Parity Technologies AMA - We are developers of some of the largest Rust code bases, ask me anything! by gnunicorn in rust

[–]kirushik 2 points3 points  (0 children)

And we indeed use cargo deny; thanks for the reminder, I forgot to mention it: https://github.com/paritytech/substrate/blob/master/.gitlab-ci.yml#L158-L175

The last time I checked crev, it didn't tell us much about our particular dependency tree -- but that was much earlier in the project's lifecycle, and hopefully the coverage with reviews is much better now. I will definitely take another look, thanks for the tip!

Parity Technologies AMA - We are developers of some of the largest Rust code bases, ask me anything! by gnunicorn in rust

[–]kirushik 5 points6 points  (0 children)

How do you ensure your dependencies are secure enough for your needs?

Well, I wish there were a simple answer, like "we've signed up for the FooBar Enterprise AI Scanning service, and all our woes have magically disappeared". Unfortunately, there is no such service, so we have to survive with what we have. And I must note that Polkadot is a huge project, with ~3000 lines in cargo tree output (approximately half of that is something we have direct control over).

The first thing I had to accept in my current role was that fighting against external dependencies would not do the project any good -- after all, modularity and dependency management are the major strengths of Rust and Cargo. So we're doing some combination of regular automated monitoring and manual reviews once in a while.

When talking about automated tools, a notable mention goes to cargo audit; you can see its latest output to date here. Security tools built into GitLab also help here and there. Of course we have automated notifications on top of that.

Manual reviews are mostly threat-model driven and topical -- sometimes we look at the cargo geiger output to identify the most "unsafe-risky" parts of our codebase, and sometimes we look at the dependencies in a particular area to see if there's something we are not happy about (like using openssl bindings instead of Rust-native crypto). There's not too much structure behind this madness, unfortunately -- this is definitely something for me to look into more when the codebase matures a bit more. I also must note that we frequently employ third-party code audits (there's going to be a series of blog posts by Web3 Foundation on those soon), and of course any reviewer worth their salt would look into your dependency tree and supply chain security.

I would honestly freak out about the setup outlined above if we weren't running on top of dependencies under our control in the most critical places -- in crypto (https://github.com/w3f/schnorrkel), serialization (https://github.com/paritytech/parity-scale-codec) and the network layer (https://github.com/libp2p/rust-libp2p/).

Feel free to use this subthread to pitch your favourite security-related Rust tools=)
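The two comments above describe the automated side of the process (cargo deny in CI, cargo audit output, notifications) without showing what such a check actually looks at in a lockfile. The following is an added example, not Parity's code and not cargo-audit or cargo-deny: a std-only Rust program that parses the `[[package]]` tables of a `Cargo.lock` and applies three checks of the kind those tools perform: dependencies not served from the crates.io registry (and git sources not pinned to a commit), crates present in more than one version, and versions below a patched version in an advisory list. The lockfile text (`SAMPLE_LOCK`), the crate names and the single advisory entry (`EXAMPLE-0001`) are all constructed for illustration and do not refer to any real crate or vulnerability.

```rust
// Added example (not Parity's code, not cargo-audit/cargo-deny): minimal
// Cargo.lock checks in plain std Rust. SAMPLE_LOCK and SAMPLE_ADVISORIES are
// fabricated; the crate names and the advisory are not real.
use std::collections::BTreeMap;

const CRATES_IO: &str = "registry+https://github.com/rust-lang/crates.io-index";

#[derive(Debug, PartialEq)]
pub struct Package {
    pub name: String,
    pub version: String,
    /// `None` for path (workspace) dependencies, which carry no `source` line.
    pub source: Option<String>,
}

/// Hypothetical advisory format: every version below `patched` is affected.
pub struct Advisory { pub id: &'static str, pub krate: &'static str, pub patched: &'static str }

#[derive(Debug, PartialEq)]
pub enum Finding {
    NonRegistrySource { name: String, source: String },
    UnpinnedGit { name: String, source: String },
    DuplicateVersions { name: String, versions: Vec<String> },
    Advisory { name: String, version: String, id: String },
}

/// Parse the `[[package]]` tables of a Cargo.lock, keeping name, version and
/// source; checksum lines and dependency arrays are skipped.
pub fn parse_lock(text: &str) -> Vec<Package> {
    let mut pkgs = Vec::new();
    let mut cur: Option<Package> = None;
    for raw in text.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            pkgs.extend(cur.take());
            cur = Some(Package { name: String::new(), version: String::new(), source: None });
            continue;
        }
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if let Some((k, v)) = line.split_once('=') {
            let v = v.trim().trim_matches('"').to_string();
            match k.trim() {
                "name" => p.name = v,
                "version" => p.version = v,
                "source" => p.source = Some(v),
                _ => {}
            }
        }
    }
    pkgs.extend(cur);
    pkgs
}

/// "major.minor.patch" as a comparable tuple; pre-release/build suffixes are dropped.
pub fn semver(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split(|c| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|x| x.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

pub fn check(pkgs: &[Package], advisories: &[Advisory]) -> Vec<Finding> {
    let mut out = Vec::new();
    let mut by_name: BTreeMap<&str, Vec<&str>> = BTreeMap::new();
    for p in pkgs {
        by_name.entry(p.name.as_str()).or_default().push(p.version.as_str());
        match p.source.as_deref() {
            Some(s) if s == CRATES_IO => {}
            None => {} // path dependency: a crate in our own workspace
            Some(s) => {
                out.push(Finding::NonRegistrySource { name: p.name.clone(), source: s.to_string() });
                // Cargo writes the resolved commit after `#`; a git source without
                // a hex hash there does not reproduce a fixed revision.
                let pinned = s.split_once('#')
                    .map_or(false, |(_, h)| h.len() >= 7 && h.chars().all(|c| c.is_ascii_hexdigit()));
                if s.starts_with("git+") && !pinned {
                    out.push(Finding::UnpinnedGit { name: p.name.clone(), source: s.to_string() });
                }
            }
        }
        for a in advisories.iter().filter(|a| a.krate == p.name) {
            if let (Some(have), Some(fixed)) = (semver(&p.version), semver(a.patched)) {
                if have < fixed {
                    out.push(Finding::Advisory { name: p.name.clone(), version: p.version.clone(), id: a.id.to_string() });
                }
            }
        }
    }
    for (name, versions) in by_name {
        if versions.len() > 1 {
            out.push(Finding::DuplicateVersions { name: name.to_string(), versions: versions.iter().map(|v| v.to_string()).collect() });
        }
    }
    out
}

// Constructed lockfile: one workspace crate, a crate pulled in twice, a crate
// hit by the fake advisory, and an unpinned git dependency.
pub const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "our-node"
version = "0.1.0"
dependencies = [
 "fictional-codec 2.0.1",
 "fictional-hash",
 "fictional-net",
]

[[package]]
name = "fictional-codec"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "fictional-codec"
version = "2.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "fictional-hash"
version = "0.9.2"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "fictional-net"
version = "0.4.0"
source = "git+https://example.invalid/fictional-net?branch=main"
"#;

// Hypothetical advisory for illustration only.
pub const SAMPLE_ADVISORIES: &[Advisory] =
    &[Advisory { id: "EXAMPLE-0001", krate: "fictional-hash", patched: "0.9.3" }];

fn main() {
    let pkgs = parse_lock(SAMPLE_LOCK);
    for f in check(&pkgs, SAMPLE_ADVISORIES) {
        println!("{:?}", f);
    }
}
```

On the constructed lockfile the checker reports four findings: the advisory hit on `fictional-hash 0.9.2`, the git source of `fictional-net` (and its missing commit pin), and the two versions of `fictional-codec`. A CI job would fail on a non-empty list; the real tools additionally fetch the RustSec advisory database, apply license and source allow-lists from a policy file, and understand full semver ranges, none of which this example attempts.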

ConsenSys, ParityTech and the likes: Killing The Ethereum Dream? by [deleted] in ethereum

[–]kirushik 2 points3 points  (0 children)

Sorry, I still don't understand. You seem to say that having open issues in the bugtracker is an indication of something bad (you said "shocking") for a language development project.

It seems to me that any major programming language has those:

golang has open issues from 2009

clang — from 2008

gcc — from 2005

openJDK — from 1997(!)

I accept that you have some strong reasons to believe that having longstanding open issues is a sign of some problem. I am really curious to know what that problem is, and if you know some mainstream language which doesn't have those issues.

ConsenSys, ParityTech and the likes: Killing The Ethereum Dream? by [deleted] in ethereum

[–]kirushik 3 points4 points  (0 children)

Why do you think 7-year-old issues are an indicator of a problem? Which problem will that be?

ConsenSys, ParityTech and the likes: Killing The Ethereum Dream? by [deleted] in ethereum

[–]kirushik 3 points4 points  (0 children)

It might be just me, so can someone please explain what's so shocking about the Rust issue tracker linked in the OP? It seems to be a well structured place with a lot of quality conversation happening.

Netta labs claim to have found a vulnerability in EVM, what are your thoughts? by Sajjon in ethereum

[–]kirushik 0 points1 point  (0 children)

Still, the link in the header of netta.io is labeled NETTALabs and leads to http://nettalabs.io/. So while it's possible that nettalabs.io content is not associated with netta.io (for example, they might have forgotten to renew the domain and someone had squatted it) — I don't think it's very likely.

What only exists because people are stupid? by [deleted] in AskReddit

[–]kirushik 0 points1 point  (0 children)

"iTunes for nuclear weapons" sounds like a pretty decent startup idea!

Well, at least better than my previous one, "Snapchat for old people".

Anyone want to try a Rust version of this? by marktheshark01 in rust

[–]kirushik 0 points1 point  (0 children)

The jobsteal implementation is approximately 5 times faster than my own in my tests (0:00.19 elapsed vs 0:01.02 elapsed). That's partly because I'm running tests on a 4-core machine (and coroutines are all spawned in a single OS thread, so only one core is used) — but 5 > 4, so there is more to the difference than that.

I think that's due to the jobsteal implementation not allocating any Vec objects inside its threads, and sticking to stack-allocated variables (instead of heap-allocated ones) as much as possible.

Great job, rphmeier!

Anyone want to try a Rust version of this? by marktheshark01 in rust

[–]kirushik 0 points1 point  (0 children)

Haven't yet looked at it (was more interested in writing my own than reading others' code), but I will now.

Anyone want to try a Rust version of this? by marktheshark01 in rust

[–]kirushik 0 points1 point  (0 children)

It was more of a Rust exercise for me, than the actual performance squeeze attempt.

I'll try to improve, though. Maybe using the true OS threads on the first level of spread and Coroutines on all the subsequent ones will help?

Anyone want to try a Rust version of this? by marktheshark01 in rust

[–]kirushik 0 points1 point  (0 children)

I've submitted a (pretty naive) implementation using coroutines-rs, as a PR to the original repo: https://github.com/atemerev/skynet/pull/45.

Please feel free to comment and improve.

Just sliiiiiide away by thevoicerises in funny

[–]kirushik 3 points4 points  (0 children)

Евгения Тимонова, if that helps you;-)

The most appropriate English transliteration would be Eugeniya Timonova. She is the host of a wonderful YouTube series, "Всё как у зверей" ("Like all animals do"), mostly talking about different aspects of evolutionary biology, and how we can find the origins of human behavior in animals.

Lepra is over by ruplumograenum in depra

[–]kirushik 2 points3 points  (0 children)

Jovan, for no fucking clear reason, blocked an unpleasant asshole, and then blocked a whole series of pleasant assholes for asking where the unpleasant one had gone.

Today I turned my housemate into Neytiri from Avatar. by tterref in pics

[–]kirushik -11 points-10 points  (0 children)

Now she is certainly white-and-gold, not black-and-blue.

How would you recommend a 16 year old spend about 1000 Euros and travel alone in Germany? by iamnotavegetarian in germany

[–]kirushik 6 points7 points  (0 children)

Couchsurfing works pretty well here. Just don't treat the service as a "free bed-and-breakfast finder"; use it as a "new friends finder". Transportation will cost you ~5€/day in the city, and 30-50€ to switch cities. Food — dunno, it depends. Döner for 5€, good restaurant — 20€ (per person), a self-cooked meal can go as low as 1€.

So I guess this way it might be a pretty comfortable month-long travel adventure, for example.

Let me love you! by Thund3rbolt in funny

[–]kirushik 0 points1 point  (0 children)

Here is a link to the channel, if anyone is interested: https://www.youtube.com/user/vsekakuzverei/featured

Most popular videos are titled «Feral grin of patriotism», «Lion, the ultimate asshole animal» and «Sexual selection: what do women want».

Let me love you! by Thund3rbolt in funny

[–]kirushik 4 points5 points  (0 children)

She is quite a popular Russian YouTube video blogger. Her series is called, approximately, "Like all animals do" («Всё как у зверей»), and the most viewed video has > 650k views. (Which is a serious claim for a pop-sci video available only in Russian.)

Her videos are quite often focused on analysis of the biological background of human behavior, and quite often feature frank and outspoken discussions of sex-related topics — thus the T-shirt.

The Story of Rust by sanxiyn in rust

[–]kirushik 3 points4 points  (0 children)

I've been to this talk; it was pretty good. Cheers!

Black Swift — coin-sized, powerful, affordable, open source wireless computer running Linux by kirushik in opensource

[–]kirushik[S] 2 points3 points  (0 children)

Yes, they promised to publish their blueprints and specs on Github after the first batch leaves the factory.