Docs on available tools and when to use them

[vakaras]

It seems that most issues on this repository are about improving tooling. However, I think that it is also important to teach the community how to use these tools efficiently. Are there any plans to prepare documentation that introduces in a single place the tools available, explains when they should be used, and at least links to the documentation on how to use them? Maybe, it would be good to explain not only how to use specific tools, but also have links to more generic tutorials such as this one on fuzzing?

[Shnatsel]

I am very hopeful about something like Clippy containing knowledge on anti-patterns instead of a guide. Simply because nobody cares about a guide, while clippy is right there.

However, high-visibility info on proper processes and available tooling would be great. For example, cargo-asm is something a lot of people want but many do not discover. I didn't back in the day. There's a Rust 2019 goals post calling for writing exactly cargo-asm.

But there is definitely room for other resources, such as Rust Fuzz Book and perhaps an "optimizing without unsafe" guide.

[DevQps]

@vakaras I currently created an issue with all the security related project and tools here: #30 . However we're still trying to find a good place on where to publish this list. We should probably add some rationale on what each project does and why it is useful as well. EDIT: If you have any idea's let us know :)

[vakaras]

@DevQps Thank you for compiling this list. I think it is a really nice starting point from which at some point we could try to build a “security cookbook”.

[DevQps]

@vakaras I think so as well! It might be nice to also have a list of relevant articles / pre-RFCs. The only question that remains is: Where to publish them? It would be nice if newcomers do not have to spend too much time looking for a list like this. You have any idea's where we could put this?

One option would be to add a new file to our repository and put a link in the README? Or would that bloat the README?

[vakaras]

Currently, the README contains the goals that this working group wants to achieve. However, I think it would be good to have some information in the README about how this group is moving towards these goals (if I understood correctly, that was your idea in #31?). Maybe there we could also give a link to the list of tools?

[DevQps]

@vakaras That was the general idea of #31 indeed! But I currently only listed the work items, and it feels like it would be a bit too unclear for a beginner. Some information about how we move forward to the goals in a more general sense would be nicer I think! Do you have any suggestions on how to approach this?

I can make a PR that adds a README link to the projects (I will create a separate document for that then). With a bit of luck I will be able to do that tomorrow or this evening if you think that's a good idea!

[vakaras]

@DevQps Sorry, for the late reply. I have missed your message.

But I currently only listed the work items, and it feels like it would be a bit too unclear for a beginner.

Yes, also I am not sure if it would not be better to have a label for each goal and simply add a link to each goal that shows all issues tagged with the corresponding label.

Do you have any suggestions on how to approach this?

Not really. Maybe, we could elaborate each goal a little bit to make it clearer what is meant?

I can make a PR that adds a README link to the projects (I will create a separate document for that then).

To me personally that sounds like a good idea. Of course it would be good hear also from others.

[DevQps]

@Shnatsel

@DevQps Sorry, for the late reply. I have missed your message.

But I currently only listed the work items, and it feels like it would be a bit too unclear for a beginner.

Yes, also I am not sure if it would not be better to have a label for each goal and simply add a link to each goal that shows all issues tagged with the corresponding label.

Do you have any suggestions on how to approach this?

Not really. Maybe, we could elaborate each goal a little bit to make it clearer what is meant?

I can make a PR that adds a README link to the projects (I will create a separate document for that then).

To me personally that sounds like a good idea. Of course it would be good hear also from others.

@vakaras Thanks for your reply. I wonder: @Shnatsel What do you think about this?

[Shnatsel]

https://github.com/rust-secure-code/rustsec-projects is the first stab at this, thanks to @DevQps

[DevQps]

@Shnatsel I think we can close this one now right!

EDIT: Unless @vakaras feels like we should add some other kind of things, like tutorials and stuff.