posted by Fnord666 on Wednesday April 07 2021, @11:44AM

Most loved programming language Rust sparks privacy concerns

Rust developers have repeatedly raised concerns about an unaddressed privacy issue over the last few years. [...] However, for the longest time developers have been bothered by their production builds leaking potentially sensitive debug information.

In early 2017, a Rust developer filed an issue on the Rust lang's GitHub asking, "How can I stop rustc [from] including system specific information such as absolute file paths of the source it's compiled from in the binaries it generates? [...] These absolute path names revealed the developer's system username and the overall structure of directories, including the home directory."

[...] At first glance, this "leak" of usernames and absolute paths may seem trivial to a reader. However, over the years, many more developers were surprised to notice such information being included not just in debug builds but in their production Rust builds as well [1, 2, 3, 4, ...] and pushed for a change.

[...] Interestingly, despite being a privacy risk, the inadvertent inclusion of metadata such as absolute paths may aid computer forensics experts and law enforcement, as the path could reveal system usernames. Of course, any developer who is aware of this issue can trivially build their Rust applications inside a container and use a pseudonymous username to minimize the impact of the issue.

To understand if Rust considered this a vulnerability or planned on a bug fix, BleepingComputer reached out to the Rust core team for comment.

"We agree that this is a bug worth fixing and will be supporting our teams in solving it," Manish Goregaokar of the Rust team and a senior software engineer at Google told BleepingComputer.

Although it is not known at this time how or when the Rust team plans to resolve this issue, the increased pressure from the developer community seems to be steering Rust maintainers toward action.
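A check for the leak described above, added here as an example and not part of the article or of the Rust project's own tooling: it pulls printable strings out of a binary the way strings(1) does and flags any that carry a home-directory path, reporting the username exposed. The sample bytes are constructed; a real release artifact would be read with std::fs::read.

```rust
// Added example, not the article's code: scan a compiled artifact for embedded
// absolute paths that expose a developer's home directory and username.
#[derive(Debug, PartialEq)]
pub struct Leak { pub path: String, pub username: String }

/// Extract printable ASCII runs of at least `min_len` bytes, like strings(1).
pub fn printable_runs(data: &[u8], min_len: usize) -> Vec<String> {
    let (mut runs, mut cur) = (Vec::new(), Vec::new());
    // A trailing 0 flushes a run that ends exactly at end of file.
    for &b in data.iter().chain(std::iter::once(&0u8)) {
        if b.is_ascii_graphic() || b == b' ' {
            cur.push(b);
            continue;
        }
        if cur.len() >= min_len {
            runs.push(String::from_utf8_lossy(&cur).into_owned());
        }
        cur.clear();
    }
    runs
}

/// Username exposed by a home-directory style absolute path, if the string has one.
pub fn leaked_username(s: &str) -> Option<String> {
    for prefix in ["/home/", "/Users/", "C:\\Users\\"] {
        if let Some(idx) = s.find(prefix) {
            let user: String = s[idx + prefix.len()..].chars()
                .take_while(|c| *c != '/' && *c != '\\').collect();
            if !user.is_empty() { return Some(user); }
        }
    }
    None
}

/// Every embedded string that reveals an absolute home path, with the username it leaks.
pub fn scan_for_leaks(data: &[u8]) -> Vec<Leak> {
    printable_runs(data, 8).into_iter()
        .filter_map(|s| leaked_username(&s).map(|username| Leak { path: s, username }))
        .collect()
}

/// Constructed sample: an ELF-like blob carrying the kinds of path strings a build can embed.
pub fn sample_binary() -> Vec<u8> {
    let mut blob = vec![0x7f, b'E', b'L', b'F', 0x02, 0x01, 0x01, 0x00];
    blob.extend_from_slice(b"/home/alice/projects/app/src/main.rs\0\xff\x13");
    blob.extend_from_slice(b"/home/alice/.cargo/registry/src/example-index/somecrate-0.1.0/src/lib.rs\0");
    blob.extend_from_slice(b"src/main.rs\0"); // relative: what a path-remapped build leaves behind
    blob.extend_from_slice(b"C:\\Users\\bob\\src\\app\\main.rs\0");
    blob
}
```

Beyond the container-and-pseudonym workaround the article mentions, rustc's `--remap-path-prefix=FROM=TO` flag (not discussed in the article) rewrites the embedded prefix at compile time, and a clean scan result is the way to confirm it took effect.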


  • (Score: 2) by hopdevil on Thursday April 08 2021, @01:55AM (2 children)

    by hopdevil (3356) on Thursday April 08 2021, @01:55AM (#1134578)

    Do the people that maintained the code after you have the same attention to those 3rd party libraries? Do you really trust the people that wrote that code or those who take over the project from them?

    This is how you get fucked by security issues, just sayin'

  • (Score: 3, Insightful) by DannyB on Thursday April 08 2021, @04:10PM (1 child)

    by DannyB (5839) on Thursday April 08 2021, @04:10PM (#1134823)

    Most libraries I use are developed by foundations with sponsors, or by communities that maintain things in an open and transparent way. These libraries tend to be widely used and by corporations that can afford to contribute.

    Some libraries are relatively simple and need little maintenance. Being widely used still implies the "many eyes" thing. One library I started using over ten years ago started to become obscure. Another company which uses it in a major product (Jira) now maintains it. So I was pleasantly surprised.

    As for trust, I don't give that easily. But I would point out that the libraries I used are often developed by people in other corporations making large commercial software products. So, in other words, peers.

    I hear what you say about security issues. I pay attention to that. I look for updates, and why updates happen. But this is the typical over-engineered Java boring corporate world, vs the wild west of ${some-other-ecosystems}.

    Your points are well made.

    --
    When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
    • (Score: 2) by hopdevil on Thursday April 08 2021, @04:33PM

      by hopdevil (3356) on Thursday April 08 2021, @04:33PM (#1134835)

      I'm glad you clarified, respect++