Rewrite core open source software in Rust, and Google is willing to pay you

{"type":"doc","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Rewrite core open source software, and Google is willing to pay you."}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"On February 17, Google published an announcement on its security blog saying that it will provide funding for developers to rewrite various pieces of core open source software."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Open source projects are the foundation of all modern digital infrastructure, and their importance needs no explanation. Google regards memory safety vulnerabilities as a real threat that plagues countless systems. A recent study found that roughly 70% of the vulnerabilities addressed by security updates each year are memory safety issues. A separate analysis of the security bugs in the curl command-line tool showed that a memory-safe language would have completely eliminated 53 of all 95 bugs. Using the curl effort as a template, Google hopes to rewrite more core open source software that is currently written in other languages."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"In fact, software written in unsafe languages often contains hard-to-notice bugs that can very well lead to serious downstream security risks. To address this, Google has expanded its partnership with the Internet Security Research Group (ISRG) to jointly rewrite various core open source software in memory-safe languages."}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Last December, Google launched a project called \"Criticality Score\", which generates a criticality score for each open source project in order to assess how important existing projects are. The metrics include the project's age, the number of individual contributors and organizations, user engagement, and how many other projects depend on it. Google said that identifying these critical projects is the first step in its plan to improve open source security, and that the OpenSSF (the Open Source Security Foundation, a Linux Foundation project of which Google is a member) will provide resources to the maintainers of these projects."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/ea\/ea963ba70d261c5cc26b81e92834c677.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"With this year's rewrite plan, Google has said more directly that it will provide money to push the rewrite of other core open source projects. But Google did not specify who will do the rewriting, or whether it will necessarily be the original maintainers. Some readers asked whether, if the rewrite is done by people from outside the original project, the money would then go to those new developers (which looks like a new job opportunity)."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"In response, ISRG's executive director explained: \"We plan to migrate open source software to memory-safe languages, with ISRG coordinating the funding as an intermediary. We select the projects and work out a plan together with the open source maintainers \/ developers, and we raise funds for it. Once someone (for example Google) funds a project, ISRG signs a work contract with the project's developers \/ maintainers. In some cases the open source maintainers may take part, but we hope to find contractors to do the actual work.\""}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"He also brought up two earlier improvement projects. For the curl work, ISRG funded curl's author directly; for the httpd work, Google (through ISRG) funded an httpd committer. ISRG's executive director predicted that in most future cases the money will mainly flow to the projects' maintainers \/ developers."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"However, Google paying to push rewrites of open source software has also been criticized by some as \"hijacking open source projects in the name of security\". The original maintainers of these projects are third parties unrelated to Google and ISRG, while the rewrite is carried out by developers Google chooses and trusts. In the end, users would have to choose between the Google-backed rewrite and the original; if the rewrite is more successful, it would amount, morally, to stealing the original author's work."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"image","attrs":{"src":"https:\/\/static001.geekbang.org\/wechat\/images\/c9\/c9b7c3174c31abc9c2b9b98039cee492.png","alt":null,"title":null,"style":null,"href":null,"fromPaste":false,"pastePass":false}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"heading","attrs":{"align":null,"level":2},"content":[{"type":"text","text":"Google is pushing Rust hard"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google believes that now is the right time to prevent this class of bug by using memory-safe programming languages. It has already achieved some results:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"blockquote","content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"To date, our free OSS-Fuzz service has found 5,500 vulnerabilities caused by memory safety errors across 375 open source projects. We have also set up a corresponding bug bounty program, hoping to encourage more people to use this fuzzing service through financial rewards. We have released projects such as Syzkaller to detect bugs in operating system kernels, and use sandboxes such as gVisor to mitigate the real-world impact of those bugs."}]},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"As an important starting point for this work, curl's HTTP and TLS backends are being rewritten in Rust, and Apache httpd is about to get a brand-new TLS library. As important gateways to the internet, the security of these codebases directly determines the data security of millions of users worldwide."}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Rust is today widely regarded as a memory-safety-focused systems programming language that combines low-level control over performance with modern language features. Google has therefore long wanted to expand its use of Rust, and has already begun using it in settings with extremely high memory safety and performance requirements, including critical parts of the Android system."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Projects in which Google is currently using Rust or contributing to the Rust ecosystem include:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Operating system modules in Android, including Bluetooth and Keystore 2.0"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Low-level projects, such as the crosvm virtual machine monitor and drivers used in ChromeOS (an alternative to QEMU)"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Contributions to open source projects that use Rust, such as the Mercurial source control system"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"FIDO security key support in firmware"}]}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"In addition, many other projects are evaluating Rust for new libraries or products. Some examples include:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"The ICU4X software internationalization project"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Parts of the new experimental operating system Fuchsia"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Research into GPU font rendering"}]}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google also supports the following Rust projects and their maintainers:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"bulletedlist","content":[{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Adding Rust code to curl"}]}]},{"type":"listitem","attrs":{"listStyle":null},"content":[{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Working with ISRG to add a Rust TLS module to the Apache HTTP Server project"}]}]}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google has spared no effort in promoting Rust. On February 8 of this year, together with AWS, Huawei, Microsoft and Mozilla (five companies in all), it announced the founding of the Rust Foundation and pledged a budget of US$1 million over two years for the development, maintenance and promotion of the Rust project, to support the maintainers who manage and develop it."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"Google said: \"Building on Google's long-term investment in C\/C++, compilers and toolchains, we are delighted to become a member of the Rust Foundation. We look forward to participating more in the Rust community, especially by working harder on the issues that matter to the whole industry, including interoperability with C++, coordinating security reviews and reducing the cost of crate updates, and to continuing to increase our investment in existing Rust projects.\""}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","text":"In any case, Google funding developers to rewrite open source software in memory-safe languages in order to raise the overall security of today's internet does not look like a bad thing."}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"text","marks":[{"type":"strong"}],"text":"Further reading:"}]},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null}},
{"type":"paragraph","attrs":{"indent":0,"number":0,"align":null,"origin":null},"content":[{"type":"link","attrs":{"href":"https:\/\/security.googleblog.com\/2021\/02\/mitigating-memory-safety-issues-in-open.html","title":"","type":null},"content":[{"type":"text","text":"https:\/\/security.googleblog.com\/2021\/02\/mitigating-memory-safety-issues-in-open.html"}]}]}]}
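The memory-safety argument running through the article (the 70% figure, the curl bug analysis, and the description of Rust as combining low-level control with safety) is easier to see in code than in statistics. The following is an added example written for this page; it is not code from Google, curl, ISRG, httpd or any other project named above. It parses a constructed length-prefixed record format (assumed here: a 1-byte type, a 2-byte big-endian length, then the payload) from untrusted bytes. This is exactly the shape of parser in which C code has historically over-read its buffer when the attacker-controlled length was trusted, Heartbleed being the best-known instance. In Rust the same slice access either returns `None` or panics; it cannot read memory past the end of the buffer.

```rust
// Added example for this page, not code from any project the article names.
// Assumed record format (constructed for illustration):
//   byte 0      : record type
//   bytes 1..3  : payload length, big-endian u16 (attacker-controlled)
//   bytes 3..   : payload, exactly `length` bytes

#[derive(Debug, PartialEq)]
pub struct Record<'a> {
    pub kind: u8,
    /// Borrowed from the input buffer: no copy, and the borrow checker
    /// guarantees it cannot outlive the bytes it points into.
    pub payload: &'a [u8],
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Fewer than the 3 header bytes were present.
    TruncatedHeader,
    /// The declared length exceeds the bytes actually present.
    TruncatedPayload { declared: usize, available: usize },
}

/// Parse one record from `input`, returning it together with the unconsumed tail.
pub fn parse_record(input: &[u8]) -> Result<(Record<'_>, &[u8]), ParseError> {
    // `first()` and `get()` return None instead of touching memory past the slice.
    let kind = *input.first().ok_or(ParseError::TruncatedHeader)?;
    let len_bytes = input.get(1..3).ok_or(ParseError::TruncatedHeader)?;
    let declared = u16::from_be_bytes([len_bytes[0], len_bytes[1]]) as usize;
    let body = &input[3..]; // safe: the header check above proved input.len() >= 3

    // The untrusted length is checked against what is really there. A C parser
    // that did `memcpy(out, body, declared)` here would copy from whatever
    // happens to follow the buffer in memory; this `get` simply yields None.
    let payload = body
        .get(..declared)
        .ok_or(ParseError::TruncatedPayload { declared, available: body.len() })?;

    Ok((Record { kind, payload }, &body[declared..]))
}

/// Parse every record in `input`, stopping at the first malformed one.
/// A single bad record rejects the whole buffer rather than yielding garbage.
pub fn parse_all(mut input: &[u8]) -> Result<Vec<Record<'_>>, ParseError> {
    let mut records = Vec::new();
    while !input.is_empty() {
        let (record, rest) = parse_record(input)?;
        records.push(record);
        input = rest;
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: two well-formed records, then a record whose declared
    // length (0xFFFF) vastly exceeds the single payload byte that follows.
    let good = [0x01, 0x00, 0x03, b'a', b'b', b'c', 0x02, 0x00, 0x00];
    let evil = [0x01, 0xFF, 0xFF, b'a'];
    println!("{:?}", parse_all(&good));
    println!("{:?}", parse_all(&evil));
}
```

Running `main` prints `Ok([...])` for the well-formed buffer and `Err(TruncatedPayload { declared: 65535, available: 1 })` for the hostile one. The point is that the error path exists at all: with `get(..declared)` an attacker-controlled length can only produce a rejected record, and even the lazier `&body[..declared]` would abort the process with a panic rather than leak adjacent heap contents. That is the class of bug the 53-of-95 curl figure refers to.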