Originally posted by darkonix
View Post
Announcement
Collapse
No announcement yet.
Rust-Based Coreutils 0.0.26 Increases Compatibility With GNU Coreutils
Collapse
X
-
Originally posted by jacob View Post
I definitely don't trust the CPU manufacturer, for sure the microcode contains malware (jokes aside, with Intel, AMD and ARM at least, it actually officially does).
Comment
-
Originally posted by darkonix View PostOMG who knows what those transistors are doing inside the chips? Nope, we need our own CPUs made with kitchen appliances to be sure.
- Likes 1
Comment
-
Originally posted by QwertyChouskie View Post
The whole point with XZ was that "Jia Tan" built trust and got the malicious update shipped in many distros as a normal update. Checksums prevent MitM attacks, they mean nothing if you intentionally update to a new release that later turns out to be malicious. The Cargo ecosystem is absolutely vulnerable to an XZ-style attack, same as any package-based ecosystem where you might have packages maintained by a single person that doesn't get much scrutiny.
However Cargo, without being immune, is still less open to attacks than projects without dependency managers (or than something like pip or npm). With Cargo, you at least have the assurance that you are building against the same actual code as the upstream project. It's not a reproducible build, but it goes let's say half way there. In other words, if your upstream promises that they actually do their homework that they review and vet what they actually use, and if you trust them for that, then you're safe. With C/C++, or npm, pip etc., you don't even have that. In fact you can't even be sure that some reverse proxy along the way hadn't been compromised to serve you a malware-enabled version of a C library you are trying to download.
Also Cargo has a "cargo audit" utility, which checks the versions of crates that you are really using against known security vulnerabilities. It's certainly not foolproof in that it wouldn't have stopped the XZ attack until it was discovered and reported (in the hypothetical example in which systemd and XZ were written in Rust), but again, it's more than most if not all common ecosystems have to offer.
- Likes 1
Comment
-
Originally posted by darkonix View PostEvery project should develop their own libraries for absolute everything.
Clearly this is a development that weakens the trust you can put in such a piece of software, simply because it reaches a count that is far beyond what anyone can keep track of even if they are diligent about their dependencies.
Comment
-
Originally posted by ZeroPointEnergy View PostOr we can just stop only arguing with extremes and recognize that there is clearly a scale between how granular split up the shared libraries are and that there is a trade-off here about how that spreads the eyes on a particular repository of those components.
Clearly this is a development that weakens the trust you can put in such a piece of software, simply because it reaches a count that is far beyond what anyone can keep track of even if they are diligent about their dependencies.
Comment
-
Originally posted by ZeroPointEnergy View Post
What is extreme about recognizing that there is clearly a trade-off for how splintered your dependencies are?
C/C++ were created well before the concept of dependency repositories was commonplace, and never developed a standard. Most modern languages reuse libraries easily: Python, Java, JavaScript (ugh), Go, Rust. That's the standard today. People need to adapt and find ways to ensure security in other ways than just avoiding reuse.
- Likes 1
Comment
-
Originally posted by darkonix View PostMost modern languages reuse libraries easily: Python, Java, JavaScript (ugh), Go, Rust. That's the standard today. People need to adapt and find ways to ensure security in other ways than just avoiding reuse.
If this issue is not obvious to you, then feel free to use system tools that build from 300 dependencies, play the canary in the coal mine and find out.
Comment
Comment