Stream: wg-secure-code

Topic: Requests to join WG


Tony Arcieri (Sep 03 2019 at 22:26, on Zulip):

We have a request from someone to join the WG. I don't know who they are, or what the policy around that should be: https://github.com/rust-lang/team/pull/103#issuecomment-527554952

Tony Arcieri (Sep 03 2019 at 22:26, on Zulip):

guess I should look into how the other WGs handle this sort of thing

Tony Arcieri (Sep 03 2019 at 22:26, on Zulip):

anyone know this person?

Shnatsel (Sep 03 2019 at 22:35, on Zulip):

Nope, not me

Stuart Small (Sep 03 2019 at 22:36, on Zulip):

Nope. Apparently we have a mutual contact on linkedin but I can't see who

Shnatsel (Sep 03 2019 at 22:36, on Zulip):

Uh, I guess I'd reply that participation in WG doesn't require being on that list, and tell them to come hang out with us on Zulip?

Tony Arcieri (Sep 03 2019 at 22:52, on Zulip):

sounds good

Shnatsel (Sep 03 2019 at 22:55, on Zulip):

Is that team info actually surfaced anywhere other than an obscure toml file?

Stuart Small (Sep 03 2019 at 22:56, on Zulip):

On the site. Let me find the link....

Stuart Small (Sep 03 2019 at 22:57, on Zulip):

https://www.rust-lang.org/governance/wgs/wg-secure-code

Shnatsel (Sep 03 2019 at 22:57, on Zulip):

Woah

Shnatsel (Sep 03 2019 at 23:00, on Zulip):

OK, I know what I'm putting on my resume now :joy:

HeroicKatora (Sep 03 2019 at 23:01, on Zulip):

Why is the title of that page 'Unknown localization governance-team-wg-secure-code-name …' though on my end?

simulacrum (Sep 03 2019 at 23:02, on Zulip):

I think that's a bug in localization (cc @Florian Gilcher, I think?)

Stuart Small (Sep 03 2019 at 23:02, on Zulip):

You've earned it. Too many times when I'm fuzzing and think I found something new I go to the github page and see your user icon and go "oh damn". You are busy

Shnatsel (Sep 03 2019 at 23:05, on Zulip):

FWIW I haven't done any fuzzing in a while. You can find new bugs simply by running existing fuzzing harnesses on libs.

Shnatsel (Sep 03 2019 at 23:05, on Zulip):

Although the situation with continuous fuzzing is improving - fuzzit.dev has easy Rust integration now

Shnatsel (Sep 03 2019 at 23:06, on Zulip):

not sure if anyone's figured out Google's OSS-fuzz yet

Stuart Small (Sep 03 2019 at 23:06, on Zulip):

Yeah same. I took a break to rewrite the rust fuzzing book. Unfortunately I got derailed from that goal. That's going to be where I pick up when I get back though

Shnatsel (Sep 03 2019 at 23:06, on Zulip):

Oh neat!

Shnatsel (Sep 03 2019 at 23:07, on Zulip):

I'm really stoked for someone adapting https://github.com/AngoraFuzzer/Angora for Rust. The thing is, the fuzzer is written in Rust but it uses older LLVM so it can't fuzz Rust code yet

Stuart Small (Sep 03 2019 at 23:07, on Zulip):

The docs in there are a bit light but a great start. I wanted to expand on it more and cover other fuzzers, strategies etc. I'll hit y'all up when I get something together to check over it

Shnatsel (Sep 03 2019 at 23:09, on Zulip):

It looked pretty solid to me actually, just needed "DISABLE ALL CHECKSUMS" in big letters

Stuart Small (Sep 03 2019 at 23:11, on Zulip):

There are a few other things missing. Like expanding on how to use arbitrary. I had to read through the source to get a handle on it. It still seems weird that fuzzers I had looked at at the time used the ring buffer when generating structs.

Shnatsel (Sep 03 2019 at 23:16, on Zulip):

Oh if you figure out how to use Arbitrary I'll be eternally grateful. Everyone just throws a ring buffer at it, I decline to do so and just get panics because there is no data in the buffer instead. Both options suck.

Shnatsel (Sep 03 2019 at 23:16, on Zulip):

Ring buffer potentially sucks less.

Shnatsel (Sep 03 2019 at 23:16, on Zulip):

It feels like very advanced stuff though, I'm not sure it's in scope for the book even

Shnatsel (Sep 03 2019 at 23:19, on Zulip):

https://github.com/jakubadamw/arbitrary-model-tests - this is recent and very cool

Shnatsel (Sep 03 2019 at 23:19, on Zulip):

contains Arbitrary + fuzzers

Shnatsel (Sep 03 2019 at 23:19, on Zulip):

https://github.com/Eh2406/auto-fuzz-test this is my attempt

Shnatsel (Sep 03 2019 at 23:26, on Zulip):

Oh, and https://github.com/blt/bughunt-rust also does Arbitrary+fuzzers but in a slightly awkward way

Daniel Henry-Mantilla (Sep 06 2019 at 13:44, on Zulip):

I know I don't really hang out in zulip much (yet), but I would nevertheless like to join this WG. I guess maybe @Shnatsel can vouch for my activity in #black-magic and safety-dance :shrug:

Shnatsel (Sep 06 2019 at 17:15, on Zulip):

Oh yeah, I can. You can also link plenty of Github activity as proof!

Shnatsel (Sep 06 2019 at 17:17, on Zulip):

https://github.com/rust-lang/rust/pull/64069
https://github.com/m4b/goblin/pull/182
https://github.com/ruuda/claxon/pull/19 + actually made the crate behind it

Florian Gilcher (Sep 09 2019 at 09:00, on Zulip):

@simulacrum yes, can you please report to rust-lang/www.rust-lang.org. It's just not available yet.

Last update: Nov 11 2019 at 22:50UTC