Why stdx is not on crates.io (kerkour.com)
47 points by Keyb0ardWarri0r 3 hours ago
maeln an hour ago
"The solution to rust's supply chain woes is me stealing some code and vibe coding the rest" is truly one of the take of all time.
And in general, people pointing at Rust "limited" stdlib (it's only limited compared to Python) as one of the big issue and risk with rust are, in my opinion, misguided. You will never make an stdlib big enough to remove the need for external dependencies. It also creates a bunch of other problems. Actually, to take Python as an example, some functionality being in the stdlib have created a bunch of issue over the years since you can't just introduce breaking changes in an stdlib as easily. Look at urllib2/3 or xml in python. In the end, almost everyone ends up using requests and lxml instead. There are many issues that need to be dealt with to mitigate supply chain attacks. A bigger stdlib or an "stdlib-extended" a la Boost, is not one of them.
Also, specifically for Rust, many people run in a no-std environment (anything sized constraint for the most part). So another stdlib would do nothing for them.
traceroute66 an hour ago
> it's only limited compared to Python
Erm ....
Its limited compared to Go as well.
And that's a BIG deal because Go gives you single binaries with a stdlib that allows you to hit the ground running in a serious manner.
For example, making API calls which is the sort of thing many here do for their bread and butter. Everything you need to do can be don in Go stdlib without opening yourself up to supply chain vulnerabilities or having to choose which crate or having to keep track of crates versioning. The same could be said of crypto or hundreds of other things present in the Go stdlib.
ameliaquining 19 minutes ago
This is mostly only true if you're writing a network service or maybe a CLI tool. Which is fair enough, since that's what Go is primarily for, but Rust aims to be, not just usable, but the best option, in a broader variety of domains. It wouldn't be feasible to have a batteries-included stdlib for all of them. (Python historically tried, and the results have been rather famously unsatisfactory.)
Also, even network services benefit from things like OpenAPI for type safety, and you don't get that from the Go stdlib.
kibwen 33 minutes ago
> Its limited compared to Go as well.
It depends on perspective. Go is tailored for writing backends, so it's great that it provides things like net/http (we could also interpret cause and effect inversely here; Go provides net/http so it gets used for writing backends). Rust's standard library is actually pretty damn huge, but it doesn't index heavily into specific applications, and instead tries to provide comprehensive support for low-level operations that enable you to build a custom-tailored solution to whatever you need on top of it. Rust's stdlib is "small" if all you want to do is build a webserver and don't want to go shopping around for libraries, but anyone who's intimately familiar with Rust's stdlib can tell you for a fact that it's absolutely not small in absolute terms. Rust literally stabilizes hundreds of new stdlib functions per year.
traceroute66 24 minutes ago
greyw an hour ago
How is code being "stolen" here? It's FOSS code that is being copied.
striking an hour ago
Take for example https://github.com/rust-stdx/stdx/tree/main/itoa. Its licenses and copyright information have been stripped. You are permitted to make copies of code under the MIT license, but the license also includes:
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
If the original repo were to disappear, it would be important to know who wrote the code and what the license actually is.
greyw 23 minutes ago
cetra3 2 hours ago
It just looks like stdx has copied stuff from crates and put it in a git repo.
It feels like this is worse than a package manager? As in why would I trust a random git repo to keep things up to date over the officially published channel?
sheept 2 hours ago
Plus, with forks anyone can publish a commit accessible from the main repo, so one could disguise a malicious version of stdx by forking the repo, pushing their charges, then setting the rev:
base64 = { git = "https://github.com/rust-stdx/stdx", rev = "<sha1 of malicious commit in fork>" }alphabeta3r56 an hour ago
This is hugely problematic behavior of github
testdelacc1 2 hours ago
This comment needs to be higher up. The author styles themselves as a cybersecurity expert, but makes the fundamental mistake of assuming that they’re trustworthy and we’d trust them no questions asked. Software security isn’t based on blind trust like this. I’m surprised an expert can’t see that.
