Hacker News new | ask | show | jobs
by akira2501 1144 days ago
And what dependencies do those dependencies have?
1 comments
AnIrishDuck 1144 days ago
It transitively expands out to 47 unique packages? Still doesn't seem that crazy to me:

  $ cargo tree -e no-build --prefix none | sort | uniq | grep -v sudo | grep -v '\*'
  aho-corasick v0.7.20
  atty v0.2.14
  bitflags v1.3.2
  block-buffer v0.10.4
  cfg-if v1.0.0
  clap_builder v4.1.14
  clap_derive v4.1.14 (proc-macro)
  clap_lex v0.4.0
  clap v4.1.14
  cpufeatures v0.2.6
  crypto-common v0.1.6
  digest v0.10.6
  env_logger v0.9.3
  error-chain v0.12.4
  generic-array v0.14.7
  glob v0.3.1
  heck v0.4.1
  hostname v0.3.1
  humantime v2.1.0
  io-lifetimes v1.0.9
  is-terminal v0.4.5
  itoa v1.0.6
  libc v0.2.140
  linux-raw-sys v0.1.4
  log v0.4.17
  match_cfg v0.1.0
  memchr v2.5.0
  num_threads v0.1.6
  once_cell v1.17.1
  proc-macro2 v1.0.54
  quote v1.0.26
  regex-syntax v0.6.29
  regex v1.7.3
  rustix v0.36.11
  sha2 v0.10.6
  signal-hook-registry v1.4.1
  signal-hook v0.3.15
  strsim v0.10.0
  syn v2.0.11
  syslog v6.0.1
  termcolor v1.2.0
  thiserror-impl v1.0.40 (proc-macro)
  thiserror v1.0.40
  time-core v0.1.0
  time v0.3.20
  typenum v1.16.0
  unicode-ident v1.0.8
link
int_19h 1144 days ago
For something like sudo - which is the kind of app where you want to carefully audit the code line by line - this does look pretty bad.
link
tialaramex 1143 days ago
> the kind of app where you want to carefully audit the code line by line

This should be much less necessary for Safe Rust. The existing C sudo needs libpcre2, and OpenSSL neither of which are small - among other dependencies.

Some of these dependencies do use unsafe Rust in places, and so it's valuable that those places should be inspected carefully (and not only for sudo) - but many do not, humantime for example is entirely safe Rust. Is it possible it has a logic error of some sort? Yes. Is it likely it somehow introduces a security hole? Not really. A C equivalent could easily introduce a critical buffer overflow, use after free or similar but that's not possible in safe Rust.

link
akira2501 1143 days ago
sudo doesn't strictly need OpenSSL. That dependency is part of it's log server client implementation, and it's also available for the plugin system.

I had no idea sudo even had the need for plugins.

Which raises the question, maybe there's a need for two different sudo implementations. One that provides the simplest possible implementation of the feature, and another one that provides fancy log server and plugin integrations.

link
IshKebab 1143 days ago
Are you worried about supply chain attacks? Because those are still extremely rare.

Or are you worried about bugs in dependencies? Because it's not like C sudo doesn't have dependencies.

Would you prefer that they implemented SHA2 themselves rather than using the battle tested crate that everyone else uses?

link
int_19h 1143 days ago
For something like this, I think I would actually prefer that they copied existing code for hashing. It's simple and stable enough to avoid taking a dependency.
link
IshKebab 1142 days ago
Existing code like the code in the sha2 crate??
link
int_19h 1142 days ago
Sure. Or rather the parts of it that they're actually using.
link