Announcement

Collapse
No announcement yet.

Rust-Written Rustls Now Reportedly Outperforming OpenSSL & BoringSSL

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Can they stop naming projects written in Rust with Rust in the name?

    Comment


    • #22
      Originally posted by Shnatsel View Post

      This is the entire dependency tree for rustls:

      rustls v0.23.15
      ├── aws-lc-rs v1.10.0
      │ ├── aws-lc-sys v0.22.0
      │ │ ├── libc v0.2.159
      │ │ └── paste v1.0.15 (proc-macro)
      │ ├── mirai-annotations v1.12.0
      │ ├── paste v1.0.15 (proc-macro)
      │ ├── untrusted v0.7.1
      │ └── zeroize v1.8.1
      ├── log v0.4.22
      ├── once_cell v1.20.2
      ├── rustls-pki-types v1.10.0
      ├── rustls-webpki v0.102.8
      │ ├── aws-lc-rs v1.10.0 (*)
      │ ├── rustls-pki-types v1.10.0
      │ └── untrusted v0.9.0
      ├── subtle v2.6.1
      └── zeroize v1.8.1
      yeah, these are the obvious dependencies aka rust cargo dependencies, aws-lc-rs is basically the "entry" into the unsafe world.

      In general its good to have an abstraction with a memory safe language. Memory safety is infectious like async programming -> good thing.

      Comment


      • #23
        In microservices and its stack there is need for contracts and contract level agreement and other related tech and other service decisions, maybe also tech stack development and mature level analysis and contract development...

        practically said, if there are microservices and such understanding is more complex in some situations than required or wanted, then come into place various other frameworks and other stuff...

        to this problem seems as not so related, but today server(not only http in various levels and protocols, rfc or ieee understanding sometimes also iso standards ill for tough programming requirements for end level programmer), but today server is monolithic shit with automatic certificate requirements as automatic addon or automatic service or messages understanding and relations... which in server Space could translate to market share of http servers or application market share of security libs...

        but for problem there is also understanding, that protocols and also http/2/3 and so on has some implementations, but for a lot of programs there is no interface, there is no service contracts for apps to choose its backend or automatic addon, or forcing for protocols to have some abilities, which practically said in game industry is big shit for programmers to implement anticheating or network shits which means that a lot of games are Windows or gameconsole only...

        today Debian/Ubuntu and similar have /etc/alternatives which said which program is default choosen one , but programs or server apps have .env which could said such thing also... but for rustls implementations maybe there is need for think about classic libs what does it means for today shit with https://www nonsense and maybe some upgrades for RIPE is required for wipeout some tech nerd understanding from last math centuries not so needed practically anymore even in some postquant world where math is present but also something more for end programmers even in rust Space is maybe needed but not present

        Comment


        • #24
          the real benchmark of that type of library is its security, not its performance.

          Comment


          • #25
            Originally posted by access View Post
            That's the lock file. These are the deps: https://github.com/rustls/rustls/blob/main/Cargo.toml -> https://github.com/rustls/rustls/blo...tls/Cargo.toml etc

            OpenSSL is for the test suite.
            That's only the top Cargo file, which declares the sub-projects, like the library itself, benchmarks, examples, and so on (see in the first section). You should look at the actual dependencies in the library's Cargo itself: https://github.com/rustls/rustls/blo...tls/Cargo.toml (under "dependencies"). But the hierarchy has been posted before, I see.

            Actually, the lock file gives the unfolded list of dependencies, so it's quite relevant (but very verbose).
            Last edited by Unscript; 23 October 2024, 04:07 AM.

            Comment


            • #26
              Originally posted by MillionToOne View Post
              Can they stop naming projects written in Rust with Rust in the name?
              Not until the Rust Foundation enforces their trademarks

              Comment


              • #27
                Originally posted by ssokolow View Post

                [image: not sure if arguing in bad faith or just stupid]
                You're replying to a post complaining about the code being written by "pajeets" and "troons", so assuming the former is pretty safe.