The other reason I don’t trust them is because this repo is 100% AI slop, even for crypto code. He posted it on /r/rust where every comment was highly negative - https://www.reddit.com/r/rust/s/4I4Xc7x7ec. The thread was removed by a moderator with the note:
Please, stop posting articles from kerkour.com.
The blog has been on a downward spiral for years, it's doomed, let it go.
graypegg 2 hours ago
Yeah that confused me for a second too. I think they're talking about stdx as a single package, even though it contains multiple crates. If you wanted to install a crate from stdx specifically, you'd use this git URL but if you wanted any other package, you'd use another git URL controlled by that project.
So as I understand it, they're not suggesting that we pile many packages into 1 git repo as a sort of pseudo-crates.io, they're just promoting the fact that you can install a package directly from a git URL, rather than using a crate name on a registry.
What seems weird about that model to me is that dependancies will not sync between these individual packages. If package A chooses the canonical git URL for package C, and package B uses a self-hosted version of package C instead, you have two versions of package C.
deeebug 2 hours ago
Looks like it's that, plus vibe coding (in areas like crypto!) - https://kerkour.com/stdx
tialaramex an hour ago
The whole "There are test vectors so we know it's correct" is a strong sign that this isn't actually safe to use and that indeed the people who built it (to the extent people actually did build it) have no idea what they're doing.
FiloSottile 2 hours ago
Uh, yeah, this is not the writing of someone with the experience to maintain a cryptography toolkit: https://kerkour.com/nist-cryptography-backdoor
(I’m more worried about judgement calls than implementation correctness, it’s not about AI.)
tptacek 2 hours ago
tptacek an hour ago
The author is trying to make "stdx" a thing, and content like this (I'm not dunking on it) is what you write when you're trying to reinforce the idea that it's a thing.
The big question about this project isn't its distribution, it's the core question it posed when it was first announced: are Rust developers going to seriously entertain an alternative "standard library" curated by one developer.
bel8 2 hours ago
One upside I can think is that it is easier to trust and verify one repo than hundreds.
And the chances of a rogue actor or id theft reduce drastically.
foresterre 2 hours ago
> stdx is a monorepo of, as of today, 64 crates
It's quite an, ahem, interesting mix of libraries, including three csv libraries, hyper_utils (but not hyper itself), and a ton of copied crates from other maintainers.
I hope the author has a good way of updating these with upstream fixes (some look out-of-date already), otherwise you may replace one security issue with another.
And the name stdx has been taken on crates.io, more than 11 years ago which can also be equally confusing.
fg137 42 minutes ago
Sounds to me stdx is doing this wrong more than anything else.
NoboruWataya an hour ago
Namespace pollution is an annoying problem in Rust. A while ago I was looking for a crate to help build something to interact with Apache Solr. Great, there's a Rust crate called `solr` on crates.io. And here it is: https://github.com/lambdastackio/solr-rust
There are other examples of crates registered on crates.io with prominent names that are just stubs with one commit from years ago. I'm sure this problem also exists for other languages but it feels worse with Rust, I suspect because of how easy it is to register a crate on crates.io combined with the "rewrite X in Rust" craze.
rdtsc 2 hours ago
> Also, you can only create a crates.io account with a GitHub account
Oh is that true? They tied themselves to Microsoft it seems. What about people who won't or can't use GitHub.
simonask 2 hours ago
As far as I understand, this is purely a result of lack of maintainer resources. Apparently, nobody has been bothered enough by this to contribute the relevant changes.
Keep in mind that all of rustc and libs development takes place on Github.
progval an hour ago
There is some recent progress on https://github.com/rust-lang/crates.io/issues/326
weinzierl 2 hours ago
Yes, unfortunately it is true. Sad, but I could live with that.
What in my opinion is unacceptable is that it requires you to give permission to "read your organization and team membership and private Projects".
