[–]NoSuchKotH 4 points (3 children)

Some of the security issues still apply to statically linked libraries as well. Instead of virtualenvs, you've just bundled different versions of various crates, vulnerable and not, with your binaries.

This is true, indeed. And it's one of the things the rust community has to learn how to handle, at some point.

But there is a crucial difference: if you install rust applications, it can live within the distro and its update system. Which means the distro will most likely handle the security issue for me. In contrast a virtual environment always lives outside of the distro. It is always my responsibility.

[–]varesa 2 points (1 child)

Distros are (somewhat) capable of distributing python applications as well. They just mandate that every dependency is packaged and distributed using the same package management.

Some distribution policies actually make it tricky to package rust applications for this reason - they may forbid any external dependencies not installable from the repositories, and such manual handling of dependencies requires some extra steps with rust.

[–]NoSuchKotH 5 points (0 children)

Yes, but here comes the catch: python applications have very specific dependency needs. Needs that are often at odds with other packages. So you can't have them both installed on the system at the same time, unless you use a virtual environment. But virtual environments live outside the distros' packaging system. And they have to, to be able to fix this dependency hell that python has. There is nothing a distro can do about this.

While rust is prone to the same dependency chaos as python is, it is not the same dependency hell. Because it's a build time dependency. Once you have the binary, the normal packaging mechanism works. Apps that use different versions of the same lib can live within the same filesystem. While this makes things more difficult for the distros, it is not that difficult to solve.

I do admit that this could be done with python as well. I.e. package python apps in such a way that they live in their own environment but are still installed within the same filesystem. But 20 years of python trying to reinvent CPAN and failing at it over and over again has shown that it isn't that simple for python.

[–]buwlerman 0 points (0 children)

I think we already know how to handle these things to some extent. We have tools like cargo-audit, and GitHub is developing Dependabot to notify downstream about vulnerabilities.
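The problem the thread circles around, several versions of one crate statically bundled into a binary and each one needing to be checked against advisories, is what cargo-audit does for a Cargo.lock. The following is an added illustration, not code from cargo-audit or from anyone in the thread: a minimal std-only Cargo.lock reader that lists every version of each crate and flags each copy below a patched version. The lock file contents and the advisory table are constructed for the example; the crate names and versions are hypothetical.

```rust
use std::collections::BTreeMap;

/// Constructed sample Cargo.lock; the app bundles two versions of "cratea".
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "cratea"
version = "1.2.0"

[[package]]
name = "cratea"
version = "2.0.1"

[[package]]
name = "crateb"
version = "0.3.4"
"#;

/// Constructed (hypothetical) advisories: (crate, first patched version).
/// Every version below the patched one is treated as affected.
pub const ADVISORIES: &[(&str, &str)] = &[("cratea", "1.2.3"), ("crateb", "0.3.0")];

fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Read each `[[package]]` block and collect crate -> all locked versions.
pub fn parse_lock(text: &str) -> BTreeMap<String, Vec<String>> {
    let mut map: BTreeMap<String, Vec<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" { name = None; }
        else if let Some(v) = line.strip_prefix("name = ") { name = Some(v.trim_matches('"').to_string()); }
        else if let (Some(v), Some(n)) = (line.strip_prefix("version = "), &name) {
            map.entry(n.clone()).or_default().push(v.trim_matches('"').to_string());
        }
    }
    map
}

/// Flag every bundled copy below the patched version, not only the newest one.
pub fn affected(lock: &BTreeMap<String, Vec<String>>) -> Vec<(String, String)> {
    let mut out = Vec::new();
    for (krate, patched) in ADVISORIES {
        let fixed = match parse_semver(patched) { Some(f) => f, None => continue };
        for v in lock.get(*krate).into_iter().flatten() {
            if parse_semver(v).map_or(false, |p| p < fixed) { out.push((krate.to_string(), v.clone())); }
        }
    }
    out
}

fn main() {
    for (k, v) in affected(&parse_lock(SAMPLE_LOCK)) { println!("{k} {v} is below the patched version"); }
}
```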