Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Programming

White House Urges Devs To Switch To Memory-Safe Programming Languages (infoworld.com) 228

Tontoman shares a report: The White House Office of the National Cyber Director (ONCD) urged tech companies to switch to memory-safe programming languages, such as Rust, to improve software security by reducing the number of memory safety vulnerabilities. Such vulnerabilities are coding errors or weaknesses within software that can lead to memory management issues when memory can be accessed, written, allocated, or deallocated. They occur when software accesses memory in unintended or unsafe ways, resulting in various security risks and issues like buffer overflow, use after free, use of uninitialized memory, and double free that attackers can exploit.

Successful exploitation carries severe risks, potentially enabling threat actors to gain unauthorized access to data or execute malicious code with the privileges of the system owner. "For over 35 years, this same class of vulnerability has vexed the digital ecosystem. The challenge of eliminating entire classes of software vulnerabilities is an urgent and complex problem. Looking forward, new approaches must be taken to mitigate this risk," ONCD's report says. "The highest leverage method to reduce memory safety vulnerabilities is to secure one of the building blocks of cyberspace: the programming language. Using memory safe programming languages can eliminate most memory safety errors."

This discussion has been archived. No new comments can be posted.

White House Urges Devs To Switch To Memory-Safe Programming Languages

Comments Filter:
  • Nooooo (Score:5, Funny)

    by Anonymous Coward on Wednesday February 28, 2024 @11:01AM (#64275742)

    Liberals coming for my compiler! Guns are next!

  • The '90s called. (Score:5, Interesting)

    by smoot123 ( 1027084 ) on Wednesday February 28, 2024 @11:20AM (#64275784)

    They'd like to have their buffer overflow angst back.

    I mean, they're not wrong but surely this is common knowledge by now. No one codes in C without realizing memory management and buffer overruns is a problem.

    Seriously. Go fix some real problems like standardizing password complexity rules or encouraging developers to use alternatives to passwords.

    • Re:The '90s called. (Score:5, Interesting)

      by serviscope_minor ( 664417 ) on Wednesday February 28, 2024 @11:26AM (#64275810) Journal

      No one codes in C without realizing memory management and buffer overruns is a problem.

      Plenty of people do, especially the JuSt DoNt WrItE bUgS crowd.

      Back in the real world something like 70% of CVEs are memory related fuckups. Clearly, lots of people are writing in C who don't get this stuff correct. Any claim to the contrary flies in the face of evidence.

      Writing safe C code is very expensive and people are less productive doing so. Compare SEL4 (safe C) to OpenBSD (merely very good C) to Linux (C). Which one are you actually going to use?

      • Re: (Score:2, Interesting)

        by Anonymous Coward

        >Plenty of people do, especially the JuSt DoNt WrItE bUgS crowd.
        Regrettably so. I still occasionally encounter people who look at C as a "real programmer's" language and who have disdain for memory safety constructs, which are seen as nerfing a language.
        IMO this kind of overconfidence is both juvenile and counter to the engineering ethos of having public safety in mind.

      • by mysidia ( 191772 )

        Why don't we Amend the C language to make the fuckups harder?

        Add these features

        1. Automatic initialization of newly-defined variables to 0. For example char buffer[256] creates a character variable, And automatically initializes it to all zeros.

        2. Automatic tracking of pointers. When an object is free()'d with free(pointer), then the runtime should Automatically zero all variables that pointed to that object.

        3. Automatic tracking of the Boundary address of the object pointed to by a pointer.

        char

        • by SchroedingersCat ( 583063 ) on Wednesday February 28, 2024 @01:01PM (#64276114)
          Static analysis tools and modern compilers will warn about static boundaries if it can be traced. The problem is millions of lines of existing code. Everyone want to party and do new exciting things - no one want to stay and cleanup.
        • Mostly performance.

          Just to pick the low-hanging fruit here, your automatic initialization of a 256 char buf takes a lot of cycles. Later on, the function may not even need to access the buffer, or it might only need to write part of it.

          This is the kind of thing the Rust guys gave a lot of thought.

          So let's say instead that at compile-time, char buf[256] generates a compiler warning: WARNING. DECLARED array of raw char. It still compiles, but it warns.

          Instead, let's add zchar to the language. This does

        • Program in MISRA C. select abd use a functional safety development process that ensures bidirectional traceability. And leave the people who want to use vanilla ISO C alone.

        • 1. Automatic initialization of newly-defined variables to 0. For example char buffer[256] creates a character variable, And automatically initializes it to all zeros.