                Comment


                • #28
                  Originally posted by Almindor View Post

                  I'd be careful here. `unsafe` in Rust is actually in many ways more dangerous than plain C or even assembly. The reason for that is that in `unsafe` blocks, you (as in the programmer) are responsible for ensuring that the invariants expected by the compiler are upheld on the unsafe/safe barrier.
                  You are responsible for ensuring the invariants expected by the compiler in C too, that's what the infamous undefined behaviour is all about after all (assembly arguably is less dangerous in this aspect though). The appeal of unsafe Rust however is that you can actually uphold more invariants easier, since it often allows local reasoning.

                  Comment


                  • #29
                    Originally posted by Almindor View Post

                    I'd be careful here. `unsafe` in Rust is actually in many ways more dangerous than plain C or even assembly. The reason for that is that in `unsafe` blocks, you (as in the programmer) are responsible for ensuring that the invariants expected by the compiler are upheld on the unsafe/safe barrier.

                    This, as it turns out, is quite difficult and tricky in some cases. It can definitely be much more murky than plain old C. I'm saying this as an embedded rust developer and generally a big rust fan.

                    For anyone more interested in Rust and `unsafe`, I strongly suggest going over the Rustonomicon at https://doc.rust-lang.org/nomicon/
                    I wouldn't say it's more dangerous than plain C, though, since C leaves as much freedom, if not more, and programmers are on their own to manage ownership, which they don't all do the same way (so collaborative projects may see a mix of methods). Assembly doesn't check anything and is the lowest level, so it's obviously the least safe, by far. But yes, unsafe depends more on the programmer than the rest of the code. Normally, a Rust developer should already be more careful, but it's still tricky indeed, especially when allocating and freeing memory. I see no Miri validation flow, but I haven't checked in the dependencies.

                    Anyway, there's very little unsafe used in this library, though it's not as much documented as it should. I would be more concerned about the alpha stage of it (it's only 0.23) and the dependencies (some of which are very alpha, too). There are a number of issues, and the code hasn't been exposed as much as the library it wants to replace, and the compiler can only do so much to guarantee safety.

                    Comment


                    • #30
                      Originally posted by Shnatsel View Post

                      This is the entire dependency tree for rustls:

                      rustls v0.23.15
                      ├── aws-lc-rs v1.10.0
                      │ ├── aws-lc-sys v0.22.0
                      │ │ ├── libc v0.2.159
                      │ │ └── paste v1.0.15 (proc-macro)
                      │ ├── mirai-annotations v1.12.0
                      │ ├── paste v1.0.15 (proc-macro)
                      │ ├── untrusted v0.7.1
                      │ └── zeroize v1.8.1
                      ├── log v0.4.22
                      ├── once_cell v1.20.2
                      ├── rustls-pki-types v1.10.0
                      ├── rustls-webpki v0.102.8
                      │ ├── aws-lc-rs v1.10.0 (*)
                      │ ├── rustls-pki-types v1.10.0
                      │ └── untrusted v0.9.0
                      ├── subtle v2.6.1
                      └── zeroize v1.8.1
                      ...and once_cell recently became part of the Rust standard library, so it's only in there because they're being responsible about supporting old toolchain versions for stable/LTS distros who like to pin them.

                      (Plus, paste v1.0.15 (proc-macro), zeroize v1.8.1 , aws-lc-rs v1.10.0, rustls-pki-types v1.10.0, and untrusted v0.9.0 are in there twice, despite being downloaded and compiled once each, since that's how cargo tree shows things.)

                      If you snip out any transitive dependencies which are already depended on at a higher level, it looks like this:

                      Originally posted by Shnatsel View Post
                      rustls v0.23.15
                      ├── aws-lc-rs v1.10.0
                      │ ├── aws-lc-sys v0.22.0
                      │ │ └── libc v0.2.159
                      │ ├── mirai-annotations v1.12.0
                      │ ├── paste v1.0.15 (proc-macro)
                      │ └── untrusted v0.7.1
                      ├── log v0.4.22
                      ├── once_cell v1.20.2
                      ├── rustls-pki-types v1.10.0
                      ├── rustls-webpki v0.102.8
                      ├── subtle v2.6.1
                      └── zeroize v1.8.1
                      Last edited by ssokolow; 23 October 2024, 12:19 PM.

                      Comment

                      Working...
                      X