libflate and bragging about it has set off a chain of events that led to discovery of UB in spin crate (used by #[no_std] mode) plus a hopefully safer rewrite, discovery of UB in image as well as further audit of reqwest that's currently ongoing.
This was made possible by @Lokathor creating a #black_magic channel in Rust community Discord (https://bit.ly/rust-community) which attracted people who know UB when they see it. This looks like a solid start for the "safety effort similar to libs blitz" goal for this year.
Sadly I will not be able to lead that charge for much longer because I have a month of being mostly if not totally offline ahead of me, but I'm really glad to see that it's happening.
And by the way, the new rewritten spin crate could use an audit.
Code without the annoying diffs: https://github.com/64/spin-rs/blob/master/src/rw_lock.rs
The libs-blitz-like effort could use some organizational resources - mostly a structured(ish) guide to doing it plus a way for people to claim crates for audit to avoid duplication of effort and also a way to track results. The results will be very helpful to inform clippy lints and/or new safe abstractions.
cargo crev might be an interesting way to track progress
Yeah, I thought of that already. Maybe not track as it's ongoing, but record the results of your analysis in crev - definitely.
actually I should record the fact that I cleansed libflate of unsafety in crev
and file RustSec advisories too
so wait, safe Vec::append_from_within or not?
It does need it. I've just copied the implementation from RFC into a crate, so the unsafe block is now in a crate instead of libflate itself.
the other missing part is safely creating a CString from
@Tony Arcieri could you create a repo called "safety blitz" under the WG? We'll use the issue tracker mostly, to keep track of which crates were audited and which still need auditing. And if they can't be made unsafe-free, what's stopping them
I cannot create repos due to legal restrictions
Looks like I've started https://github.com/rust-secure-code/wg/issues/19 without really intending to
safety 'blitz' implies some sort of temporary project, maybe there's a better name?
It was kind of intended to be temporary - we audit the key crates of the ecosystem, remove unsafety from them and add clippy lints or safe abstractions that allow doing the same things safely where it wasn't possible before. That should prevent any further unsafety creep. Moreover, many of these abstractions have already landed, like to_bytes/from_bytes, and crates just need to be brought up to date.
@Tony Arcieri ping? Any updates on this?
ohai, whoops https://github.com/rust-secure-code/safety-blitz
@Shnatsel I have been informed "blitz" as a name did not go over well for the "libs blitz" and perhaps we should select something different
safety dance? :sweat_smile:
I have been told to ask #community-team for help on Discord if we have trouble coming up with a name
heh, eh. yeah, hi!
also you can just ask any question here
Also, with these kinds of projects: habitually ping the community team to help you in marketing :). That's what we're there for!
yes, thank you!
I have tentatively renamed the repo to safety-dance and I guess I'll see what @Shnatsel thinks
IDK, I have an image of dance in programming as something negative. Like, writing boilerplate or some such.
Also apologies for my low participation lately, I'm currently traveling
@Shnatsel #community-team (on Discord) has offered to help pick a name if you don't like
For me, "dance" is actually somewhat appropriate, given the circuitous coding that is sometimes necessary to avoid momentary exposure to UB. But I think of it more like dancing on hot coals, because of the difficulty in determining the steps needed to get safely from the starting point to the finish line.
how about: safety-survey, unsafety-purge, safety-audit, safety-probe, safety-review
+1 for unsafety-purge or safety-review. For me, the terms survey, audit and probe all have somewhat inaccurate connotations.
I defer to the community team on this.
I've described the effort in more detail in #community-team on the official Rust Discord, waiting for their input
this is neat @Joshua Liebow-Feeser https://www.reddit.com/r/rust/comments/cfh8la/thinking_of_using_unsafe_try_this_instead/