Fish in a Barrel Memory Safety Bounty Program
github.comSorry, but I'm not seeing how this will help. If I take e.g. libpng and rewrite it in Rust, then it's basically a new project. I don't understand how a patch replacing all existing code will be accepted upstream, or how the many projects using libpng will be convinced to use my new library.
One example: librsvg was rewritten from C into Rust, gradually, while retaining the C API:
https://gitlab.gnome.org/GNOME/librsvg https://people.gnome.org/~federico/news-2016-10.html
(I do not necessarily endorse this, as I find the dependency on a Rust compiler of very recent vintage, to be much more annoying than depending on any decent C compiler from the last 7 years or so.)
But the vastly many more users don't need that compiler right? If you merely write a program to render SVG you don't care, your program just got safer "magically" ? If you run such a program you aren't even aware anything happened, the updated version is apparently safer.
Except for all the corner cases that were covered by the original and are not by the rewrite.
The librsvg author doesn't list any such corner cases.
Perhaps you can list some and why they were casualties of the Rust language rather than reasonable cleanup that would have happened in any rewrite?
It's a great question!
a) It being acceptable to upstream is mandatory to receive a bounty, so a starting point might be: pick projects whose maintainers are sick of dealing with ASAN reports! b) A huge number of people get their libpng or anything else via a package manager like Debian. Debian packages libpng from upstream. If libpng changes something about it's implementation, that'll be reflected in a future debian release.
This is going to be a long process, but we firmly believe the question has to be "how" not "if". If you've got better ideas for how we can promote the transition to memory safe languages, please let us know!
Project coordination with opensource projects is a really difficult problem where you simply can't win. Sometimes a project is just bad and needs an overhaul even if it means 40% of the code has to be thrown out. Sometimes people fork the project but most of the time a project is started from scratch because it means full ownership and therefore a more productive working environment.
The number of times I've seen something that amounts to a 1-3 line code change being discussed for hours is absurd. If you are a new contributor who wants to help out by writing code it often feels like you are making the maintainers work harder than if you had done nothing for the project.
One of the folks behind the bounty here. Happy to answer questions.
I can think of ten security-critical applications/services off the top of my head which are will never accept patches/changes to rewrite some/all of them in memory-safe languages.
I appreciate the goal of using languages better suited to memory-safety, but when I look at CVE lists including the same recurring projects I can't help thinking that the bounties here are not going to help.
(For example imagemagick/graphicmagic, the linux kernel, even wordpress/jenkins plugins, and similar things are regular candidates for security issues - and they're not going to get rewritten/modified-in-place to use rust/golang any time soon.)
WordPress is written in PHP and Jenkins is written in Java. These are already memory-safe languages. Security problems in their plugins rarely if ever derive from memory safety issues.
Bad examples, yes. Sorry!
Pretend I wrote gstreamer, wireshark, or similar.
The kernel maintainers have actively expressed interest in having upstream support for writing kernel modules in Rust!
Which might be eligible for a bounty under this program, but I doubt the kernel itself will have parts of it written in a memory-safe language anytime soon.
Lots of drivers, network protocols, etc. in the kernel, and they're most of the attack surface -- not the scheduler :-)
We have to approach this as a question of how, not if. When we do that, we can change computer security.
> Q: What if the maintainers won't accept the patch?
> A: The Fish in a Barrel Memory Safety Bounty only rewards contributions that are merged upstream. We strongly encourage people interested in pursuing a bounty to work with, not against, open source maintainers and to behave respectfully.
It's good to see this called out specifically, but I can't help but think this is attaching a monetary incentive to badger a project to accept a patch that at the very least requires changes to the project build system
>Partially (or completely) migrate the project to a memory-safe language (e.g., convert one of the decoder/encoders in an image parsing library to Rust)
For this kind of contribution, I'm not sure there'll be too much spam. Eg most of the "Rewrite It In Rust"-kind of spam like [1] is people making suggestions, not actual PRs, because it does actually take effort. But...
>Add bindings making the library usable from Rust or Swift (e.g., adding official Swift bindings to an image parsing library)
... I'm not sure about this one. It could be as mindless as "just run bindgen on the C header, wrap it in a -sys crate" and send a PR. I don't actually understand why that kind of contribution is being awarded though, since having safe bindings doesn't make the actual library any safer. Furthermore, bindings don't need to be contributed to upstream, just like all the Rust bindings libraries today are mostly third-party.
[1]: https://www.postgresql.org/message-id/CAASwCXdQUiuUnhycdRvrU...
Making more things accessible via memory safe languages allows people to more easily transition to those memory safe languages even if they have dependencies that are not themselves memory safe. Boiling the ocean is impractical and memory safety is not all or nothing, so we're interested in encouraging people to find ways to migrate larger and larger pieces.
That said, we will consider level of effort as a component of our judging process when determining eligibility and bounty size.
>That said, we will consider level of effort as a component of our judging process when determining eligibility and bounty size.
I hope for your sake that you do, but just to be clear I don't think anyone in this thread is too concerned about whether you pay out the bounty or not. You can be as loose or as tight with your money as you'd like :)
The concern is from the point of view of the maintainers who will receive spam PRs / patches. Even if you don't pay out for that contribution, it will not unsend the PR / patch in the maintainer's mailbox.
It's $100-$500, that's not even a moderate amount of money for the amount of work required. It seems to me to be more of an incentive, and a nice reward for doing good work that helps people.
Those of us who organized this both have a long history of involvement in open source. If we have even an iota of this becoming a problem, we will a) be incredibly saddened, b) figure out how to restructure the rules to address the behavior we see.
Maybe make it a requirement that the contribution PR / email has to mention https://github.com/fishinabarrel/bounty so that maintainers know who to give feedback to.
Right, there a lot of projects that value the fact that their project builds on a lot of platforms, and that they can support old or strange systems that many memory-safe languages do not target (or only do so "unofficially" with some third-party fork of varying quality). I have met a lot of people who brush this off as "yeah but why should we care about those crufty old things, nobody uses them" but such an attitude does not endear itself well.
Rewriting stuff in memory safe languages would be a worthwhile goal, but then they go on by providing bounties to write Linux Kernel drivers in Rust.
Rust is memory safe only in documentation but not in practise.[1] Rather provide bounties for real memory safe languages. Rust is also neither type safe[2] nor concurrency safe[3].
1: eg https://github.com/rust-lang/rust/issues?q=is%3Aissue+is%3Ao... but this is just the surface. alloca is not only unsafe but also security critical. Rust stack allocates too much unchecked.
2. https://doc.rust-lang.org/reference/unsafe-blocks.html
3. Races as eg with https://doc.rust-lang.org/reference/items/static-items.html?... requiring manual mutexes