time VS Libc

// To load RUST_LOG from .env file. dotenv().ok(); /* On Ubuntu 22.10, calling UtcOffset's offset methods causes IndeterminateOffset error!! See also https://github.com/time-rs/time/pull/297 ... */ // TO_DO: 11 is the current number of hours the Australian Eastern Standard Time (AEST) // is ahead of UTC. This value need to be worked out dynamically -- if it is at all // possible on Linux!! // let guard = init_app_logger(UtcOffset::from_hms(11, 0, 0).unwrap());

The problem is that this effects higher languages too, because they often build on libc. And on some OSes, they don't have a choice, because the system call interface is unstable and/or undocumented).

For example in rust, multiple time libraries were found to be unsound if `std::env::set_env` was ever called from a multi-threaded program. See:

https://github.com/time-rs/time/issues/293 and https://github.com/chronotope/chrono/issues/499

https://github.com/rust-lang/rust/issues/27970

https://github.com/rust-lang/rust/issues/90308

On that note, it would also be good to configure cargo-deny so that a CI pipeline and any maintainer can easily audit the current dependency versions. Sometimes CVEs require a new major semver (looking at you, time 0.1.x and thus chrono 0.4.x), so it's not enough to rely on people installing the tool with semver-compatible updates. Automatically auditing dependencies is really important, and given how easy cargo-deny makes it, I don't think many projects have any excuse not to configure it.

I've come to understand that correct support for leap seconds for time computations cannot be implemented in a reliable and globally consistent manner. Here is a GitHub discussion that touches on this.

Upgrade time to 0.3

I'm not fully aware of all the history but here's what I think happened: time 0.1 was originally a minimal wrapper around libc time functions, maintained by Alex Crichton. (I seem to remember it may have been part of the std library before 1.0, but I'm not sure about that part.) In August of 2016 it was declared to no longer be actively maintained, with the README stating bugs would still get fixed.

link to source code

Does rust also add an pthread_atfork handler? Otherwise, it seems likely still unsafe for rust to claim to support calling fork (for execv) or posix_spawn, as most libc call realloc on the `environ` contents, but do not appear to take any care to ensure that (v)fork/posix_spawn doesn't happen concurrently with that. Worse yet, the `posix_spawnp` API takes an `envp` parameter and expects you to pass it the global pointer `environ`, which is completely unsynchronized across that fork call. It is not obvious to me that this is a security gap, but certainly it seems to me that this would violate rust's safety claim, if it is not taking added precautions there.

The Apple Libc appears to just unconditionally drops the environ lock in the child (https://github.com/apple-oss-distributions/Libc/blob/c5a3293...), while glibc doesn't appear to even bother with that (https://github.com/bminor/glibc/blob/6ae7b5f43d4b13f24606d71...)

Doesn't musl have the same issue? https://github.com/JuliaLang/julia/issues/34726#issuecomment...

I also wonder about OSX's libc. Newer versions seem to have some sort of locking https://github.com/apple-open-source-mirror/Libc/blob/master...

but older versions (from 10.9) don't have any lockign: https://github.com/apple-oss-distributions/Libc/blob/Libc-99...