TechCrunch Urges Developers: Replace C Code With Rust (techcrunch.com) 52
Software engineer and TechCrunch columnist Jon Evans writes that the C programming language "gives its users far too much artillery with which to shoot their feet off" and is "no longer suitable for the world which C has built." An anonymous reader shared Evans' post: Copious experience has taught us all, the hard way, that it is very difficult, verging on "basically impossible," to write extensive amounts of C code that is not riddled with security holes. As I wrote two years ago, in my first Death To C piece... "Buffer overflows and dangling pointers lead to catastrophic security holes, again and again and again, just like yesteryear, just like all the years of yore. We cannot afford its gargantuan, gaping security blind spots any more. It's long past time to retire and replace it with another language.
"The trouble is, most modern languages don't even try to replace C... They're not good at the thing C does best: getting down to the bare metal and working at mach speed." Today I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it -- slowly, bit by bit -- with Rust... we are only going to dig ourselves out of our giant collective security hole iteratively, one shovelful of better code and better tooling at a time."
He also suggests other fixes -- like using a language-theoretic approach which conceptualizes valid inputs as their own formal language, and formal verification of the correctness of algorithms. But he still insists that "C has become a monster" -- and that we must start replacing it with Rust.
Yes, replace billions of working C code with billions of lines of code in a new language. What could possibly go wrong?
Well if this guy says so, what doubts could you possibly have left?
He's not suggesting that at all.
"..I am seriously suggesting that when engineers refactor existing C code, especially parsers and other input handlers, they replace it — slowly, bit by bit — with Rust."
He's suggesting that when you refactor a critical piece of C code - in other words you're already going to change it and potentially add brand new C/C++ security issues - you instead use a language with some form of god damn formal verification and some fucking way of validating that you're not op
Yes. Formal verification of most production programs will not happen in my lifetime or yours, or possibly ever, because it's expensive and nobody's paying for it.
The simple fact is that there's a hue and cry about security but nobody really cares about it, because nobody's willing and able to pay what it would take to fix it.
Not only that, but which standard requires that a system have a rust compiler on it? POSIX and SUS (are they the same now?) require a C compiler. In practice I know that many systems have other environments available, but standards matter in some cases and there will be instances where C is an appropriate choice, if not the best or only choice.
I could understand advocating "choose rust instead of C for new projects" or "if you are considering rewriting major portions of a C project then con
I think we should replace c with COBOL, no pointers, no dynamic memory allocation, rounding errors with floats rare and all strings fixed length.
That is just as good an option as any for these crazy "my language is better than your's" posts
Well ain't that a self-confirming statement...
Sorry I am not discussing the anonymous coward behind it, but the statement itself...
"They just show up to post random nonsense and exhibit absurd biases" - that's exactly how I perceive the GP.
Wrong story, numb nuts.
Why now? Why rust? What about Ada? They're not so different that somehow the argument becomes that much better than it was for Ada. I just don't get all this rust hype. But, then again, I'm a C programmer, and I am 100% certainly I won't see C replaced in the systems I work on (cars), so it's a moot point. I would, however, support a move to Ada. My industry would never consider Rust. Pushing it over Ada is actually counterproduction, because it primes the C-suite to see languages pushed as a replacement fo
In part it's a cultural thing. Ada is considered "complex and verbose" (but compare with Java). Ada is, of course, from the DoD, so it's "obviously bad." Most importantly, Ada requires a bit more thought before you jump into the code.
The interesting thing about Ada is that a skilled practitioner learns how to use the language to his advantage. You code so the compiler checks as much as it can, so you can concentrate on things the compiler can't check. When the compiler and you agree the code is correct
Two other issues:
1) having lost the race, there is no longer a viable ecosystem of Ada compilers, tools, etc outside of a few specialized (and very expensive) aerospace and DoD environments. That creates a large chicken-and-egg barrier to its use
2) Back in the day Dijkstra strapped on the 10 most powerful swords and warhammers in human mythology and went after Ada full force. At the time his criticisms seemed on point, but with knowledge of what came after (e.g. Java) his obj
What about Ada?
I came to this story to post this very question.
Or Erlang. Or Ada. Or PL/I. Or... or any of the 23 languages/environments that have been proposed since the Ada/Pascal/C split circa 1975. Yet none of these proposals have taken root. Why not? Seems to me that is just as important a research question as developing Yet Another Correct Compiler for the Unbreakable
Basically, this is an admission that the average programmer is fairly shitty. Then again, you don't want average programmers working on anything important, so by sticking with c, you're not going to get the "rust, rust, baby" programmers.
Yeah.. expert C programmers never write insecure code.
Except for when they do, which is pretty much constantly because true expert C programmers know it's impossible to write any large piece of C/C++ software using it's native features without making at least a few mistakes.
If you're a C programmer, and you don't already know this, then you aren't an expert.
Hire competent C developers and you should be good to go. Hire dumb-asses and sure the future doesn't look bright.
The usual PR stunt of "use my new language that is so good and so simple even a stupid high school teen with an IQ somewhere between stone and plankton in the phylogenetic tree could use it without wrecking anything" is not going to convince anybody here. It's boring at best, and no-one cares about your "advice".
The linux kernel is in its 3rd decade, as most gnu/bsd tools and all of that is written in plain C. They are good and safe. Oh, maybe it's because they are written by competent guys.
The linux kernel is in its 3rd decade, as most gnu/bsd tools and all of that is written in plain C. They are good and safe.
Really? Are you sure [cvedetails.com]?
This is a common argument. What you're really saying is that a small number of elite developers feeling good about themselves is better than good tools that prevent mistakes.
And the response is "No, it's not." We need more people to be able to produce more with fewer mistakes. The number of developers who write production code will always be more than the number of developers who write mistake-free code. The way to get more mistake-free code is to eliminate opportunities to make mistakes.
Shorter version:
I've met a lot of very competent cabinetmakers over the years, but of those who use circular saws 80% are missing at least the tip of one finger. The SawStop technology seems like a good idea to me, although many deride it as "sissy stuff".
In any case, the history of the last 30 years shows that you really can't depend only on having hired the "competent" programmers - there aren'
C was one of the most influential languages the world has ever seen, but all things reach a point where time moves and and they are not good ideas for new projects any more. I don't think we should necessarily go replace every line of C code out there - couldn't if we wnanted to - but for new projects we should use better tools now.
Tools do matter. It's just way way way too easy to write buffer overflows in C, even for highly experienced programmers. History shows that clearly. We need better tools that
How about training developers on security policy, training mgmt on the need for secure code and the balance between acceptible risk and convenience, proper requirement and tests.
So great, you do all of that but your expert C coder still accidentally introduces an off by one error in a complex algorithm that he just didn't catch. It passes peer review, and all of your tests.
So much for all of your training, security policy, proper requirements and testing. You did everything right, but your software is still insecure.
"Rust" isn't a name that inspires confidence. Nor is "Corrosion," "Decay," or "Flatulence."
Hey - I resent your use of that last word!
One is data structures: in C there are no data structures. Any memory can be
C can certainly be extremely problematic in bad hands (increasingly careless attitudes in the programming world, anyone?). Also I don't see the point of using it other than under very specific conditions. But completely replacing it? I don