          Because not all memory accesses are accesses to memory.

          2. Automatic tracking of pointers. When an object is free()'d with free(pointer), then the runtime should Automatically zero all variables that pointed to that object.

          That should do some fun shit with DMA controllers.

          Has it occurred to you that maybe you don't really understand all the use cases for the language?

        • >2. Automatic tracking of pointers. When an object is free()'d with free(pointer), then the runtime should Automatically zero all variables that pointed to that object.

          Thats expensive at run-time, both in time and the amount of runtime code needed to manage it. It's impractical in C as a language to track all holders of a pointer. If it was easy then garbage collectors would be easy.

          3. Automatic tracking of the Boundary address of the object pointed to by a pointer.

          Also expensive. Each operation spends extra code validating the access.

          These are things that Rust already does - but when used in embedded or real time system, programmers usually turn off these checkers. These are things C++ also does, if you use the new types. The "new" C language would a

      • No one codes in C without realizing memory management and buffer overruns is a problem

        I heard the same in the 80s. I expect it was also claimed in the 70s. :-)

        There is no licensing or proficiency testing for obtaining a compiler. They will literally give them to anyone, which the predictable results.

    • Re: (Score:2, Redundant)

      I mean, they're not wrong but surely this is common knowledge by now. No one codes in C without realizing memory management and buffer overruns is a problem.

      So you are confirming that C is not memory safe as the White House alleges then? And your solution to the problem is what? Do nothing?

      Seriously. Go fix some real problems like standardizing password complexity rules or encouraging developers to use alternatives to passwords.

      Well that's a red herring and false dichotomy in one. They are suggesting possible ways to mitigate Problem A. You've dismissed it by complaining about Problem B.

      • by mysidia ( 191772 )

        So you are confirming that C is not memory safe as the White House alleges then?

        Ultimately everything backs up to a CPU that is not memory safe.

        High level languages can Add a lot of safety features, But high-level languages are also slow,
        All the extra features of high-level languages add cost which can be so high that many things can't be written in a high-level language.
        Because HLLs add ineffiencies; which lose you Time, performance, and of course energy efficiency.

        For example, the last thing you want i

        • Ultimately everything backs up to a CPU that is not memory safe.

          And whoever said that the recommendation was everything must be 100% memory safe? No one. Some languages like Rust offer better memory protection than others like C. That is the recommendation: use languages that offer better memory protection.

          High level languages can Add a lot of safety features, But high-level languages are also slow, All the extra features of high-level languages add cost which can be so high that many things can't be written in a high-level language. Because HLLs add ineffiencies; which lose you Time, performance, and of course energy efficiency.

          The recommendation is to use more memory safe languages. The recommendation is not to switch everything to high level. For example, Rust can be used for low level programming.

    • Seriously. Go fix some real problems like standardizing password complexity rules or encouraging developers to use alternatives to passwords.

      NIST already did that about 7 years ago. [nist.gov]

    • by darkain ( 749283 )

      "Seriously. Go fix some real problems like standardizing password complexity rules or encouraging developers to use alternatives to passwords."

      Spoken like someone far outside of the infosec space.

      There is literally an organization inside of the United States Federal Government that does just this:
      https://pages.nist.gov/800-63-... [nist.gov]

      • by mysidia ( 191772 )

        The standard is woefully out-of-date and needs to be rewritten.

        Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters

        The entire 8-character namespace can be brute forced with many of the password hashing schemes in use for verifiers; an attacker with a GPU farm can exhaust the whole of 8 character MD5 hashes within about 10 minutes.

        They should have recommend that memorized secrets Not b

        • an attacker with a GPU farm can exhaust the whole of 8 character MD5 hashes within about 10 minutes.

          So use a different hash algorithm. If you're using MD5 for anything, you're asking for a beating.

          They should have recommend that memorized secrets Not be used as a primary authentication factor.

          That's the only authentication mechanism that is easily changed when compromised. It has it's role in modern authentication precisely because of that quality. Demanding it be removed only shows that you value convenience more than actual security.

          SSH's Public key challenges; Push-based authenticator apps

          Both of these requires the authentication keys to be on an internet connected device. Insecure.

          Smart Cards with a PIN+Challenge, FIDO2 security keys

          These require the device holding the authentication keys to be direct

    • by Darinbob ( 1142669 ) on Wednesday February 28, 2024 @04:30PM (#64276928)

      The snag is that the Rust missionaries are persistent in their proselytizing. Get just one advocate on your team and suddenly the VP is holding meetings to investigate the Rust idea...

