A bit of the discussion Dan was involved in revolves around taming the
compiler itself,
Rust's compilation model itself is intertwined with its execution
model. To compile source code, you must first compile and execute a
file called
build.rs, so it will
will compile + execute a process. Further there are "procedural
macros" which compile to a shared library then the compiler itself
will dlopen that shared library and
call some entry point into the procedural macro. Both these cases can
generate source code which will subsequently be compiled to form the
compilation output.
Fancy IDE's like to check your source code and helpfully display
errors in it, which entails all of the above. Lately they want to do
this when you merely open a file,
and a likely way in which developers read sources to discover whether
they actually trust the code in question. I think many people
rightfully believe opening some source code shouldn't imply
execution of processes written by the source author or any dependency therein.
There are projects like Watt, to run proc macros in wasm,
https://github.com/dtolnay/watt
And the author of the cranelift compiler backend has had a sporadic
but multi-year effort to compile the rust compiler to, and run it in
wasm.
https://github.com/bjorn3/rust/tree/compile_rustc_for_wasm4
The rust std library when compiled for various platforms are not all
alike, rusts std library for WASI (a wasm implementation) lacks much
of the ambient authority which the compiler relies on),
and so porting it is a somewhat painful exercise. I haven't followed
the effort to compile rustc to wasm to have a good estimate at how
much of the port would overlap with a cap-std implementation...
(alternately said, how much of a rustc ported to cap-std would "just
work", when compiled to wasm). Given the similar limitations of
cap-std to the std impl provided for WASI, (and assuming the future
work on std::process,
and the "Speaking of WASI" aspects of the blog post). It seems likely
to me though that it would lessen the effort for porting rustc to run
on wasm,
along with other capability architectures which in the future could
have an implementation of cap-std... while also running natively on
non-capability OS's and at the very least, not being in any worse of a
security situation than these compilers are currently.
I don't place much faith in the people going through the effort to
actually audit sources, when I don't believe anyone should trust the
tools they might be using to actually read those sources,
no matter how much I trust the person performing the audit to not act
maliciously...
> To view this discussion on the web visit
https://groups.google.com/d/msgid/cap-talk/255376A4-89ED-4953-B260-3F18CACCA93D%40gmail.com.