On Fri, Jun 29, 2018 at 8:33 AM, Tom Ritter <t...@mozilla.com> wrote:
> > I know that enumerating badness is never a comprehensive solution; but > maybe there could be a wiki page we could point people to for things that > indicate something is doing something scary in Rust? This might let us > crowd-source these reviews in a safer manner. For example, what would I > look for in a crate to see if it was: > - Adjusting memory permissions > - Reading/writing to disk > - Performing unsafe C/C++ pointer stuff > - Performing network connections of any type > - Calling out to syscalls or other kernel functions (especially win32k.sys > functions on Windows) > - (whatever else you can think of...) > <https://lists.mozilla.org/listinfo/dev-platform> > Building on that, is there a list of crates that should *never* be included in Firefox that you could scan for? Such as, anything that is not nss (openssl bindings) or necko (use of a different network stack that might not respect proxies, threading concerns, etc.)? Sort of in the same way that (I assume) you are checking for prohibited licenses in the Cargo.toml. _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