      This is not a new idea to throw out decades of code and start from scratch (the minor increase in quality will more than pay for the multi-year total conversion project). Way back when on an embedded project one new employee who was currently learning Java was adamant that we convert a working project on a 50 person team to be Java. On an 8086, for a real time system, when there were not native code compilers for Java. We disagreed because it was utterly impractical; could not be done, would be too expensive, etc. He refused to listen to any of the reasons and went and quit, started his own company doing Java, and at a Java One conference he gave a key note address where he badmouthed the previous company. In some people the zealotry takes a firm hold and won't let go. And I see that attitude in many Rust advocates.

      The snag for me is that anything with a long list of "pros" but no "cons" is indistinguishable from a scam. I'd trust a Rust a lot more of its missionaries would just admit that it's not perfect.

  • by Fons_de_spons ( 1311177 ) on Wednesday February 28, 2024 @11:21AM (#64275786)
    How is the NSA going to do its job when all programs are memory safe?
  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday February 28, 2024 @11:24AM (#64275804) Journal

    There will be slashdotters who argue that unsafe languages are perfectly fine, you just need to hire competent programmers. They're idiots. Well, that's not really fair; they're not so much idiots as people who don't want to learn something else trying to defend their skillset. But if there's one thing we've thoroughly proven in software development over the last few decades it's that even the most competent programmers make mistakes. This shouldn't surprise anyone -- we're human! But this is why we build tools to help us.

    Most software development has already switched to managed languages that use run-time bounds checking and garbage collection to avoid huge numbers of pitfalls. These languages are more efficient with developer time, which is far more valuable in most cases than machine time, so nearly all application development has moved to them. Javascript, Java, C#, Python, Go, etc.

    But some software, especially system software, really does need higher performance and more predictable execution times than you can get with managed languages with GC. Until recently, Modern C++ (C++ that relies heavily on RAII, eschews naked pointers almost entirely, etc.) has been our best option for writing high-performance, tight code with minimal risk of serious memory management mistakes or bounds errors. It still requires discipline, because you have to follow the Modern C++ guidelines. Tooling can help to detect when you stray from them.

    Rust is, I think, a better solution for this context.

    I write security-critical code, code that uses cryptography to bootstrap core security features for the world's most popular consumer operating system (Android). We've been experimenting with and using Rust for the last 3-4 years, and it's just plain better. Once engineers learn the language well, they get stuff done as fast or faster than with C++ (which is in turn much more efficient in terms of developer time than C), and there are far fewer bugs. Obviously there are basically no memory bugs or integer overflow bugs, and Rust also helps to avoid some concurrency bugs. We're using it both in "big system" configurations (Linux, i.e. normal Android) and in tiny embedded environments, such as in the Titan M secure element. The latter is more difficult, because many of the libraries aren't available in "noalloc" configurations ("noalloc" means no heap, basically; all memory allocation is static), but it's getting better and is actually somewhat easier to work with than C++ in very constrained environments.

    If you do low-level microcontroller development, OS development, game engine development, etc., you should give Rust a serious look. If you do application development you should use a managed language.

    • by AsmCoder8088 ( 745645 ) on Wednesday February 28, 2024 @11:46AM (#64275858)

      As you say, Modern C++ allows for one to adopt the primary selling point of Rust: memory safety. Furthermore, because C++ has been around for ages, developers have access to a much higher breadth and depth of libraries and frameworks (e.g., Eigen for linear algebra). So, there does not really seem to be any particular advantage to using Rust.

      • Except that you should not use C++ for the all the use cases as Rust or C. Rust is an alternative to C for use in low level programming in cases that should never use C++. For example, the Linux kernel and most other kernels like BSD and Windows are written in C not C++.
        • The language could be safe, but all those block pointers to pass non-trivial amounts of data to OS still exist. So the OS must be that way, too, and still couldn't trust the block was free and clear.

          • I did not read that anyone said that this recommendation automatically ensures that all code is safe forever. The recommendation is to use more memory safe languages to help with the problem. In bad weather, it is suggested that people drive slower to avoid accidents; that does not mean accidents never occur when it is good weather.
        • by mysidia ( 191772 )

          Windows uses a lot of C++. Also; there was recently some Patch request about changing the Linux kernel to C+;
          that could possibly happen soon

          • Not for the kernel it does not. Programming for Windows and Linux can be in C++. Programming the kernel of Windows, BSD, and Linux is in C. I have heard that Windows is currently developing parts of the kernel in Rust. Linus Torvalds has pretty much said no to C++ in the kernel. They tried it once and it was a disaster.
          • Also; there was recently some Patch request about changing the Linux kernel to C+;
            that could possibly happen soon

            I take it that was a language compromise between the C programmers and the C++ programmers?

