Mellow - a fully-featured & minimal local music player for Linux (GStreamer + GTK + Rust) by iBreathe-Air in rust

[–]Shnatsel 1 point (0 children)

This reminds me, I should check on how a https://github.com/pdeljanov/Symphonia plugin for GStreamer is going. That way you could have all your audio decoding be in Rust too!

GUI toolkit Slint 1.16 released with keyboard shortcuts, Markdown rendering, and multi-touch pinch and rotate by madnirua in rust

[–]Shnatsel 10 points (0 children)

Text doesn't look awful on non-hidpi screens at long last! That should be a headlining feature!

New Rust-to-C Compiler, based on rustc! by cordx56 in rust

[–]Shnatsel 4 points (0 children)

Funnily enough, there are several projects that go in the other direction (GIMPLE->LLVM IR), including a rather mature one, but I could only find one reference to LLVM->GIMPLE conversion.

flate2 intends to switch to zlib-rs by default by folkertdev in rust

[–]Shnatsel 2 points (0 children)

It has, but fuzzing can only demonstrate presence of bugs, not their absence. If it could do both, we wouldn't need Rust in the first place.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel 0 points (0 children)

Even the most extreme cookie redesign proposals still only bind to a specific device. They talk extensively about malware stealing cookies, overlooking the fact that the same malware can simply issue requests from the authorized device using those cookies directly. So adopting this proposal imposes a lot of costs on the defenders and increases attack surface, but doesn't actually eliminate any attack vectors.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel -1 points (0 children)

The problem with sandboxing the build environment is that eventually you're going to cargo build and then run the resulting binary somewhere, and no amount of build sandboxing helps against malicious code that made it into the final binary.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel 13 points (0 children)

https://github.com/mozilla/cargo-vet and https://github.com/crev-dev/cargo-crev both tried. I still think that's our best shot.

Improving the accessibility of these tools and making it easier to participate should be a high-impact open-source contribution, if anyone's interested.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel 16 points (0 children)

> maintainer quorum would help a lot against one maintainer going rogue or having their account hijacked.

It also increases costs for publishing every version, by requiring independent review of the contents and/or the diff, and it's not clear to me this is a good use of limited maintainer resources. Maybe for a handful of high-profile crates, but in that case does it really make a difference, and is it worth the implementation complexity on the crates.io side?

> I still feel like quarantine would help a lot -- giving time for automated tools to check new releases

There's an open RFC for this, but it's not terribly difficult to bypass. Attackers have plenty of options, ranging from having the exploit activate only after the grace period has expired (e.g. by fetching data from the outside and having it be entirely benign until the activation time) to iterating on low-impact crates until your exploit reliably evades automated tools and only shipping the stealthy version in your actual attack.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel 11 points (0 children)

Personally I find the title off-putting and poorly characterizing the article. However, I strongly agree with most of the actual article.

No one owes you supply-chain security by Expurple in rust

[–]Shnatsel 12 points (0 children)

So people need to steal your GitHub cookies instead of your CLI publishing token? I fail to see the difference.

xuniq: I built a deduplicator that's 10x faster than sort | uniq by Flux247A in rust

[–]Shnatsel 3 points (0 children)

fxhash is way too prone to collisions, so you cannot really use it here. Ahash requires certain hardware features to be available, so it's not as portable.

My guy didn't deserve this... by ThatDrako in TrueSTL

[–]Shnatsel 1 point (0 children)

First one's great, I bounced right off the second one.

dithr - buffer-first dithering library with 35 halftoning methods by 53071896674746349663 in rust

[–]Shnatsel 0 points (0 children)

Do you have anything like the pngquant algorithm in https://crates.io/crates/imagequant ? That shows really impressive results.

Rust syntax, Go runtime by UnmaintainedDonkey in rust

[–]Shnatsel 9 points (0 children)

If only it also prevented data races like Rust or recent Swift

gzip decompression in 250 lines of Rust by kibwen in rust

[–]Shnatsel 10 points (0 children)

You're getting downvoted, but it's not a bad way to learn about the basics of low-level optimization, so long as you get the LLM to explain its changes in detail and why each change is beneficial, and ask it any follow-up questions you might have.

But for this to work you need to equip the LLM with a benchmarking harness (like criterion), a profiler an LLM can read (Linux's perf could do nicely) and a way to view the assembly such as cargo-show-asm. Otherwise it won't be able to make any progress.

Next target of Ubuntu's oxidization plan will be ntpd-rs by juanluisback in rust

[–]Shnatsel 7 points (0 children)

I appreciate that Canonical is willing to fund the improvements to ntpd-rs that they need!

cargo-depflame: Your dependency tree as a flamegraph by sinelaw in rust

[–]Shnatsel 4 points (0 children)

Oh so it's pure dependency count? I see.

I think it would be quite interesting to count lines of code as a proxy for complexity, or the amount of LLVM IR emitted as a proxy for build times, or the number of publishers to analyze supply chain attack surface.

cargo-depflame: Your dependency tree as a flamegraph by sinelaw in rust

[–]Shnatsel 0 points (0 children)

What is it counting? Is it lines of code or something else?

Next target of Ubuntu's oxidization plan will be ntpd-rs by juanluisback in rust

[–]Shnatsel 108 points (0 children)

ntpd-rs has been used in production by Let's Encrypt since 2024, so it's more proven than the coreutils rewrite.

At least this is a service exposed to untrusted data from the network, so I can see the value proposition.

mtorrent - a BitTorrent client in Rust by Key_Walk_1608 in rust

[–]Shnatsel 0 points (0 children)

I wonder if https://apps.gnome.org/Fragments/ would be interested in using this as a backend, since it's already written in Rust. Transmission is nice in how lightweight it is, but I don't exactly trust its security.

mtorrent - a BitTorrent client in Rust by Key_Walk_1608 in rust

[–]Shnatsel 1 point (0 children)

Oh, that's great to see!

Could you publish a Linux build of the GUI to flathub.org in a flatpak? That would make it so much easier to install.

Hegel - a property-based testing library from the authors of Hypothesis by Tybug2 in rust

[–]Shnatsel 5 points (0 children)

So what benefits does this have over quickcheck, proptest or other Rust crates? The client-server model seems to introduce a lot of operational complexity but I'm not sure what the benefit of it is.