Make uname always safe

[koute]

Currently uname doesn't check for errors and just blindly assumes that it always succeeds. According to the manpage this function can fail, even though no actual errors are defined:

RETURN VALUE
       Upon successful completion, a non-negative value shall be returned.  Otherwise, -1 shall be returned and errno set to indicate the error.

ERRORS
       No errors are defined.

       The following sections are informative.

Looking at the glibc's sources we can see that it indeed could fail if the internal gethostname call fails for some reason.

This code also assumes that every field of utsname is going to be initialized by the call to uname, which apparently is also not true. Even though the interface doesn't expose this field so it's not a problem in practice (although it might be UB since we do call assume_init on the whole struct) the utsname does have a domainname field which glibc doesn't initialize.

The code also assumes that every field is a valid UTF-8 string, which is also technically not guaranteed.

The code also assumes that every field will be null terminated, which might not be true if any of the strings are too long (since glibc uses strncpy which will not null-terminate the string if it ends up running out of space).

This PR should fix all of these problems.

This is a breaking change.

[asomers]

Do you know of any cases where the strings aren't valid UTF-8 ? It is certainly more convenient for the user if we return a &str than a &[u8]. Perhaps do a checked conversion to utf8?

[koute]

Do you know of any cases where the strings aren't valid UTF-8 ?

Not specifically, but e.g. someone could set a non-UTF8 hostname with sethostname which will end up in the nodename returned here.

It is certainly more convenient for the user if we return a &str than a &[u8]. Perhaps do a checked conversion to utf8?

Well, I see three possibilities here:

1. Return a &[u8].
2. Return a &str and panic if it can't be converted.
3. Return a Result<&str, Utf8Error>.

Converting the &[u8] to string on the user's side is just a matter of changing utsname.nodename() to std::str::from_utf8(utsname.nodename())? so it's not that big of a deal, and it's not like this is a super frequently used function. I'd rather not go for (2) because I think libraries shouldn't panic on errors, and (3) feels like a halfway measure.

[asomers]

What if it returns an OsString? Those are allowed to be non-UTF8. See fcntl::readlink for an example. Would that work?

[koute]

What if it returns an OsString? Those are allowed to be non-UTF8. See fcntl::readlink for an example. Would that work?

OsString allocates so that's not great, but I guess &OsStr should indeed work. Done!

[rtzoeller]

LGTM; can you squash and rebase?

[koute]

LGTM; can you squash and rebase?

Done!

[asomers]

bors r+

[bors]

Build succeeded:

• Android aarch64
• Android arm
• Android armv7
• Android i686
• Android x86_64
• DragonFly BSD x86_64
• FreeBSD amd64 & i686
• Fuchsia x86_64
• Illumos
• iOS aarch64
• iOS x86_64
• Linux aarch64
• Linux arm gnueabi
• Linux arm-musleabi
• Linux armv7 gnueabihf
• Linux armv7 uclibceabihf
• Linux i686
• Linux i686 musl
• Linux MIPS
• Linux MIPS64
• Linux MIPS64 el
• Linux mipsel
• Linux powerpc
• Linux powerpc64
• Linux powerpc64le
• Linux s390x
• Linux x32
• Linux x86_64
• Linux x86_64 musl
• macOS aarch64
• macOS x86_64
• Minver
• NetBSD x86_64
• OpenBSD x86_64
• Redox x86_64
• Rust Stable