[tor-dev] Tor in a safer language: Network team update from Amsterdam
gunner at aspirationtech.org
Sun Apr 2 16:01:49 UTC 2017
Thanks for making these points. They made me realize that this initiative:
Might not be on folks' radars.
It was an outcome of the last Reproducible Builds Summit in December .
It just does a good job of articulating problems and proposed some
possible collaborative steps forward.
On 04/01/2017 06:54 PM, zaki at manian.org wrote:
> Rust seems like the best available choice for Tor in a safer language.
> Rust has several issues with securely obtaining a Rust toolchain that
> the Tor community should be attentive to.
> Rust is a self hosted compiler. Building Rust requires obtaining
> binaries for a recent Rust compiler. The Rust toolchain is vulnerable to
> a "trusting trust" attack. Manish made a prototype and discussed future
> The Rust toolchain is built by an automated continuous integration
> system and distributed without human verification or intervention.
> Rust's build artifacts distributed by the RustUp tool are only
> authenticated by TLS certificates. RustUp Github issue 241 discusses a
> mitigation to address some of these concerns but development seems to be
>  https://manishearth.github.io/blog/2016/12/02/reflections-on-rusting-trust/
>  https://github.com/rust-lang-nursery/rustup.rs/issues/241
> On Fri, Mar 31, 2017 at 2:23 PM Sebastian Hahn <sebastian at torproject.org
> <mailto:sebastian at torproject.org>> wrote:
> Hi there tor-dev,
> as an update to those who didn't have the chance to meet with us in
> Amsterdam or those who haven't followed the efforts to rely on C less,
> here's what happened at the "let's not fight about Go versus Rust, but
> talk about how to migrate Tor to a safer language" session and what
> happened after.
> Notes from session:
> We didn't fight about Rust or Go or modern C++. Instead, we focused on
> identifying goals for migrating Tor to a memory-safe language, and how
> to get there. With that frame of reference, Rust emerged as a extremely
> strong candidate for the incremental improvement style that we
> considered necessary. We were strongly advised to not use cgo, by people
> who have used it extensively.
> As there are clearly a lot of unknowns with this endeavor, and a lot
> that we will learn/come up against along the way, we feel that Rust is a
> compelling option to start with, with the caveat that we will first
> experiment, learn from the experience, and then build on what we learn.
> You can also check out the session notes on the wiki (submitted, but not
> posted yet).
> The real fun part started after the session. We got together to actually
> make a plan for an experiment and to give Rust a serious chance. We
> quickly got a few trivial things working like statically linking Rust
> into Tor, integrating with the build system to call out to cargo for the
> Rust build, and using Tor's allocator from Rust.
> We're planning to write up a blog post summarizing our experiences so
> far while hopefully poking the Rust developers to prioritize the missing
> features so we can stop using nightly Rust soon (~months, instead of
> We want to have a patch merged into tor soon so you can all play with
> your dev setup to help identify any challenges. We want to stress that
> this is an optional experiment for now, we would love feedback but
> nobody is paid to work on this and nobody is expected to spend more
> time than they have sitting around.
> We have committed to reviewing any patch that includes any Rust code to
> provide feedback, get experience to develop a style, and actually make
> use of this experiment. This means we're not ready to take on big
> patches that add lots of tricky stuff quite now, we want to take it slow
> and learn from this.
> We would like to do a session at the next dev meeting to give updates on
> this effort, but in the meantime, if team members would like to start
> learning Rust and helping us identify/implement small and well-isolated
> areas to begin migration, or new pieces of functionality that we can
> build immediately in Rust, that would be really great.
> So, for a TLDR:
> What has already been done:
> - Rust in Tor build
> - Putting together environment setup instructions and a (very small)
> initial draft for coding standards
> - Initial work to identify good candidates for migration (not tightly
> What we think are next steps:
> - Define conventions for the API boundary between Rust and C
> - Add a non-trivial Rust API and deploy with a flag to optionally use
> (to test support with a safe fallback)
> - Learn from similar projects
> - Add automated tooling for Rust, such as linting and testing
> Alex, Chelsea, Sebastian
> : Will be visible here
> tor-dev mailing list
> tor-dev at lists.torproject.org <mailto:tor-dev at lists.torproject.org>
> tor-dev mailing list
> tor-dev at lists.torproject.org
Executive Director, Aspiration
Aspiration: "Better Tools for a Better World"
Read our Manifesto: http://aspirationtech.org/publications/manifesto
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 473 bytes
Desc: OpenPGP digital signature
More information about the tor-dev