Comment by kibwen
3 days ago
> both of these are not the case in practice though
No, people routinely write Rust with no third-party dependencies, and yet people do not routinely write C code that is memory-safe. Your threat model needs re-evaluating. Also keep in mind that the most common dependencies (rand, serde, regex, etc) are literally provided by the Rust project itself, and are no more susceptible to supply chain attacks than the compiler.
I know it's a sensitive topic for a lot of people, but as I said, I love rust. I don't know a lot of rust projects though that don't use any dependencies. In my humble opinion, disregarding the risks of such supply chain attacks is at least as bad as people disregarding the risk of memory unsafe code. But keep in mind, I'm not saying don't use rust.
mamma mia! one day anyhow and anyerror will be backdoored it's inevitable
People also write Rust code that is not memory-safe.
https://materialize.com/blog/rust-concurrency-bug-unbounded-...
But not "routinely".
How can you be sure? When I looked at for instance sudo-rs, it proclaimed loudly that it is memory safe, but its code has lots of unsafe.
https://github.com/trifectatechfoundation/sudo-rs
https://grep.app/search?f.repo=trifectatechfoundation%2Fsudo...
And Miri is very popular in Rust. Even if a Rust project doesn't have unsafe, sometimes people still run Miri with it, since dependencies might have messed up their unsafe usage.
3 replies →
The vast majority of Rust code out there doesn't use the `unsafe` keyword at all, and the vastly smaller amount of unsafe code that exists allows for focused and precise testing and verification. You really have no idea what you're talking about if you're trying to say that Rust is anywhere in the ballpark of C or C++ here.
Indeed, unsafe Rust is overall more difficult than C++, like one speaker at a Rust conference claimed: https://lucumr.pocoo.org/2022/1/30/unsafe-rust/
And you are not being honest nor accurate here.