[binjooou]

A 1000 line long dependency file full of random literally whos code doing god knows what does not instill alot of confidence when I want to build and audit security critical programs.

[Pengtuzi]

You seem to be off by a factor of 100 unless I’m missing something?

[workspace.dependencies] clap = "4.0.32" libc = "0.2.139" thiserror = "1.0.38" glob = "0.3.1" sha2 = "0.10.6" digest = "0.10.6" signal-hook = "0.3.15" log = "0.4.17" syslog = "6.0.1" env_logger = "0.9.3"

[jmillikin]

Those are direct dependencies. The full dependency list is in Cargo.lock, which (as binjooou stated) is currently at 1013 lines.

I love Rust as a language, but one of the challenges with many projects currently written in it is that they follow the NPM model of using dozens of tiny dependencies for even trivial functionality. Luckily this seems to be limited to users of crates.io for now, and maybe things will change as the library situation matures.

[steveklabnik]

> which (as binjooou stated) is currently at 1013 lines.

That doesn't mean there are a thousand dependencies. Dependencies take far more than one line in a lockfile.

[jmillikin]

You may want to re-read their comment. They said "1000 line long dependency file", not 1000 dependencies.

[steveklabnik]

Sure. It's worth pointing out this discrepancy even if they didn't mean to imply it, because not everybody knows that this is the case.

[tempaccount420]

That's not what they said.

[akira2501]

And what dependencies do those dependencies have?

[AnIrishDuck]

It transitively expands out to 47 unique packages? Still doesn't seem that crazy to me:

  $ cargo tree -e no-build --prefix none | sort | uniq | grep -v sudo | grep -v '\*'
  aho-corasick v0.7.20
  atty v0.2.14
  bitflags v1.3.2
  block-buffer v0.10.4
  cfg-if v1.0.0
  clap_builder v4.1.14
  clap_derive v4.1.14 (proc-macro)
  clap_lex v0.4.0
  clap v4.1.14
  cpufeatures v0.2.6
  crypto-common v0.1.6
  digest v0.10.6
  env_logger v0.9.3
  error-chain v0.12.4
  generic-array v0.14.7
  glob v0.3.1
  heck v0.4.1
  hostname v0.3.1
  humantime v2.1.0
  io-lifetimes v1.0.9
  is-terminal v0.4.5
  itoa v1.0.6
  libc v0.2.140
  linux-raw-sys v0.1.4
  log v0.4.17
  match_cfg v0.1.0
  memchr v2.5.0
  num_threads v0.1.6
  once_cell v1.17.1
  proc-macro2 v1.0.54
  quote v1.0.26
  regex-syntax v0.6.29
  regex v1.7.3
  rustix v0.36.11
  sha2 v0.10.6
  signal-hook-registry v1.4.1
  signal-hook v0.3.15
  strsim v0.10.0
  syn v2.0.11
  syslog v6.0.1
  termcolor v1.2.0
  thiserror-impl v1.0.40 (proc-macro)
  thiserror v1.0.40
  time-core v0.1.0
  time v0.3.20
  typenum v1.16.0
  unicode-ident v1.0.8

[int_19h]

For something like sudo - which is the kind of app where you want to carefully audit the code line by line - this does look pretty bad.

[tialaramex]

> the kind of app where you want to carefully audit the code line by line

This should be much less necessary for Safe Rust. The existing C sudo needs libpcre2, and OpenSSL neither of which are small - among other dependencies.

Some of these dependencies do use unsafe Rust in places, and so it's valuable that those places should be inspected carefully (and not only for sudo) - but many do not, humantime for example is entirely safe Rust. Is it possible it has a logic error of some sort? Yes. Is it likely it somehow introduces a security hole? Not really. A C equivalent could easily introduce a critical buffer overflow, use after free or similar but that's not possible in safe Rust.

[akira2501]

sudo doesn't strictly need OpenSSL. That dependency is part of it's log server client implementation, and it's also available for the plugin system.

I had no idea sudo even had the need for plugins.

Which raises the question, maybe there's a need for two different sudo implementations. One that provides the simplest possible implementation of the feature, and another one that provides fancy log server and plugin integrations.

[IshKebab]

Are you worried about supply chain attacks? Because those are still extremely rare.

Or are you worried about bugs in dependencies? Because it's not like C sudo doesn't have dependencies.

Would you prefer that they implemented SHA2 themselves rather than using the battle tested crate that everyone else uses?

[int_19h]

For something like this, I think I would actually prefer that they copied existing code for hashing. It's simple and stable enough to avoid taking a dependency.

[baq]

You don’t need cargo to write software in Rust