Stream: wg-secure-code

Topic: least authority crates


Tony Arcieri (Dec 01 2018 at 00:49, on Zulip):

I posted a writeup of an "unsafe features" idea I've been thinking about: https://internals.rust-lang.org/t/crate-capability-lists/8933/2?u=bascule

Tony Arcieri (Dec 01 2018 at 00:49, on Zulip):

it's a sort of halfway point between going full ocap and letting any given crate take over your computer, server, business, etc

briansmith (Dec 02 2018 at 21:13, on Zulip):

@Tony Arcieri What is the problem that you're trying to solve? Avoiding intentionally malicious code, or avoiding accidentally dangerous code?

briansmith (Dec 02 2018 at 21:14, on Zulip):

If it is intentionally malicious code, there are lots of ways to subvert the unsafe mechanism, including sometimes simply defining a #[no_mangle] function named main() or similar

Tony Arcieri (Dec 02 2018 at 22:20, on Zulip):

the former, although as something weaker than "redesign Rust to be an ocap language", which is what some people are pushing

Tony Arcieri (Dec 02 2018 at 22:21, on Zulip):

and yeah, scroll down in that thread, I mention #[no_mangle]

Tony Arcieri (Dec 02 2018 at 22:21, on Zulip):

and suggested it would need to be #[cfg_attr(unsafe_feature = "x", no_mangle)]

Tony Arcieri (Dec 02 2018 at 22:22, on Zulip):

anyway, it's not that I don't want to see ocap features in Rust, it's that they can't work so long as unsafe is available

Tony Arcieri (Dec 03 2018 at 21:33, on Zulip):

heh https://medium.com/agoric/pola-would-have-prevented-the-event-stream-incident-45653ecbda99

Last update: Nov 11 2019 at 23:10 UTC