
Template:Did you know nominations/Rustls

From Wikipedia, the free encyclopedia
The following is an archived discussion of the DYK nomination of the article below. Please do not modify this page. Subsequent comments should be made on the appropriate discussion page (such as this nomination's talk page, the article's talk page or Wikipedia talk:Did you know), unless there is consensus to re-open the discussion at this page. No further edits should be made to this page.

The result was: withdrawn by nominator, closed by Narutolovehinata5 (talk) 00:56, 10 September 2024 (UTC)

Rustls

The project's crustacean mascot
Created by Dreamyshade (talk). Number of QPQs required: 1. Nominator has 6 past nominations.

Dreamyshade (talk) 21:48, 22 August 2024 (UTC).

  • Not a good hook. Makes no sense to the average person with no CS education. Many technical articles are not suited for DYK. (t·c) buidhe 07:01, 25 August 2024 (UTC)
  • Pinging two editors regarding possible hooks here given they are DYK regulars who specialize in tech articles. Narutolovehinata5 (talk · contributions) 01:14, 30 August 2024 (UTC)
Fixed pings: @Maury Markowitz and DigitalIceAge: Narutolovehinata5 (talk · contributions) 01:14, 30 August 2024 (UTC)
The hook is a little confusing to me because it's making it sound like Rustls wasn't written in Rust to begin with, i.e. it's a pre-existing library that's just now being adapted to Rust. I think if the hook were shorter, it would be more interesting. Something like "... that Rustls aims to improve internet security by replacing memory-unsafe software libraries?" DigitalIceAge (talk) 02:49, 30 August 2024 (UTC)
@DigitalIceAge: That might still be too specialist if the reader doesn't know what "memory-unsafe" means in this context. I asked for feedback over at WP:DISCORD, and Hilst suggested that the "Like other TLS implementations, a computer user may use Rustls without being aware of it, as an underlying part of an application or website" part has promise. Maybe that could also work? Narutolovehinata5 (talk · contributions) 03:09, 30 August 2024 (UTC)
I suppose. I don't think the concept of "memory safety" is particularly arcane or technical, but we could simplify the hook even further: "... that Rustls aims to improve internet security by replacing software libraries that are vulnerable to security bugs?" DigitalIceAge (talk) 03:23, 30 August 2024 (UTC)
Thanks Narutolovehinata5 for pitching in! I don't have a citation for "a computer user may use Rustls without being aware of it", so I don't think we can use it as a hook. (I included it in the article even without a citation because I believe it's Wikipedia:Common knowledge about low-level software libraries like this one, at least among people in the software field.) I believe that it's possible for non-specialists to find this topic somewhat interesting, as long as we do a decent job of writing about it, which is why I tried to include bits of context in the article itself. I like DigitalIceAge's simplified hook. Dreamyshade (talk) 03:44, 30 August 2024 (UTC)
I still don't think the original hook is too specialist. But if I had to pick, I'd go with DigitalIceAge's as well. Maury Markowitz (talk) 14:38, 30 August 2024 (UTC)
@Buidhe: Does DigitalIceAge's proposal satisfy your concerns? If it does, this should be ready for a full review. Narutolovehinata5 (talk · contributions) 07:45, 31 August 2024 (UTC)
  • Not surprising or interesting that they come out with better software that is more secure and less prone to bugs. (t·c) buidhe 12:14, 31 August 2024 (UTC)
@Dreamyshade, DigitalIceAge, and Maury Markowitz: Seems it's back to the drawing board then. Narutolovehinata5 (talk · contributions) 00:00, 1 September 2024 (UTC)
"... that Rustls aims to replace OpenSSL, an internet security library which is widely used by servers but is memory-unsafe?"
"... that Rustls aims to replace OpenSSL, which suffered from Heartbleed?"
DigitalIceAge (talk) 00:57, 1 September 2024 (UTC)
@Narutolovehinata5: I say the current hook is good as-is and do not need new ones. Maury Markowitz (talk)
I think the first one is workable, though I wonder if we can get a cited percentage number for the websites/servers that use OpenSSL (i.e. more than 90% of servers on the internet or 450 million websites on the internet)? I think the shock value is the fact of the magnitude of OpenSSL adoption (and consequently the mammoth task that ISRG/Rustls faces in changing that). Sohom (talk) 23:33, 2 September 2024 (UTC)
It seems tough to find a strong source for how many servers use OpenSSL. The original Heartbleed site estimated it by looking at Netcraft's Web Server Survey and adding together the Apache and Nginx sites, and Netcraft still publishes that survey, but these days you can use Apache or Nginx with Rustls instead of OpenSSL. This Akamai post from 2022 said "Approximately 50% of monitored environments had at least one machine with at least one process that depends on a vulnerable version of OpenSSL", but that's not a total count of OpenSSL in use, and that's a bit old anyway.
I also don't know if it makes sense to describe OpenSSL as "memory unsafe". It's had a lot of memory safety problems, but the current version may or may not have memory safety problems.
An interesting thing to me is that several US and non-US government agencies have advocated for "Secure by Design" software engineering, including using memory safe languages. So that's a potential direction for a hook, but I've only seen that referenced in connection to Rustls in press releases like the ones cited in the article, this one from ISRG, and from SIDN. Dreamyshade (talk) 01:51, 3 September 2024 (UTC)
I think using press releases as a basis for a hook is kinda shaky. This might need workshopping but how about something like:
... that Rustls aims to replace OpenSSL, a security library that has been used to sign certificates for over 223 million websites?
(The 223 million figure comes from a research paper published by Let's Encrypt in 2019 (which uses OpenSSL)[1]) Sohom (talk) 05:07, 3 September 2024 (UTC)
We'd need to do a bit of synthesis to make that claim, since that article doesn't say that Let's Encrypt uses OpenSSL. And Let's Encrypt is just one certificate authority, although ISRG says it's the world's largest certificate authority. All of that is related to an interesting bit of information in the article, that ISRG runs Let's Encrypt and plans to replace OpenSSL with Rustls this year, but my only citations are press releases from ISRG, which aren't great citations for a hook, and it's also not a great hook because of WP:CRYSTALBALL. Dreamyshade (talk) 18:08, 3 September 2024 (UTC)
  • I'm willing to withdraw this nomination, out of respect for the efforts of DYK volunteers. I think it's a neat little article, but it's tough to figure out a hook for it that can get consensus approval. Thanks all! Dreamyshade (talk) 23:59, 9 September 2024 (UTC)