Sergey "Shnatsel" Davidoff
It would be nice to be able to detect out-of-bounds reads as well. This is actually pretty easy to implement - just allocate more memory than was requested and clobber...
flate2 creates slices of uninitialized memory in several places. The only two places where it happens when using the Rust backend are [here](https://github.com/alexcrichton/flate2-rs/blob/53e45a68bf47004494ca5c8cf06d197e99aa713e/src/mem.rs#L321) and [here](https://github.com/alexcrichton/flate2-rs/blob/53e45a68bf47004494ca5c8cf06d197e99aa713e/src/mem.rs#L433). This is equivalent to the...
flate2 includes plenty of unsafe code that's only used for interaction with C backends, and can be omitted from the Rust backend builds. We should use conditional compilation to leave it...
As we've found in https://github.com/rust-lang/rust/issues/36705, jemalloc has abysmal fork performance in some kernel configurations, notably on recent Ubuntu versions. Even on good configurations the system default allocator has about 20% better...
Google has recently created a corpus to facilitate easy and reproducible comparison of fuzzing methodologies, see https://github.com/google/FuzzBench. AFAIK it's the first diverse corpus systematically used for fuzzer evaluation. Publishing results...
TL;DR: run `cargo supply-chain update` implicitly from other commands, instead of defaulting to querying the API. If the cache is expired or nonexistent, and `--cache-max-age` allows it, we could download...
We currently only run `cargo build`, `cargo doc` and something like `cargo fmt --verify` on CI. We also need to run the unit tests now that we have them, via...
When downloading data via the crates.io API, we could cache it for later reuse. This would help if the user wants to view both `crates` and `publishers` commands for their...
It would be nice to provide actionable insights in the `publishers` subcommand - i.e. whether you can remove a certain publisher by disabling certain features on crates in the dependency tree; and...
It would be nice to verify that the recovered information is indeed read correctly by `cargo auditable` and/or the underlying `rustsec` crate, and that it does indeed report vulnerable versions...