This situation is the sad and absurd result of two processes going on in the Rust community.
The first is that the Rust community on Reddit is in a feedback loop of groupthink and outrage, making it into a powerful vector for harassment. The maintainer of the actix project had a particularly terrible experience of escalating harassment from the users of this subreddit, and it's extremely sad. This has caused a lot of grief for the maintainer of actix and prevented real (but far overblown) code issues from being fixed in a productive way.
But I think Steve undersells the absurdity of the unsafe anxiety. Some Rust community members are conflating two wildly different scenarios together. The first is a library exposing an API which, if used in an unlikely and contrived way, could result in a program using that library containing undefined behavior. Then, since that program has undefined behavior, it could contain a memory bug. If that were the case, someone could potentially exploit that bug to attack a user of that program. You'll notice this is a series of conditional statements - it's a funnel of decreasing probability.
So yes, library APIs which can allow UB in safe code - even unlikely and contrived safe code - must be fixed. The goal of Rust is that safe APIs can never cause UB. But people should have a proportionate understanding of the risk profile of these bugs (again: a programmer using this API in an unlikely way could create a program with a bug that could potentially be exploitable). This is a minuscule increase in the risk of another heartbleed, it is not the same thing as heartbleed.
The spark that lit the kindling of the toxic Reddit community was a blog post by Shnatsel, a member of the RustSec team. This blog post didn't get attention here, but I want to take a moment to look at how ridiculously it frames things by examining its analysis of a different project: reqwest (sort of the most standard HTTP client library in Rust).
The fuzz test, which is what the library is about, found no security issues. It found some hangs in 6% of cases and Shnatsel traces them to a known deadlock issue. This is a great result.
But Shnatsel spends most of this talking about a custom hashmap implemented in the http library, which the RustSec group did a security audit of just a few months ago. That security audit found only two issues, both UB that would result from a contrived use of a minor library API (they are linked in the blog post, but not explained). These two issues were fixed, and the fix released, by the maintainers of the http crate in 10 days.
This is an incredible success! The security audit of a foundational library found two minor issues which were promptly fixed, and the fuzz confirms that the entire stack on top of it seems to contain no memory issues. Wonderful result, but how does Shnatsel frame this?
> First things first: it didn’t segfault! I am actually impressed because I had really low expectations going into this.
Come on! The blog post is full of these kinds of snide zingers which are totally unfounded in the face of the actual evidence presented. When you have someone writing in this disingenuous, mean-spirited way about open source maintainers and then putting this in front of a groupthinking rage machine community like Reddit, of course you're going to get harassment. This behavior is totally unacceptable, and it's very sad to see it promoted in the Rust community.
That article from Shnatsel is really stunning, just everything about it is negative and snarky, to a comical point. His avatar is a cartoon pony doing a facepalm! I find it kind of funny that the author of this has singled out reddit for criticism when seemingly prominent members of the Rust community are perfectly willing to be so openly toxic.
Being negative and snarky about crappy, hacked-together code that might cause security issues all over the place is not a bad thing. Yes, most of the snark there is about 'http' crate with its weird custom implementation of basic data structures.
'Crappy' and 'hacked-together' are literally just insults, they don't carry real technical criticism and frankly they just continue to undermine the credibility of the author. The fact is that 'crappy' code is the most used http crate by far. Clearly everyone in the rust community must be an idiot to be using it. I'm sure the author went off and wrote a totally safe replacement for it. See, now we all get to be dicks to each other rather than actually working to fix stuff.
The first step in working to fix stuff is being aware of the issues - there's nothing "insulting" about that. Unsafe blocks without any clearly-stated rationale and safety analysis is quite subpar quality. Just because it's common and a "most used crate" does not make it OK, leftpad was widely used too.
With all due respect, you are not the universal arbiter of "crappy"-ness and "hacked-together"-ness, nor is anybody else. My guess is that you have concerns about the library, and you are absolutely within your right to say so. Your concerns may even have significant substance to them; or perhaps there is additional perspective that could change your mind.
Unfortunately, presenting your view and judgement as a statement of objective fact not only shuts down potentially valid counter-argumentation, but it's also inflammatory/insulting because it misrepresents your agency in the situation, and diminishes the efforts/personhood of those who contributed to the library.
It's understandable that you might want to use such phrasing as short-hand from time to time, but saying it out loud, especially in a public venue is regrettably demonstrative of a lack of self-awareness. It drowns out your message regardless of its merit, and pushes other people away. It's a reductive way of thinking, and it does everybody (including yourself) a disservice.
In the words of Groucho Marx: "I don't want to belong to any club that would have me as a member."
We could all choose to be sour and jaded, fighting over scraps in a futile search for self-worth –OR– we could each take it upon ourselves to be the standard-bearers of what was, and hopefully will remain, a warm and inviting place for meritorious debate. I choose the latter.
It is absolutely a bad thing to be negative and snarky. It sows resentment within the community and taints potentially valid points. One can express legitimate concerns and be heard without putting oneself on a pedestal or diminishing the self-worth of others. We as a community must take responsibility for fostering a merit-based discourse, and reject pettiness and snark.
What sows resentment is being repeatedly dismissive of serious problems, as we're seeing with this hackish use of 'unsafe' features - that's an attitude that diminishes the self-worth of others, if I ever saw any. If anything, a bit of irony and snark can be helpful in underlining a sharp, pointed critique, while de-escalating the sorts of petty, antagonizing attitudes that we've seen in this case.
I think I understand what you are getting at. Though there may be disagreement on exactly where the lines should be drawn, I think it’s important to underscore the value of patience on the part of everyone in the conversation.
The rust community has a position on these things, but perhaps it isn’t as well-documented or refined as it could be.
No doubt, having to contend with this issue is frustrating for all parties. I think it’s important however to help people feel heard and respected even if we don’t agree with them. One of the burdens as a pillar of the community is the necessity to rise above that frustration (articulating it in an emotionally intelligent manner when necessary) – to focus on educating, and hearing constructive criticism.
That said, candidly it's not helpful to talk about using snark as a means of being heard. It's like saying "I'll put down my weapons after you put down yours."
Let's not bury the lede here: people are coming to Rust because they see, and are excited by, its potential. They are passionate about making the language better. I think we should hear them, search for patience, and disagree without being disagreeable. We will go a LOT further together through collaboration than we can through divisive rhetoric.
Didn't the Rust stdlib just gain a high-performance hash map recently? Is there a real case for using a custom implementation in reqwest? I could see Shnatsel getting a bit frustrated wrt. that choice.
The reason the `http` crate has a "bespoke hashmap implementation" is not because "performance", it's because _HTTP headers call for different behavior than `std::collections::HashMap`_. Some of the differences in behavior include:
- The map needs to be a multimap.
- Insertion order needs to be preserved.
While `std::collections::HashMap` is an excellent HashMap, it is not a good fit for HTTP headers.
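The two requirements listed in the comment above (multimap semantics and preserved insertion order) are easy to see in code. The following is an added example, written for this page and not code from the `http` crate or from reqwest: a minimal header map built on std only, with case-insensitive names, placed next to a plain `std::collections::HashMap` fed the same constructed header block. The struct name `HeaderMap`, the method names and the sample headers are all assumptions made for the example.

```rust
// Added example (not code from the http crate): a minimal insertion-ordered,
// case-insensitive multimap for HTTP headers, built on std only, to show the
// two behaviours the comment above says std::collections::HashMap lacks.
use std::collections::HashMap;

/// Header names are case-insensitive, so the map normalises them on the way in.
fn normalise(name: &str) -> String {
    name.to_ascii_lowercase()
}

/// A tiny multimap that keeps every value and remembers insertion order.
#[derive(Debug, Default)]
pub struct HeaderMap {
    entries: Vec<(String, String)>,
}

impl HeaderMap {
    pub fn new() -> Self {
        Self::default()
    }

    /// Append a value; earlier values for the same name are kept (multimap).
    pub fn append(&mut self, name: &str, value: &str) {
        self.entries.push((normalise(name), value.to_string()));
    }

    /// First value recorded for a name, if any.
    pub fn get(&self, name: &str) -> Option<&str> {
        let key = normalise(name);
        self.entries.iter().find(|(n, _)| *n == key).map(|(_, v)| v.as_str())
    }

    /// Every value for a name, in the order they were appended.
    pub fn get_all(&self, name: &str) -> Vec<&str> {
        let key = normalise(name);
        self.entries
            .iter()
            .filter(|(n, _)| *n == key)
            .map(|(_, v)| v.as_str())
            .collect()
    }

    /// Distinct names in first-seen order (insertion order preserved).
    pub fn names(&self) -> Vec<&str> {
        let mut seen: Vec<&str> = Vec::new();
        for (n, _) in &self.entries {
            if !seen.contains(&n.as_str()) {
                seen.push(n.as_str());
            }
        }
        seen
    }

    /// Total number of (name, value) pairs stored, duplicates included.
    pub fn len(&self) -> usize {
        self.entries.len()
    }
}

/// Parse a raw "Name: value" header block into the multimap.
pub fn parse_headers(raw: &str) -> HeaderMap {
    let mut map = HeaderMap::new();
    for line in raw.lines() {
        if let Some((name, value)) = line.split_once(':') {
            map.append(name.trim(), value.trim());
        }
    }
    map
}

/// Same input through std HashMap: a repeated name overwrites the earlier
/// value and iteration order is unspecified.
pub fn parse_into_hashmap(raw: &str) -> HashMap<String, String> {
    let mut map = HashMap::new();
    for line in raw.lines() {
        if let Some((name, value)) = line.split_once(':') {
            map.insert(normalise(name.trim()), value.trim().to_string());
        }
    }
    map
}

/// Constructed sample header block; note the repeated Set-Cookie header
/// written with two different capitalisations.
pub const SAMPLE: &str = "Host: example.invalid\r\n\
Set-Cookie: a=1\r\n\
Content-Type: text/plain\r\n\
set-cookie: b=2\r\n";

fn main() {
    let headers = parse_headers(SAMPLE);
    println!("names in order: {:?}", headers.names());
    println!("all Set-Cookie values: {:?}", headers.get_all("Set-Cookie"));
    let flat = parse_into_hashmap(SAMPLE);
    println!("HashMap kept only: {:?}", flat.get("set-cookie"));
}
```

Running it shows the multimap keeping both `Set-Cookie` values in the order they arrived and listing names in request order, while the `HashMap` version silently keeps only `b=2`; for headers such as `Set-Cookie`, where each occurrence carries a separate value, that loss is exactly why a general-purpose map is the wrong fit.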
High performance relative to what? In the highest performance code, you will always want your own data structures, ones specialized for your particular use case. Generic facilities will never be quite as good. A general purpose language must support this kind of specialization.
Here's the link: https://medium.com/@shnatsel/smoke-testing-rust-http-clients...