Bugs Rust won't catch

Rust, Unix APIs, and Filesystem Safety

  • Many comments stress that Rust’s std::fs mirrors low‑level Unix syscalls, so it prevents memory bugs but not filesystem logic bugs (TOCTOU, symlink races, etc.).
  • Several argue std::fs nudges users toward path-based APIs when secure code often requires handle/dirfd-based APIs (openat, openat2), which Rust mostly relegates to unsafe or third‑party crates.
  • Others counter that these syscalls are inherently tricky and platform-specific; a better high‑level, Rust‑style abstraction is needed rather than just exposing raw *at calls.

uutils Coreutils Rewrite and Audit Findings

  • The Rust rewrite of coreutils (uutils) started as a learning project, not initially intended as a drop‑in replacement.
  • The security audit uncovered many bugs: TOCTOU races, misuse of signals (e.g., kill -1), incorrect path handling (rm ./), lossy UTF conversions, and chroot/NSS interactions.
  • Some see these as “rookie Unix mistakes,” especially compared to decades-hardened GNU coreutils; others note it’s impressive how few issues there were given the project’s origins.

Ubuntu/Canonical Deployment Controversy

  • Strong criticism of Canonical for planning to ship uutils as default in an LTS despite fresh, serious bugs.
  • Several argue a rewrite should remain optional for years, with exhaustive tests and benchmarks, before even proposing replacement of core components.
  • Some users say this erodes trust in Ubuntu and consider switching distros.

Licensing and Clean-Room Constraints

  • uutils’ MIT license and stated avoidance of reading GPL’d GNU code are seen as hindering correctness, since they can’t easily inherit decades of hard‑won fixes.
  • Debate over whether the primary motivation is “pro‑business” relicensing versus technical improvement.

Rust’s Guarantees and Misconceptions

  • Repeated clarification: Rust eliminates many memory-safety bugs in safe code but does not promise bug‑free software.
  • Some complain about overzealous Rust evangelism; others say critics attack a strawman, as most Rust users know it only tackles certain bug classes.
  • Discussion of unsafe as a tool: Rust’s model is to encapsulate small unsafe sections behind safe APIs, sharply reducing the audit surface.

Testing, Fuzzing, and Unix Quirks

  • uutils runs GNU’s test suite and differential fuzzing, but commenters note these don’t cover many Unix semantic edge cases or security properties.
  • Coreutils maintainers emphasize performance and subtle behaviors (e.g., inode comparisons vs path resolution), and how decades of field experience encode non-obvious constraints.
  • Broader lesson: rewrites must account for undocumented “tribal knowledge” in old systems, not just type safety.
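To make the first section's point concrete (path-based APIs resolve a name once for the check and again for the use, handle-based APIs resolve it once and then work on the descriptor) and the coreutils maintainers' point above about comparing inodes rather than trusting path resolution, here is an added example. It is not code from the discussion or from uutils or GNU coreutils; it is std-only Rust for Linux, and it hard-codes the Linux value of `O_NOFOLLOW` (an assumption, to avoid the `libc` crate). The race is simulated in-process by a closure that re-points the checked name at a second file between the check and the use; the "secret.txt"/"public.txt" scratch files and their contents are constructed for the demo.

```rust
// Added example: the same check-then-use written against a path and against
// an open handle, with a simulated race in the window between check and use.
use std::fs::{self, File, OpenOptions};
use std::io::{self, Read};
use std::os::unix::fs::{symlink, MetadataExt, OpenOptionsExt};
use std::path::{Path, PathBuf};

/// O_NOFOLLOW as defined in Linux <fcntl.h> on x86-64 (assumption: hard-coded
/// here so the example needs no external crate).
const O_NOFOLLOW: i32 = 0o400000;

fn not_regular() -> io::Error {
    io::Error::new(io::ErrorKind::InvalidInput, "not a regular file")
}

/// Path-based pattern: the check and the use each resolve the name on their own.
/// `between` stands in for whatever else happens in that window.
fn check_then_open_by_path(path: &Path, between: impl FnOnce() -> io::Result<()>) -> io::Result<File> {
    let meta = fs::symlink_metadata(path)?; // resolution #1: the check
    if !meta.file_type().is_file() {
        return Err(not_regular());
    }
    between()?; // the TOCTOU window
    File::open(path) // resolution #2: the use; follows any symlink planted meanwhile
}

/// Handle-based pattern: resolve the name once, refuse a final symlink, and run
/// every later check on the descriptor (fstat), which cannot be re-pointed.
fn check_then_open_by_handle(path: &Path, between: impl FnOnce() -> io::Result<()>) -> io::Result<File> {
    let file = OpenOptions::new().read(true).custom_flags(O_NOFOLLOW).open(path)?; // only resolution
    between()?; // renaming or symlinking the name no longer affects `file`
    if !file.metadata()?.file_type().is_file() {
        return Err(not_regular());
    }
    Ok(file)
}

/// The identity of an open file is (device, inode), not whatever its name resolves to now.
fn same_object(a: &File, b: &File) -> io::Result<bool> {
    let (ma, mb) = (a.metadata()?, b.metadata()?);
    Ok(ma.dev() == mb.dev() && ma.ino() == mb.ino())
}

/// Fresh scratch directory holding a public file and a "secret" file (constructed data).
fn setup(tag: &str) -> io::Result<(PathBuf, PathBuf, PathBuf)> {
    let dir = std::env::temp_dir().join(format!("toctou-demo-{}-{}", std::process::id(), tag));
    let _ = fs::remove_dir_all(&dir);
    fs::create_dir(&dir)?;
    let public = dir.join("public.txt");
    let secret = dir.join("secret.txt");
    fs::write(&public, "public")?;
    fs::write(&secret, "secret")?;
    Ok((dir, public, secret))
}

/// Simulates the race: the name that was checked is re-pointed at the secret file.
fn repoint(public: &Path, secret: &Path) -> io::Result<()> {
    fs::remove_file(public)?;
    symlink(secret, public)
}

/// Returns (path-based open ended up on the secret?, handle-based open still holds the original?).
pub fn run_demo() -> io::Result<(bool, bool)> {
    let (dir_a, public_a, secret_a) = setup("a")?;
    let opened = check_then_open_by_path(&public_a, || repoint(&public_a, &secret_a))?;
    let path_based_hit_secret = same_object(&opened, &File::open(&secret_a)?)?;

    let (dir_b, public_b, secret_b) = setup("b")?;
    let mut held = check_then_open_by_handle(&public_b, || repoint(&public_b, &secret_b))?;
    let mut body = String::new();
    held.read_to_string(&mut body)?;
    let handle_based_kept_original = body == "public" && !same_object(&held, &File::open(&secret_b)?)?;

    let _ = fs::remove_dir_all(dir_a);
    let _ = fs::remove_dir_all(dir_b);
    Ok((path_based_hit_secret, handle_based_kept_original))
}

/// If the symlink is already in place before the open, O_NOFOLLOW fails the open outright (ELOOP).
pub fn nofollow_rejects_symlink() -> io::Result<bool> {
    let (dir, public, secret) = setup("c")?;
    repoint(&public, &secret)?;
    let rejected = check_then_open_by_handle(&public, || Ok(())).is_err();
    let _ = fs::remove_dir_all(dir);
    Ok(rejected)
}

fn main() -> io::Result<()> {
    let (hit, kept) = run_demo()?;
    println!("path-based open followed the planted symlink to the secret: {hit}");
    println!("handle-based open still refers to the original object: {kept}");
    println!("O_NOFOLLOW rejects an already-planted symlink: {}", nofollow_rejects_symlink()?);
    Ok(())
}
```

The path-based variant passes its `symlink_metadata` check and then opens a different object, because `File::open` resolved the name a second time; the handle-based variant holds the original inode no matter what the name points to afterwards, and refuses a symlink that is already there. This is the shape of the `openat`/`O_NOFOLLOW` style the commenters want std::fs to steer people toward: do the one name resolution up front, then reason about descriptors and (device, inode) pairs rather than paths.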