The AWS announcement is more interesting than the Foundation’s announcement: it has a small survey of formal verification tools for Rust, and more details of the logistics. They seem to be aiming the challenges at academics; there aren’t any rewards beyond getting to publish a paper about it, as far as I can see.
Oh I missed that! I wonder why they buried that sentence.
It’s super easy to miss and as far as I can tell it doesn’t say anywhere whether it’s $10 or $10,000.
From the AWS announcement:
In the last 3 years, 57 soundness issues have been filed in the Rust standard library and 20 CVEs have been reported.
I’d be curious to see a more specific reference for this. Since Rust 1.56 was released just 3 years ago, there have been only 13 point releases to Rust stable, with CVEs mentioned only a handful of times (and not all related to the stdlib).
Does this mean that:
Most of these issues get detected before hitting Rust stable? That would imply that the nightly/beta process is working well. And yes, nightly is offered as the “raw snapshot of today” without guarantee, so using a nightly compiler for production isn’t a good security posture anyway.
Anyone not using the latest stable Rust is prone to known security issues, unfixed in their version of the compiler? As far as I can tell, when a CVE is reported, a fix is only proposed on top of the latest stable Rust, nothing is backported to previous Rust versions.
Looking at the Debian changelog for rustc, it’s not like Debian stable is backporting any fixes either.
I see a lot of crates go out of their way to support the oldest MSRV possible, but is that relevant if only the latest stable Rust is supported for security fixes? (Yes some applications like medical devices require the code to still compile in 20 years, but that’s on them to vendor dependencies that compile with the toolchain they pin, and to backport security fixes.)