            • I do not doubt there was a request. I doubt Linus would ever change the kernel to C+ or C++. After all Linux just moved from C89 to C11 in 2022 so I do not see moving to C+ or C++ anytime soon. The Linux kernel has to work on a wide range of hardware some of which has a lot of legacy code. It would be a major undertaking and not much benefit. After all the kernel does not allow for Rust either; they are only experimenting with drivers being written in Rust.
      • As you say, Modern C++ allows for one to adopt the primary selling point of Rust: memory safety.

        No, Modern C++ allows you to get most of the benefits, but not all, and only with additional effort and additional risk as compared to Rust.

        Furthermore, because C++ has been around for ages, developers have access to a much higher breadth and depth of libraries and frameworks (e.g., Eigen for linear algebra).

        Somewhat. Rust makes it very easy to call C libraries, and Google is sponsoring a project to make interoperability with C++ easy.

        So, there does not really seem to be any particular advantage to using Rust.

        I disagree with this completely. And note that I've been writing C++ for over 30 years and I'm actually very fond of the language.

      • Eigen for linear algebra

        https://www.nalgebra.org/ [nalgebra.org], FYI.

    • by Dusanyu ( 675778 )
      That’s the problem this article and the conclusion are so hard to not to agree with the comments are going to end up as just silly as a rule.
    • by dfghjk ( 711126 )

      "Most software development has already switched to managed languages that use run-time bounds checking and garbage collection to avoid huge numbers of pitfalls"

      False.

      "...so nearly all application development has moved to them."

      Only a small fraction of "software development" is "application development".

      "If you do low-level microcontroller development, OS development, game engine development, etc., you should give Rust a serious look."

      Matching the tools to suit the job is what you should always do. Dependin

      • Matching the tools to suit the job is what you should always do. Depending on the job, Rust may be of no benefit at all.

        But the poster is not advocating switching to Rust blindly. The suggestion is to determine if Rust is suitable for their use cases. Maybe it is not. Maybe it is.

      • "Most software development has already switched to managed languages that use run-time bounds checking and garbage collection to avoid huge numbers of pitfalls"

        False.

        "...so nearly all application development has moved to them."

        Only a small fraction of "software development" is "application development".

        No. Most software development is at the application level, not the system level, or on bare metal (though this latter category is a lot bigger than most realize). And my statement that most application development has moved to managed languages is correct. The data is easy to find.

        "If you do low-level microcontroller development, OS development, game engine development, etc., you should give Rust a serious look."

        Matching the tools to suit the job is what you should always do.

        This statement is nearly a tautology, but I find that most of the time it's stated like this, it's an excuse for not actually using the tool best suited to the job, but instead to use the tool the speaker prefers. In particular,

      • by ranton ( 36917 )

        Only a small fraction of "software development" is "application development".

        I don't think this is correct. I couldn't find a root source for the statistic, but I found many websites claiming about 85% of software development is enterprise application development.

    • Pretty much in agreement. A lot of Rust's syntax makes me want to gouge my eyes out; but that's something you eventually get over, especially if you're young. If I were in my 20s I'd be getting over it NOW because Rust or something like it is the future for systems programming.

      There's no excuse for putting yourself in a situation where you could shoot your foot off, when you've got a language that protects you without compromising performance.

      The real pity is that the C standard's committee dragged their

      • A lot of Rust's syntax makes me want to gouge my eyes out

        thread_rng().gen::<[u8;32]>()

        I mean, how could that possible be clearer? :^)

      • by mysidia ( 191772 )

        I would propose creating a new standard body.. call it D or something.
        Import all of C, and add the minimal changes necessary to close the most common problems.

        Then add optional features to address the rest.

        You can move a Lot faster if you don't need to have a large panel with committee meetings.

        • You'll need another name because D is taken [wikipedia.org]. I think you'll get some resistance if it's not standard C. Yes, the standards bodies are sssssssssllow, but there's that whole psychology of wanting something that's "stable", and has industry buy-in. Is there any way to *quickly* install heavy-hitters from big names and move quickly? I don't think so. It's the never ending tension between small startups and independent devs that can move fast like we need, and large companies that can endorse the ideas and

        • Might be a smaller step to start with a language that already supports some mark up for analysis directives and contracts, such as Ada. We can call the new safety and formala analysis extensions something snappy, like SPARK.

