Comments
lotd796789d
Nothing stops a compiler from sneaking in a back door.
Ken Thompson did it in 1984 so it’s already a well-established practice.
Where does Mozilla fit in?
lorentz1493989d
Or, Rust is the safest in its performance class and the fastest in its safety class, so it's gaining adoption. The White House is saying more or less the same thing now that NIST was saying many years ago, and Cloudflare is one of many large companies publishing their performance-critical software in Rust, which had been in the works since the NIST report or even earlier.
The fact that Cloudflare is deeply embedded in US secret intelligence doesn't mean that they don't have actual technological problems that they need to solve.
lorentz1493988d
The whole thing received news coverage recently, but the events you mention are picked arbitrarily from a very long and gradual process where
- an increasing number of projects are built in Rust
- increasingly important organizations complain about the state of safety and point to the success of these projects as an example that the risk is unnecessary
- these factors compel industry leaders to launch an increasing number of projects in Rust
lorentz1493988d
@jestdotty Memory safety has been a major point of discussion since the 80s, and a real exploit used in Pegasus and prevented by Rust is uncovered about twice a year. There are orgs other than intelligence agencies both making and breaking things, and the US government has duties the NSA can't fulfill, such as defensive cybersec for the vast array of contractors and service providers that make the economy work, so I find it absolutely plausible that they're just getting on board with the most plausible solution.
CoreFusionX303087d
My gripe with this is that all these super safe languages all have a single point of failure. What if the language implementation itself has a vulnerability?
Sure, they can, and will, prevent noobs from shooting their foot, yet the true question is:
Shouldn't governments and mission-critical agencies just hire experienced programmers who just explicitly check shit even if the fucking language pinky swears nothing can go wrong?
Seriously, society is involving.
lorentz1493987d
@CoreFusionX How would you go about checking that rustc or GCC or the JVM or any particular program of reasonable size doesn't have vulnerabilities? You can't ever check that something doesn't have a bug, not automatically, not manually. The closest you can have is automated verification that specific invariants aren't violated.
lorentz1493987d
@CoreFusionX I guess the language would be less of a SPOF if the recommendations were diverse, but depending on how you read the report they kind of are; the White House isn't forcing Rust so much as bringing it up as an example of the kind of safety they would like to see. There are other languages that have similar features, and the NIST report didn't even mention Rust, just C and C++ as counterexamples, so I really think the concrete suggestion is "stop using C(++)" and not "start using Rust".
CoreFusionX303087d
@lorentz
That's precisely my point. You can't ever give a guarantee, so the proper way of addressing this is hiring people who *know what they are doing*.
Sure, have the language itself be a safety net, I'm all for it. But the announcement looks like misinformed propaganda, because, while it's true C can't actually provide that sort of safety, C++ has provided smart pointers, atomics, memory ordering and other such primitives since *ages* ago.
And anyone who knows what he's doing *uses* them.
white house props up "memory safe" languages
cloudflare releases all in one network connections library pingora as open source (for rust, a memory safe language)
cloudflare is sus. they were hosting that Ukrainian kill-list that was routed through Langley/FBI. when contacted by multiple people, they ignored the violations and complaints to take down the website
SEE IT WAS SUS
so I guess if you can put spyware on the low level and convince everyone to move to it, it'll give you an intel advantage
cloudflare being a CDN sure would give the American gov a lot of metadata to work with
and ofc businesses just want something that works, so on we go
Tags: random, conspiracy, politics, rust