undefined | Better HN

0 pointsiknowstuff2y ago0 comments

Long story short is that I trust their quality. The community is great about vetting unnecessary uses of unsafe code.

That’s more than can be said about hand rolled equivalents in C/C++.

0 comments

5 comments · 1 top-level

palata2y ago· 4 in thread

So if you have 200 dependencies, you trust them just because they don't run what Rust calls "unsafe" code? What about safe code that could be malware?

rendaw2y ago

Isn't this hierarchical trust? You select immediate dependencies that you believe are written by reasonably security-conscious people, not just anything that immediately solves a problem, and because they're reasonably security-conscious people they select their own dependencies the same way? And at each level vetting is implicitly shared with other users of the dependencies, some of whom will be more critical/inquisitive.

I've heard the alarms about dependencies and I'm not sold. I feel like this is bleeding over from the JS/frontend world where people don't choose to do the above, for whatever reason.

Whenever I add a dependency in Rust I look at crates.io downloads, dependents (any big projects there?), github stars, I browse the issues to see what sort of problems have been reported and when, with what sort of replies from the author, how many contributors there are, release history, what commits look like, and what other stuff the authors have worked on. I use a lot of dependencies, and I do rewrite stuff myself when I feel like I can't rely on a dependency.

palata2y ago

That's the thing about trust: not everyone uses it the same. There are documented examples of malware being injected to millions of dependents through package managers, so we know that "hierarchical trust" does not work.

The big difference with a distro is that I choose to trust the distro maintainers, which is only a handful of people. Whereas with your hierarchical trust, you choose to trust many random people.

1 more reply

rockdoe2y ago

FYI Google and Mozilla audit all their dependencies and share them:

* https://chromium.googlesource.com/chromiumos/third_party/rus...

* https://searchfox.org/mozilla-central/source/supply-chain/au...

It's quite likely that most of your dependencies were already audited.

meragrin_2y ago

So what in there guarantees I can get the same thing they audited?

1 more reply

j / k navigate · click thread line to collapse

0 comments

5 comments · 1 top-level

palata2y ago· 4 in thread

So if you have 200 dependencies, you trust them just because they don't run what Rust calls "unsafe" code? What about safe code that could be malware?

rendaw2y ago

I've heard the alarms about dependencies and I'm not sold. I feel like this is bleeding over from the JS/frontend world where people don't choose to do the above, for whatever reason.

palata2y ago

The big difference with a distro is that I choose to trust the distro maintainers, which is only a handful of people. Whereas with your hierarchical trust, you choose to trust many random people.

1 more reply

rockdoe2y ago

FYI Google and Mozilla audit all their dependencies and share them:

* https://chromium.googlesource.com/chromiumos/third_party/rus...

* https://searchfox.org/mozilla-central/source/supply-chain/au...

It's quite likely that most of your dependencies were already audited.

meragrin_2y ago

So what in there guarantees I can get the same thing they audited?

1 more reply

j / k navigate · click thread line to collapse