this post was submitted on 06 Aug 2023
16 points (94.4% liked)
Rust Lang
Amazing project!
Would be cool if we also had an online database of what APIs each crate uses. This would allow quickly knowing some crates are safe without compiling them (there could be malicious build.rs code) or even seeing the source code at all.
Interesting idea. It feels to me though that it'd be a lot of work to check such a database for each of your transitive dependencies, whereas if you just run cackle it checks them all for you and, perhaps most importantly, will tell you if there's a change.
Another consideration is that cackle only considers an API to be used if it's in reachable code. This is handy because you can for example use a crate like the image crate, which has functions to read and write images on the filesystem and you don't need to grant filesystem permissions unless you actually use those APIs.
What I meant was that I want exactly Cackle, but I don't want to run it on my own computer. If a crate uses some suspicious API (including transitively), I want to know before I download it.
Ah, gotcha. Cackle checks the APIs used by build scripts before it lets them run, so that might help.
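The two points made in the replies above (an API only counts if it is in reachable code, and a build script's API use is checked before it runs) can be modelled with a small reachability walk. This is an added illustration, not Cackle's own code: the call graph edges for the image crate are hypothetical, and the API class names ("fs", "net", "process") are assumptions.

```rust
use std::collections::{HashMap, HashSet};

/// Constructed call graph: function path -> paths it calls (hypothetical edges, not the real crate).
type CallGraph = HashMap<&'static str, Vec<&'static str>>;

/// Map a called symbol to a restricted API class (class names are assumptions).
fn api_class(symbol: &str) -> Option<&'static str> {
    [("std::fs::", "fs"), ("std::net::", "net"), ("std::process::", "process")]
        .iter()
        .find(|(prefix, _)| symbol.starts_with(*prefix))
        .map(|(_, class)| *class)
}

/// Depth-first walk from the roots; a restricted call inside a function nobody reaches does not count.
fn reachable_apis(graph: &CallGraph, roots: &[&'static str]) -> HashSet<&'static str> {
    let mut seen: HashSet<&'static str> = HashSet::new();
    let mut stack: Vec<&'static str> = roots.to_vec();
    let mut apis = HashSet::new();
    while let Some(f) = stack.pop() {
        if !seen.insert(f) {
            continue; // already visited; also guards against cycles
        }
        if let Some(class) = api_class(f) {
            apis.insert(class);
        }
        if let Some(callees) = graph.get(f) {
            stack.extend(callees.iter().copied());
        }
    }
    apis
}

/// Constructed sample: the app decodes from memory only; the crate also has file-based
/// helpers it never reaches, and the build script shells out to an external command.
fn sample_graph() -> CallGraph {
    HashMap::from([
        ("app::main", vec!["image::load_from_memory"]),
        ("image::load_from_memory", vec!["image::decode_png"]),
        ("image::decode_png", vec![]),
        ("image::open", vec!["std::fs::File::open", "image::decode_png"]),
        ("image::DynamicImage::save", vec!["std::fs::write"]),
        ("build::main", vec!["std::process::Command::new"]),
    ])
}

fn main() {
    let g = sample_graph();
    println!("app: {:?}", reachable_apis(&g, &["app::main"])); // {}
    println!("image::open: {:?}", reachable_apis(&g, &["image::open"])); // {"fs"}
    println!("build.rs: {:?}", reachable_apis(&g, &["build::main"])); // {"process"}
}
```

The app root reaches no restricted class even though the same crate contains filesystem calls, while the build-script root surfaces "process" before anything would be executed.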