I made a separate GitHub account (weinzierl-trusted-publisher) for crates.io which is far from ideal, because it works completely against the idea to build trust for a single unified identity online, but ¯\(ツ)/¯.
g-b-r an hour ago
Multiple free accounts are also against GitHub TOS
weinzierl an hour ago
g-b-r an hour ago
simonreiff an hour ago
Ok, I was curious enough to read look into this, but it makes no sense under the hood. The idea is essentially that:
1. Supply-chain problems affect the Rust ecosystem arguably even worse than npm. 2. `stdx` extends Rust by adding some other stuff in Go that's good for supply-chain security? 3. crates.io does stuff differently than stdx so that's why it's distributed exclusively via git.
But none of the README or article linked by the author or the other article linked in the README explain anything about what the good things from Go are that are actually added, or what the pain point precisely is compared to using crates.io. I think the first proposition is possibly correct, mainly because I know next to nothing about Rust but am all too familiar with supply-chain complaints (as are most of us by now) whether as to npm or Python ecosystems, and there is no principled reason why Rust should be more secure unless the fundamental assumption of trusting external packages to auto-update safely is somehow different in Rust. I assume without loss of generality that perhaps the author is right that Rust's package management ecosystem is no more secure as a supply-chain than Node.js's ecosystem. The second property also might be true too that Go offers some concrete solutions to the problem, though I have no idea if that's correct and wouldn't necessarily assume that to be true.
Still, even assuming all claims to be true, I do not see is any connection between those claims and actual implementation of code, aside from talk about how stdx is AI-friendly and was generated using AI. I just don't get what this does that is any different. You're still trusting a Git repository to be valid. In fact it almost sounds at one point like the author is suggesting that the whole exercise of providing proof of provenance and demonstrating that a particular version was properly published by its author is too tedious and annoying and should therefore be skipped by utilizing a simpler stdx approach to Rust (but I still don't know what that is or why I should trust it!). Is it just me? This makes no sense.
krzyk 2 hours ago
I'm a bit new to rust or npm system.
But I always thought NPM was what the author describes - just a random set of packages with git sources, which I thought was the main issue (leftpad etc.). Isn't that the case?
What about one system that just works and is there for "ages": maven repository?
zdragnar 2 hours ago
NPM doesn't require any version control, it's just a repository for files. The "main" issue (if one could be called such) around leftpad is that the types of ranges that could be specified for grabbing versions was very loose, and many dependencies of dependencies might just grab whatever is "latest".
Then, when someone throws a fit, they upload a broken version to NPM, and everyone downstream is SOL (or the package is given over to a malicious maintainer, or the maintainer is hacked, etc).
Heck, NPM doesn't (didn't?) require a license either. One of my former employers never let us use Webpack 1.x because it depended on something that depended on something that depended on a package from the very early days of NPM that didn't come with a license (it was by isaacs iirc, so it was meant to be public, but the version specified wasn't licensed). It wasn't until webpack 2.x that the versions were updated enough that all of the dependencies were formally open source.
weinzierl an hour ago
stdx is not the best example. The most popular package that is not on crates.io is probably embassy.
Also Debian tries to build and distribute independently from crates.io.
So crates.io is important but is not the (Rust) world.
jamesmunns an hour ago
There's no single "embassy" crate, but all the components (HALs, executor, usb, net, etc.) are all on crates io and have been for a long time.
weinzierl an hour ago
Oh, good to know, thanks!
insanitybit an hour ago
Ignore this and just use `cargo-vet`, you're welcome.
sourcegrift 2 hours ago
More like which stdx?
I appreciate prople's efforts but they are misplaced. If I were passionate about this-- i'd do two things
1) A crates.io alternative which allows namespaces in package names like GitHub or alternatively. Single universal namespace doesn't seem fine (I don't think there would be necessarily changes required on the cargo side if users are willing to use full urls)
2) some kind of trust system so a user can up/down vote a package
3) Take a small one time payment for verifying a package? I don't know how this would work.
jitl 2 hours ago
going where the people aren’t, a well understood strategy
jcgrillo 2 hours ago
I don't get it, maybe my brain isn't wrinkly enough. Two things:
1. What problem does stdx actually solve?
2. Ok, it's a git dep, seems fine? Why is the choice to publish or not publish in crates.io a big deal either way?