I gave up on naming https://github.com/rust-secure-code/safety-dance and instead started opening issues about crates we want to audit, as well as the ones audited already.
reqwest crate is horrifying - it's mostly red, with slab and even custom locking primitives with a total of 3 stars on github. I started opening issues just for transitive dependencies of reqwest but had to stop short. So if you ever need more crates to look at, just sift through transitive dependencies of reqwest and open issues on that repo.
Are you making notes on unsafe patterns that could be done safely -- I'm hopeful we can turn some of these into clippy lints
@Shnatsel I would ~strongly recommend sticking a license file (even if it's just MIT or something) in the root by the way
Oh yeah, good point. @Tony Arcieri could you put a license on the repo and also provide a source / proper credits for the image?
Re: notes on patterns: sort of. I guess I should start putting these in the repo itself.
Mostly I'm noticing missing safe abstractions, documented here: https://github.com/rust-secure-code/safety-dance/issues/1#issuecomment-513589145
But there is one cool pattern I've been shown recently: https://github.com/sile/libflate/pull/39/files
Used to be set_len(), then I opened a PR that started zero-initializing the slice, and then someone else showed me this trick with writing to a vector from a Read impl but still making it bounded
Passing a buffer of uninitialized data to read_exact() is very common apparently
Seems bad -- io::Read's docs say you can't do that
Yeah, docs started advising against that just recently, after I complained to RalfJung about that
I'm pretty sure reqwest still does it
re: the image, I know someone who knows someone who knows the artist. can try to vicariously get permission to use it. they don't seem to have social media presence and I don't know their contact details
I am attempting to (vicariously) ask the artist for permission. If I can't get it I'll remove the image.
re: licensing, should we just do the standard Apache-2.0 OR MIT?
sure, or even simply MIT I think would be fine
_a_ license is the important bit here :)
Yeah I don't particularly care about the license either. Apache+MIT sounds good.
Approved. Fire when ready.
This effort is now weirdly split between this WG and people hanging out in #black-magic on community Discord
regarding the Safety Dance logo, I have it on the word of a Rust core team member who contacted the original artist that it is in the public domain
@Shnatsel in which case, do you think it's ready to tweet? or were you planning on doing a blog post or something first?
Yay! Love the Safety Dance logo. You are all free to use my analogy to dancing across hot coals in explaining why the "dance" metaphor is appropriate.
@Shnatsel if you make a blog post, be sure to link to the video :wink: https://www.youtube.com/watch?v=AjPau5QYtYs
Seems bad -- io::Read's docs say you can't do that
that is, unless you know the Read impl that is being called, and made sure it does not and will not (in the future) read from
Introducing the Rust Safety Dance, a project by the Secure Code WG to audit and potentially eliminate usages of unsafe from core ecosystem (and other) crates: https://github.com/rust-secure-code/safety-dance https://twitter.com/rustsecurecode/status/1153698020724113409/photo/1 - Rust Secure Code WG (@rustsecurecode)
I'm not planning to make a blog post. Sadly I don't have the time, with being offline for a while and all that. I can help out again late August - early September.
@Shnatsel no worries, I was just curious if I should wait to tweet the link to the blog post first, if there were one. but... too late! already just tweeted the repo, and @RustLang retweeted it, so I think we're good
any thoughts on this? https://github.com/rust-secure-code/safety-dance/pull/15
viral marketing! :sweat_smile:
Sounds good to me
I've seen reference to a number of crates that help people avoid unsafe, like take_mut, owning_ref, and rental. Is safety-dance a good place to start cataloging them, like a "how to avoid unsafe" guide?
sounds like a good idea to me. maybe put them in the README or perhaps a separate .md file linked from the README...
does this mean they have been reviewed carefully by someone who is not their primary author to make sure they are not unsound?
perhaps we should open an issue to compile and discuss which ones should get included in a list
Are there any qualifications you need for writing that blog post? I could find someone to write it for you and put it on the blog post.
/cc @Tony Arcieri @Shnatsel
@Florian Gilcher not particularly, just enough background on what the project is and what its goals are to promote it
Are you guys aware of the list we (the UCG WG) are maintaining at https://github.com/rust-lang/unsafe-code-guidelines/issues/158 ? As part of safety-dance y'all are seeing a lot of real-world unsafe code out there, and I think (if that's something you'd like to do) it would be very helpful to use that to "cartograph" the less clear corners of the Rust unsafe code rules. Don't hesitate to open a thread in the UCG stream here on Zulip (#t-lang/wg-unsafe-code-guidelines), open an issue in the UCG repo or Cc me (@RalfJung on GH) when there are questions about whether some concrete piece of unsafe code is UB or not.
