Rustls Can Now Work With Nginx Via New OpenSSL Compatibility Layer
- Likes 3
-
Originally posted by jacob View Post
The dependency doesn't "suddenly" get a security issue injected into it. If you trust a given git checkout not to become "suddenly" compromised, then it's the same thing here. This has been debated many times. Rust dependencies are locked to a code checksum.
-
Originally posted by vancha View Post
This sounds like a good idea. When you specify a dependency by version in your Cargo.toml file, does that pin the library you include to a specific commit?
- Likes 2
-
Originally posted by jacob View Post
The dependency doesn't "suddenly" get a security issue injected into it. If you trust a given git checkout not to become "suddenly" compromised, then it's the same thing here. This has been debated many times. Rust dependencies are locked to a code checksum. If the rustls developers are satisfied that their deps have no security issue at the moment they put their release out, then the deps are safe forever for everyone until they decide to update them.
Also, you keep bringing it around to dependencies I agree with. Yes, I agree that the Rustls guys shouldn't implement their own RNG, nor their own memory buffer wipeout. Those are not <100 LoC and have hidden complexities. The issue I take is with dependency trees that eventually go down to "isOdd" 3-line pieces of code that are basically boilerplate and have 0 complexity. People just want to "save lines of code" and avoid doing it themselves.
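A way to check what the two posts above describe (a version requirement in Cargo.toml versus the checksums and commit ids that Cargo.lock actually records), as an added example that is not code from rustls, Cargo or anyone in this thread: it parses a constructed Cargo.lock and flags registry crates that carry no SHA-256 checksum and git sources whose URL has no full commit id in its fragment. Crate names, versions and the checksum in the sample are made up; the parser handles only the subset of the lockfile format the sample uses. Cargo writes these fields itself, so the audit is the kind of check a reviewer would run in CI over a committed lockfile rather than something Cargo needs.

```rust
// Added example: audit a Cargo.lock for dependencies that are not locked
// to content. Not code from rustls, Cargo or any project in the thread.

#[derive(Debug, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub source: Option<String>,   // None for path/workspace members
    pub checksum: Option<String>, // SHA-256 hex of the .crate file for registry deps
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    /// Registry crate without a checksum: the downloaded bytes cannot be verified.
    MissingChecksum(String),
    /// Git source whose URL fragment is not a full 40-hex commit id.
    UnpinnedGit(String),
}

/// Parse the `[[package]]` tables of a Cargo.lock. Only the four scalar keys
/// the audit needs are read; the `dependencies = [ ... ]` array is skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let mut cur: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = cur.take() {
                pkgs.push(p);
            }
            cur = Some(Package { name: String::new(), version: String::new(), source: None, checksum: None });
            continue;
        }
        // Lines before the first table (comments, lockfile `version = N`) are ignored.
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if let Some((k, v)) = line.split_once(" = ") {
            let v = v.trim().trim_matches('"').to_string();
            match k.trim() {
                "name" => p.name = v,
                "version" => p.version = v,
                "source" => p.source = Some(v),
                "checksum" => p.checksum = Some(v),
                _ => {} // `dependencies = [` and anything else
            }
        }
    }
    if let Some(p) = cur {
        pkgs.push(p);
    }
    pkgs
}

fn is_hex_of_len(s: &str, n: usize) -> bool {
    s.len() == n && s.chars().all(|c| c.is_ascii_hexdigit())
}

/// Flag registry crates without a SHA-256 checksum and git sources that are
/// not pinned to a full commit id.
pub fn audit(pkgs: &[Package]) -> Vec<Finding> {
    let mut out = Vec::new();
    for p in pkgs {
        let label = format!("{} {}", p.name, p.version);
        match p.source.as_deref() {
            Some(s) if s.starts_with("registry+") => {
                if !p.checksum.as_deref().map_or(false, |c| is_hex_of_len(c, 64)) {
                    out.push(Finding::MissingChecksum(label));
                }
            }
            Some(s) if s.starts_with("git+") => {
                // Cargo records the resolved commit after `#` in the source URL.
                let rev = s.rsplit_once('#').map(|(_, r)| r).unwrap_or("");
                if !is_hex_of_len(rev, 40) {
                    out.push(Finding::UnpinnedGit(label));
                }
            }
            _ => {} // no source: built from the tree itself
        }
    }
    out
}

// Constructed sample lockfile: names, versions and the checksum are made up.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "sample-rng",
 "sample-zeroize",
]

[[package]]
name = "sample-rng"
version = "0.17.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

[[package]]
name = "sample-zeroize"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "sample-gitdep"
version = "0.3.0"
source = "git+https://example.invalid/org/sample-gitdep?branch=main"
"#;

fn main() {
    for f in audit(&parse_lock(SAMPLE_LOCK)) {
        println!("{:?}", f);
    }
}
```

Run as-is it reports the registry crate with no checksum and the git dependency pinned only to a branch; the workspace member `myapp` is skipped because it has no `source` and is built from the tree. The point the thread is making is visible in the data: Cargo.toml's `"1.8"` says nothing about which bytes are compiled, while the lockfile's checksum or commit id does.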
-
Originally posted by Daktyl198 View Post
... just auto-update their dependencies via bots.
You made it seem like such devs are simultaneously lazy (by not checking dependencies) and hard-working (by bothering to set up such a bot). Which bot is that BTW?
- Likes 2
-
Originally posted by BreachScrambler View Post
Is this common? I contribute to Rust projects fairly often and dependency upgrades are manually done.
You made it seem like such devs are simultaneously lazy (by not checking dependencies) and hard-working (by bothering to set up such a bot). Which bot is that BTW?
-
Originally posted by Daktyl198 View Post
Setting up a bot is hardly any effort to add when setting up an automated build environment. As for bots, GitHub has its own called Dependabot, but there are dozens out there that different developers prefer.
Automatically updating dependencies with known vulnerabilities with Dependabot security updates
Dependabot can help you fix vulnerable dependencies by automatically raising pull requests to update dependencies to secure versions.
- Likes 1
-
I'm all for Rust-written libraries, but calling Rustls a TLS library written in Rust sounds a bit weird to me. It technically is a TLS library, but just the high-level API, using one of two different Rust libraries under the hood, which themselves use a library written in C/C++ and assembly.
I prefer Rustls over OpenSSL to be honest, but I don't think you could call Rustls a memory-safe library when every crypto algorithm is written in assembly.
- Likes 1
-
Originally posted by darkonix View Post
Reading about Dependabot in their documentation, their use case seems not to auto-upgrade just to get newer versions but to patch known security vulnerabilities:
That sounds like the opposite of insecurely updating dependencies, of course as long as the developers trust Dependabot.
- Likes 1