A security audit of Rust Coreutils found 70 CVEs.

jens@social.finkhaeuser.de

@icing But doesn't the borrow checker make me a flawless dev? I thought it pwomised... 🥺

modrobert@infosec.exchange

@icing sudo apt-get install coreutils-from-gnu

onelikeandidie@mastodon.social

@icing damn some of these CVEs are really boring and super niche. Also why rewrite in rust if you're just gonna use `.expect()` in your error handling???? (Taking about https://www.cve.org/CVERecord?id=CVE-2026-35348 )

f4grx@chaos.social

@icing real CVEs or slop CVEs?

lucebac@infosec.exchange

@icing I believe that people may not have understood what rust does and what it doesn't. Rust may make code more robust but it can't prevent faulty algorithm implementations on a logical level.

shaknais@mastodon.social

@f4grx

Path resolution failures for one don't seem slop.

(www.cve.org)

ftranschel@norden.social

@icing Yeah I mean this notion that because it’s rust it cannot have vulnerabilities is just so ludicrous in the first place - sure rust algorithmic type safety reduces certain types of bugs but not others ‍️

tymwol@hachyderm.io

@icing c'mon, if you do any rewrite, in any language, you would expect bugs and vulnerabilities. You always can stick with the old thing and don't touch it, so you don't break it, but "don't touch it" is not always a wise long-term strategy.

addison@nothing-ever.works

@icing@chaos.social I find this take really unhelpfully dismissive. The rewrite is a good thing, and will eradicate a bug class nearly entirely (one that GNU coreutils continues to have in the meantime). It will have lots of bugs, and I'm happy an audit found them (even if many of them are boring). Ubuntu should not have pushed this into production this early, but that does not invalidate the objective of the rewrite.

icing@chaos.social

@addison If you code a system utility with the expectation that all file names are valid utf-8 or crash, you lack some vital domain knowledge.

I blame Ubuntu for following the "Rust is safer" hype and causing real pain and damage for people deploying this on their systems.

The CVEs are just the current red flags here. I checked the project some months ago and they had passed *most* of the existing GNU test cases. And had contributed none new of their own. That is willful ignorance.

addison@nothing-ever.works

@icing@chaos.social It's easy to assume malice when incompetence is a sufficient explanation. The assumptions are being tested, and I'm sure the audit results will bring more critical eyes to the software. People want this change, and have good reason for it. There are constructive ways to address that, including, if you find the tests lacking, contributing some tests.

icing@chaos.social

@addison Incompetence is my impression of this project. If you read "malice" into it, that is your own spin on things.

As to your suggestion of contributing to open source that runs the world myself, I am pretty busy on that one for the last decade.

rewik@kind.social

@icing The "let's rewrite it in Rust" project at my workplace is going great. Then again, the old project was written in python 2 so I guess that's not a high bar to clear.

addison@nothing-ever.works

@icing@chaos.social "willful" suggests malice, not incompetence.

And yes, I know who you are In the same way I'm sure you are annoyed by RIIR comments, I am annoyed by people holding superiority over new Rust projects that are trying to do good in the world. Hubris is part of the developer process. Given the scope of the project, 70 mostly uninteresting bugs is unsurprising, and suggesting that it is a good reason to reject this work on face is really disingenuous.