I'm going to kick safety-dance into a higher gear by promoting it on Reddit. Before I invite more people to join I want to get the docs and processes up to scratch. Please check this out and let me know if it looks OK to you:
@Shnatsel just make sure you wait a little bit... Reddit is currently having a ton of issues due to the us-east-1 outage
Good call. It's gonna take a while for me to write some docs anyway. Probably not gonna post until tomorrow
The number of people subscribed to safety-dance and immediately responding to issues is already impressive
Initial trophy case up: https://github.com/rust-secure-code/safety-dance/pull/23
Just the stuff I've been involved with for now, to establish the structure. Once I merge this everyone is encouraged to add their contributions!
OK it's merged. Please open PRs for your contributions!
Also my "new advisory" sense is tingling: https://github.com/image-rs/image/pull/985
I've opened a PR to update mission statement for safety-dance, please let me know if it makes sense or if it can be improved: https://github.com/rust-secure-code/safety-dance/pull/28/files
Safety dance is getting so much attention that we're almost done with the crates we've picked for auditing already! We need some more popular crates to look at!
And that's before I even started widely promoting it. It's never even been posted to Reddit
What I really wanted to say is "Please throw some more crates at it!"
the amount of unsafe relative to the complexity (and the fact that headers are such an easy thing for an attacker to poke at) always made me really worried about https://github.com/hyperium/http/blob/master/src/header/map.rs
i can file an issue for it after lunch i guess, or someone else can
that's most of the unsafe in that crate last time i looked, but it's... large, complex, and the unsafe seems to rely on a bunch of tricky invariants
Everyone: looks like safety-dance is almost ready for wider promotion! We just need to pick more crates for auditing - most of what we have picked on the issue tracker is already partially or mostly done.
Please add some important crates! (But preferably not async ones because those are under a lot of churn right now due to upcoming async/await)
@Shnatsel if you're interested in doing a Safety Dance blog post, @nikomatsakis was talking about setting up a shared "Team Blog" where we could promote it
I do think we could use a WG blog to announce stuff like safety dance. Partly because I'm annoyed by the popups that Medium shows these days.
I'm not 100% confident it's a good idea to put it under rust-lang.org domain. It makes it a bit too official for my liking, too much responsibility.
For example: I am mostly single-handedly driving safety-dance, and if I mess up I kinda want it to be just me who messes up, or a relatively obscure WG, and not the entire Rust org as a whole
Or maybe I should just get more people to sanity check whatever I'm doing with safety dance, then we'll be fine
" it would require a fixed-capacity Vec-like view of memory. I'll need to write an RFC for one at some point." @Shnatsel
what does that mean exactly?
Probably. There's a bunch of those around but no definitive implementation. Since it is also needed for a safer Read trait and the impl is very complex I'm pretty sure it needs to be in
Other known impls of this idea:
heapless::Vec will not work because it's always on the stack while we want to have a non-owning view of arbitrary slice of
This abstraction really needs to be in std because we need multiple crates to agree on it. For example, flate2 would both pass it to miniz_oxide backend and accept such a view from client code, so we have a stack of 3 different crates passing it to each other
io::Cursor on a fixed-sized array work?
Uuuh, sorta? I'm not sure if it's OK to have MaybeUninit<T> as the backing storage for
And you would still need some unsafe to e.g. get the initialized portion as a slice, or apply changed length to Vec when the backing storage came from a Vec, but that might be possible to encapsulate. Still, doesn't sound very obvious or ergonomic to me.
nice post. seems to be garnering a decent amount of attention
Yeah, seems to be working. After the flop of the 2019 goals blog post I was afraid I was losing my touch, but apparently not :sweat_smile:
Yeah it's #1 link on Rust subreddit now :big_smile:
By the way, people seem to like the safety-dance name and logo, so thanks to @Tony Arcieri for finding those!
Heapless offers static
```rust
// assumed imports for the heapless 0.5-era API used below (the original snippet omitted them)
use heapless::{consts::U8, Vec};

// in a static (since const-fn has not been fully stabilized you need to use the helper structs in
// the i module, which must be wrapped in a tuple struct)
static mut XS: Vec<u8, U8> = Vec(heapless::i::Vec::new());
```
This is relevant to our interests: https://github.com/rust-lang/rfcs/pull/2802