-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Supply chain security / simplify dependencies #152
Comments
Great point. Let's go together through list of dependencies and let's check what we use them for and how much work it would be to replace some of them. |
List of dependencies with uses, and some preliminary commentary:
libc = "0.2"
subprocess = "0.2"
|
A sensible approach might be:
This will leave us with libc, signal-hook, subprocess, and maybe a logging lib, which we can then consider further. |
A deeper matter is also what is pulled in recursively by the packages that we do keep. Cargo.lock is currently almost 700 lines, naming 74 packages, including many packages with names like "android*" and "wasm*", none of which are obvious for us. It's possible some of these dependencies can be controlled by features, and for the dependencies we can't get rid of we should definitely investigate that. Also, we should be mindful of recursive dependencies when purging. Trying to get rid of |
Sensible rules for taking new dependencies might be:
(In addition to an existing rule that I'm not sure we're paying attention to: are we only pulling in code with a compatible and desirable license?) |
Additional background: https://research.swtch.com/deps |
For #152 - remove wait-timeout dependency
With all the patches applied we are down to 4 explicit dependencies and 8 dependencies in total (and code size is reduced by approximately 75%). Of the 4, only libc comes from the rust project proper, the other three being signal-hook, page_size, and subprocess. Of the 8, signal-hook pulls in a private dependency, and subprocess pulls in 3 packages for winapi, which we do not need but it's not really in the way, probably. |
For #152 - Remove env_logger and log dependencies
With the patch to remove the dependency of signal-hook we may have come to the end of the line. I'm skeptical of trying to remove subprocess, even though it might be possible to replace it with std::process. We might reconsider if we decide to fix #88. Instead, I will spend some time vetting the subprocess library and see if we might consider pinning the version. |
Re subprocess: On hniksic/rust-subprocess#71 we read "The library is currently not very actively maintained, since std::process now has many more features compared to when I started writing subprocess." Indeed the last release was in May, 2022. There are no serious open bugs and crates.io shows a steady stream of downloads, but there isn't any evidence that this library is the best long-term bet. |
The fix to #88 will simplify removing the |
Fix #152 - Bump version, documentation, tidy up
This has been on my mind for a while but the recent exploitation of xz makes it a good time to talk about it. Sonar runs (or will run) on every node on almost every supercomputer in Norway. It pulls in not too many dependencies but some of them (clap, serde, libc) are quite large and actively maintained and some (subprocess, libc) are expected to do dark things by their nature.
https://news.ycombinator.com/item?id=39902241
https://research.swtch.com/xz-timeline
serde is an interesting case in point because for a while (possibly still but I've not been able to substantiate that) it shipped a precompiled binary in order to speed up compilation time, serde-rs/serde#2538. With this type of setup, vetting what we pull in and how it works is very hard.
Sonar actually has very simple needs and most of its libraries have been pulled in not because we need the full functionality but only a small part of it. It may be to our benefit to go over the list of dependencies, remove what we can, and perhaps audit and pin what we can't remove, and define some kind of upgrade protocol. For example, we have simple needs for csv and json production and for command line parsing and could easily replace those libraries if we wanted to.
I'm uncertain about how worried to be about this. Sonar currently runs with no special privileges and its only superpowers are that (a) it runs regularly and everywhere and (b) if an admin sees it running, she will think it is fine that it's running. It is otherwise no worse than any user program, indeed user programs whose source and binary we do not control. On the other hand, being everywhere and running all the time under the radar it is a very convenient stepping stone for a more sophisticated attack leveraging other mechanisms. And it is not out of the realm of the possible that Sonar will need some special powers eventually, for some types of monitoring. And if not Sonar, then maybe a program that Sonar runs - same problem.
The text was updated successfully, but these errors were encountered: