so you can reorganize code however you like in future, and they support very fine grained control of privacy (such as being able to say pub(super) and pub(crate)). In extreme cases, you can even re-export symbols from one module in another without it counting as a breaking change, so you have even more options for evolving your project without breaking existing consumers. Look at the the semver trick as an example of how powerful this can be and how much freedom it gives library implementors. (And even if you're only a library consumer, wouldn't you rather be consuming libraries by implementors that had more freedom and power?)
-
My first year with Rust: The good, the bad, the ugly
A library author concerned about this can use the semver trick. TL;DR: if your current version is 0.42, you can do a 1.0 release, then do a 0.43 release that depends upon your 1.0 release and re-exports all the symbols.
-
Does Rust have any design mistakes?
I mean for all the parts of the standard library that do not change, one could presumably use the semver-trick.
-
Rust is hard, or: The misery of mainstream programming
The semver trick can help with libraries at least when they go to unify the ecosystem. Release new versions that replicate previous APIs in a compatible way while moving to the standard library implementation.
-
Roadmap
Because you still run into the problem that's been seen when various important crates upgraded and either didn't use the semver trick or had downstream crates specifying Cargo.toml version requirements too narrowly for it to be effective.
- The Rust SemVer Trick (2019)
-
This Year in Embedded Rust: 2021 edition
It's called the "semver-trick" [1].
[1]: https://github.com/dtolnay/semver-trick
- The Semver Trick
-
The chip shortage keeps getting worse. Why can't we just make more?
The JVM is 114MiB on my machine. A near-minimal ggez program in debug mode is about 100MiB,¹ and ggez is small for a Rust application library. When you start getting into the 300s of dependencies (i.e. every time I've ever got beyond a trivial desktop application), you're lucky if your release build is less than 100MiB.
Sure, I could probably halve that by forking every dependency so they aren't duplicating versions, but that's a lot of work. (It's a shame Rust doesn't let you do conditional compilation based on dependency versions, or this would be a lot easier. As it is, we have to resort to the Semver trick: https://github.com/dtolnay/semver-trick/ — not that many people do that, so it's functionally useless.)
¹: I can get it down to around 8MiB with release mode, lto etc., but that significantly increases the build time and only about halves the weight of the intermediate build files.
rustsec
-
Rust Tooling: 8 tools that will increase your productivity
cargo-audit is a simple Cargo tool for detecting vulnerable Rust crates. You can install it with cargo install cargo-audit, use cargo audit and you’re done! Any vulnerable crates will appear below, like so:
-
Rust Offline?
Further we use cargo-auditable and cargo-audit as part of both our pipeline and regular scanning of all deployed services. This makes our InfoSec and Legal super happy since it means they can also monitor compliance with licenses and patch/update timings.
-
Sudo and Su Being Rewritten in Rust for Memory Safety
Yeah your decade old single header libs get so many audits by comparison.
https://github.com/RustSec/rustsec/tree/main/cargo-audit
https://mozilla.github.io/cargo-vet/
cargo is not npm
-
A CVE has been issued for hyper. Denial of Service possible
PSA: before filing CVEs for other people's projects, file an issue with https://rustsec.org instead
-
Should atomics be unsafe?
Historically, such serious bugs get communicated broadly and addressed very quickly via security advisory blog posts and on https://rustsec.org.
-
Rust from a security perspective, where is it vulnerable?
For known vulnerabilities we have the rustsec vulnerability database. You could have a look over there for inspiration. There's also the related cargo-audit for checking dependencies for known vulnerabilities.
-
capnproto-rust: out-of-bound memory access bug
Would be cool if this was also reported to https://rustsec.org/ that way cargo audit could pick up and alert the users about it.
-
`cargo audit` can now scan compiled binaries
P.S. I also made scanning binaries 5x faster in the latest release of cargo audit.
-
My Rust development workflow (after 3+ years)
Thanks to cargo and the community, project maintenance is straightforward in rust. You'll need to install cargo-outdated and cargo-audit:
-
Mental models for learning Rust
Use the automated tools to assist you in the maintenance of your projects: rustfmt, clippy, cargo update, cargo outdated and cargo-audit.
What are some alternatives?
lang-team - Home of the Rust lang team
opensnitch - OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
cargo-llvm-lines - Count lines of LLVM IR per generic function
vulndb - [mirror] The Go Vulnerability Database
rust-base64 - base64, in rust
gosec - Go security checker
Thruster - A fast, middleware based, web framework written in Rust
crates.io - The Rust package registry
rust-quiz - Medium to hard Rust questions with explanations
ripasso - A simple password manager written in Rust
serde - Serialization framework for Rust
advisory-db - Security advisory database for Rust crates published through crates.io