Hacker News

So many of the CVEs against Rust crates are actually against the bindings for things like ssl, glibc, and libcurl. I think accepting small growing subsets of ssl and curl for native implementation would be a good idea. And relibc too I suppose. Go went this route, and while it caused some headaches porting to new kernels, it has lots of benefits too.



Go has had to roll back on that decision.

Rust, while much safer, also needs care if any crate makes use of unsafe, even in pure Rust.

https://thesquareplanet.com/blog/the-story-of-a-rust-bug/

Yes, it is in the libc bindings, but the logic error is on the Rust side.


That story seems to be about missing code/functionality, more than anything about a vulnerability. There is way more unsafe out there than there should be. Bindings are one of the very few cases that must have it.



