Rust-Written Coreutils Replacement uutils 0.0.19 Released

  • #31
    Originally posted by RahulSundaram View Post

    > > [...] the Rust rewrite in this case seems more like a passion project and nothing to do with organizations.

    > seems.. mmm... Redox is written in Rust and received an "anonymous" (who is interested in paying that?) $400,000 donation

    Redox is unrelated to the topic. I specifically said, in this case, i.e. uutils.
    It's related to the "seem more like a passion project and nothing to do with organizations" expression. Redox also seemed that.

    Comment


    • #32
      Originally posted by Nth_man View Post

      It's related to the "seem more like a passion project and nothing to do with organizations" expression. Redox also seemed that.
      Bringing up random crypto donations for an unrelated project is not evidence of any organization involvement in uutils or anywhere else for that matter.

      Comment


      • #33
        Originally posted by Sethox View Post
        On the surface it's a hobby project with some personal reasoning, but depending on how one researches the source code (to rewrite it in another language) it could prove good for analyzing better solutions to the minor details.

        Only when it's stable and good to go will the end-user see if it was worth it or not.
        I've been using it on Windows for a while now. It's quite a bit better than GNU for me, but on the Linux side I wouldn't use it yet. Currently, for me, it's great to get the tools that would otherwise be a hassle.

        Comment


        • #34
          Originally posted by jacob View Post
          If you are worried that someone may compromise a crate like clap that is used by uutils, the risk is really no greater than someone compromising C-written GNU coreutils' repository or tarballs.
          Yeah, but we are talking about maybe 5 repositories and parties for C coreutils you can try to compromise. For Rust coreutils it's over 80.

          Maybe you can just ignore that or handwave it away. I can't.

          Comment


          • #35
            Originally posted by jacob View Post
            Cargo provides some limited form of protection by letting you specify git checkout IDs, but having built-in support for PGP-signed tags would be good.
            Cargo.lock (cargo lockfile) includes a checksum for every dependency.
            Plus, https://crates.io is immutable.

            Comment


            • #36
              Originally posted by ZeroPointEnergy View Post

              Yeah, but we are talking about maybe 5 repositories and parties for C coreutils you can try to compromise. For Rust coreutils it's over 80.

              Maybe you can just ignore that or handwave it away. I can't.
              Note that rust-lang itself maintains many crates, including libc, regex, etc.; RustCrypto https://github.com/RustCrypto maintains many crypto-related crates, and rust-random https://github.com/rust-random maintains random-related crates.

              Also, dtolnay https://github.com/dtolnay/ and taiki-e https://github.com/taiki-e/ are two well-known and well-trusted people who own and maintain many essential crates.

              Comment


              • #37
                Originally posted by NobodyXu View Post

                Cargo.lock (cargo lockfile) includes a checksum for every dependency.
                Plus, https://crates.io is immutable.
                But when you start a new project, you just indicate version numbers in your cargo.toml. If you could refer to a signed tag so that it would automatically check the signature the first time it pulls the dependency, that would be a massive improvement.

                Comment
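The two points argued in #35 and #37 (the lockfile carries a checksum per dependency, while a fresh Cargo.toml only names versions) can be checked mechanically. The script below is an added example for this thread, not code from uutils, Cargo or any poster; it reads a constructed Cargo.lock excerpt (sample data, not a real lockfile), compares each crates.io package's `checksum` against the SHA-256 of a stand-in `.crate` blob, and lists the packages the checksum does not cover: git dependencies (pinned by commit hash in the source URL fragment, no content hash) and path dependencies (no source, no checksum). The lockfile format details (`[[package]]` blocks, `source`, `checksum` as hex SHA-256 of the `.crate` file) are Cargo's; the package names, bytes and URLs are constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional

# crates.io as it appears in the "source" field of a Cargo.lock [[package]] entry
CRATES_IO_SOURCE = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed stand-in for a packaged .crate archive (not the real clap crate).
# Cargo keeps these under ~/.cargo/registry/cache/<index>/<name>-<version>.crate,
# and the lockfile checksum is the SHA-256 of exactly those bytes.
SAMPLE_CRATE_FILES: Dict[str, bytes] = {
    "clap-4.0.0.crate": b"constructed stand-in for a .crate archive, not real clap\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed Cargo.lock excerpt (sample, not from uutils): one crates.io package
# with a checksum, one git dependency pinned by commit in the URL fragment, and
# one path dependency that has neither source nor checksum.
SAMPLE_LOCK = """
version = 3

[[package]]
name = "clap"
version = "4.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "%s"

[[package]]
name = "some-git-dep"
version = "0.1.0"
source = "git+https://example.invalid/some-git-dep#0123456789abcdef0123456789abcdef01234567"

[[package]]
name = "my-local-crate"
version = "0.1.0"
""" % sha256_hex(SAMPLE_CRATE_FILES["clap-4.0.0.crate"])

KEY_VALUE_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def parse_lock(text: str) -> List[Dict[str, str]]:
    """Minimal Cargo.lock reader: collect the string fields of each [[package]]
    block. Multi-line arrays such as dependencies = [...] are skipped on purpose."""
    packages: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            current = {}
            packages.append(current)
        elif current is not None:
            m = KEY_VALUE_RE.match(line)
            if m:
                current[m.group(1)] = m.group(2)
    return packages


def verify_lock(packages: List[Dict[str, str]], crate_files: Dict[str, bytes]) -> Dict[str, str]:
    """Check each locked package against the .crate bytes we actually have.

    Verdicts:
      ok           checksum present and matches the .crate bytes
      mismatch     checksum present but the bytes differ (tampering or corruption)
      missing      checksum present but no .crate file was supplied
      git-pinned   no checksum; source is a git URL pinned to a commit hash
      no-checksum  no checksum and no commit pin (path dependency or unpinned git)
    """
    verdicts: Dict[str, str] = {}
    for pkg in packages:
        key = f"{pkg['name']}-{pkg['version']}"
        checksum = pkg.get("checksum")
        source = pkg.get("source", "")
        if checksum is None:
            if source.startswith("git+") and "#" in source:
                verdicts[key] = "git-pinned"
            else:
                verdicts[key] = "no-checksum"
            continue
        blob = crate_files.get(f"{key}.crate")
        if blob is None:
            verdicts[key] = "missing"
        elif sha256_hex(blob) == checksum:
            verdicts[key] = "ok"
        else:
            verdicts[key] = "mismatch"
    return verdicts


def non_crates_io_sources(packages: List[Dict[str, str]]) -> List[str]:
    """Names of locked packages not served by crates.io (git, alternate registries,
    path deps): the ones the crates.io immutability argument does not cover."""
    return [p["name"] for p in packages if p.get("source") != CRATES_IO_SOURCE]


if __name__ == "__main__":
    pkgs = parse_lock(SAMPLE_LOCK)
    for name, verdict in verify_lock(pkgs, SAMPLE_CRATE_FILES).items():
        print(f"{name}: {verdict}")
    print("not from crates.io:", non_crates_io_sources(pkgs))
```

The check only means something after a lockfile exists: the first resolution of a new Cargo.toml trusts whatever the registry serves, and from then on a build run with `cargo build --locked` refuses to proceed if the lockfile would change. Git and path dependencies never get a content hash, which is why the script reports them separately rather than treating them as verified.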


                • #38
                  Originally posted by jacob View Post
                  But when you start a new project, you just indicate version numbers in your cargo.toml. If you could refer to a signed tag so that it would automatically check the signature the first time it pulls the dependency, that would be a massive improvement.
                  But crates.io is already immutable, so I have confidence it is going to pull the same version or a newer version that is compatible.

                  Comment


                  • #39
                    Originally posted by ZeroPointEnergy View Post

                    Yeah, but we are talking about maybe 5 repositories and parties for C coreutils you can try to compromise. For Rust coreutils it's over 80.

                    Maybe you can just ignore that or handwave it away. I can't.
                    Well many C-based tools have been compromised. OpenSSH (!!!) for example had been backdoored several times. The number of dependencies is not a good indicator by the way. With Rust there tend to be many small libs as opposed to few large ones, but they are virtually all pulled from the same infrastructure (crates.io). So that makes one potential point of failure from an attacker's point of view. Whether that makes a compromise more likely or less than several distinct hosting infrastructures is a different debate altogether, and let's not forget that C libraries are then replicated among others in distros' repositories, which is another possible vector of compromise...

                    Comment


                    • #40
                      Originally posted by jacob View Post
                      ... Code re-use is a GOOD THING. ...
                      You're correct as long as you only talk about the code itself and its qualities.

                      But it can become a nightmare when you need to confirm the legalities of all involved licenses. That's something commercial companies need to do. I see Rust moving in a similar direction to JavaScript, where a single function call can pull in over 20'000 legal dependencies.

                      Comment
