I've been following the Rust story with some interest and I'm excited about the opportunities Rust brings for sandbox-free, secure system software. However, there are some things that it lacks, that would otherwise make it the obvious choice.
One that I feel is important that has been touched upon by others is having static assurances about code, especially imported libraries. If I use a jpg library, I want to be sure that it isn't going to be able to do any unsafe operations, use GC or access the file-system or the network. That way, I don't have to trust the code and can instead be assured that it simply cannot perform any dangerous actions. Currently, to do that, I have to inspect the whole library. As a developer without the time to do that, I'd much prefer for the import to be annotated to indicate such things (or, ideally, to be annotated to indicate the allowed dangers). This could be seen, of course, as a precursor to capabilities - reducing ambient authority is a key first step in getting a capability-secure system - but it's also a simple way of getting assurances about code without having to inspect it. Does it seem like a reasonable thing to add? I may be able to find time to work on it, should it be acceptable. Regards, Grant Husbands.
_______________________________________________ Rust-dev mailing list [email protected] https://mail.mozilla.org/listinfo/rust-dev
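As an added example (not code from the post or from the Rust project): present-day Rust's `unsafe_code` lint, set to `forbid` on a module, gives a compile-time assurance for one of the dangers listed above, since any `unsafe` block inside the module is rejected and `forbid` cannot be re-allowed from within. The JPEG header reader inside the module is a constructed illustration of a library that works only on a byte slice; its module name, types and function are assumptions.

```rust
// Added example, not from the mailing-list post. `forbid(unsafe_code)` is a
// real Rust lint level: any `unsafe` inside this module fails to compile, and
// an inner `#[allow(unsafe_code)]` cannot override it. The module does no I/O
// and touches no network; it only inspects the bytes it is handed.
#[forbid(unsafe_code)]
pub mod jpeg {
    /// Image dimensions taken from a baseline (SOF0) frame header.
    #[derive(Debug, PartialEq)]
    pub struct Dimensions {
        pub width: u16,
        pub height: u16,
    }

    /// Walk the JPEG marker segments after SOI and return the SOF0 dimensions,
    /// or None if the input is not a JPEG, is truncated, or has no SOF0 before
    /// the scan data. Every access uses bounds-checked `get`, so a malformed
    /// length field cannot read out of bounds; the `?` turns it into None.
    pub fn dimensions(data: &[u8]) -> Option<Dimensions> {
        // Start Of Image marker: FF D8.
        if !data.starts_with(&[0xFF, 0xD8]) {
            return None;
        }
        let mut pos = 2;
        loop {
            // Segment layout: FF, marker, 2-byte big-endian length (includes itself).
            if *data.get(pos)? != 0xFF {
                return None;
            }
            let marker = *data.get(pos + 1)?;
            let len = u16::from_be_bytes([*data.get(pos + 2)?, *data.get(pos + 3)?]) as usize;
            if marker == 0xC0 {
                // SOF0 payload: precision (1), height (2), width (2), components...
                let height = u16::from_be_bytes([*data.get(pos + 5)?, *data.get(pos + 6)?]);
                let width = u16::from_be_bytes([*data.get(pos + 7)?, *data.get(pos + 8)?]);
                return Some(Dimensions { width, height });
            }
            if marker == 0xDA || marker == 0xD9 {
                // Start Of Scan or End Of Image reached without a SOF0 header.
                return None;
            }
            // Advance past marker (2 bytes) plus the segment length; overflow -> None.
            pos = pos.checked_add(2 + len)?;
        }
    }
}
```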