    • There will be slashdotters who argue that unsafe languages are perfectly fine, you just need to hire competent programmers. They're idiots. Well, that's not really fair; they're not so much idiots as people who don't want to learn something else trying to defend their skillset. But if there's one thing we've thoroughly proven in software development over the last few decades it's that even the most competent programmers make mistakes. This shouldn't surprise anyone -- we're human! But this is why we build tools to help us.

      Most software development has already switched to managed languages that use run-time bounds checking and garbage collection to avoid huge numbers of pitfalls. These languages are more efficient with developer time, which is far more valuable in most cases than machine time, so nearly all application development has moved to them. Javascript, Java, C#, Python, Go, etc.

      But some software, especially system software, really does need higher performance and more predictable execution times than you can get with managed languages with GC. Until recently, Modern C++ (C++ that relies heavily on RAII, eschews naked pointers almost entirely, etc.) has been our best option for writing high-performance, tight code with minimal risk of serious memory management mistakes or bounds errors. It still requires discipline, because you have to follow the Modern C++ guidelines. Tooling can help to detect when you stray from them.

      Rust is, I think, a better solution for this context.

      I write security-critical code, code that uses cryptography to bootstrap core security features for the world's most popular consumer operating system (Android). We've been experimenting with and using Rust for the last 3-4 years, and it's just plain better. Once engineers learn the language well, they get stuff done as fast or faster than with C++ (which is in turn much more efficient in terms of developer time than C), and there are far fewer bugs. Obviously there are basically no memory bugs or integer overflow bugs, and Rust also helps to avoid some concurrency bugs. We're using it both in "big system" configurations (Linux, i.e. normal Android) and in tiny embedded environments, such as in the Titan M secure element. The latter is more difficult, because many of the libraries aren't available in "noalloc" configurations ("noalloc" means no heap, basically; all memory allocation is static), but it's getting better and is actually somewhat easier to work with than C++ in very constrained environments.

      If you do low-level microcontroller development, OS development, game engine development, etc., you should give Rust a serious look. If you do application development you should use a managed language.

      I won't argue that this isn't a good idea in concept. I'd only argue that the government has as much right to tell us what programming language to use as they do what we eat and drink. They can recommend this, and that's all fine and dandy. But the nature of our government today means some idiot up the chain is going to think this needs to be legally mandated, and even the study of existing languages or "historical" languages will end up being somehow an attack on the state. "If we let the C programs exists

    • by codebase7 ( 9682010 ) on Wednesday February 28, 2024 @05:49PM (#64277136)
      There will be slashdotters who argue that safe languages are the future. They're arrogant buffoons. Well, that's not really fair; they're not so much buffoons as people who don't want to learn from their mistakes trying to defend their laziness. But if there's one thing we've thoroughly proven in software development over the last few decades it's that even the most competent programmers make mistakes. This shouldn't surprise anyone -- we're human! But this is why we strive to learn from our mistakes and do better.

      Most software development has already switched to move fast and break things development cycles and shipping Alpha quality software to ensure record profits quarter over quarter. These development methods are more efficient with shareholder value, which is far more valuable in most cases than the well being of societies that depend on them, so nearly all application development has moved to them. Microsoft, Google, Apple, Meta, etc.

      But some software, especially system software, really does need a proper development cycle that can weed out security bugs and test for regressions. Proper coding can be achieved but it requires dedication, time, and discipline, because you have to resist the urge to release first and patch later. Proper management can help to reinforce this when you stray from it.

      Proper market incentives and legal requirements are, I think, a better solution for this context.

      I write code as a hobby, code that under no circumstances would I consider fit for widespread use in production environments without a thorough audit, and it's just plain better. Once companies learn to actually audit their systems and software, they will get stuff done as secure or more securely than with laze-fair development practices, and there are far fewer exploitable vulnerabilities and unnecessary code bloat. Obviously there are basically no importing entire sets of libraries for a single one-liner statement, and audits help to avoid those bone-headed default password problems. We also don't have to completely deprecate the use of an entire computing concept because some random buffoon decided we couldn't use it properly and thus needed to be forbidden from touching it to save ourselves. (Seriously, noalloc? You do...No, you don't. You just want to cling to the current fad and don't care at all about why your noalloc solution just means some hacker is going to use a different opcode to do the same thing before implementing their own memory management if they so desire....)

      If you do any programming at all, you should give proper critique and audits a serious look. If you want to be handheld through your programming, you should hire someone else to do it for you.
  • https://cacm.acm.org/magazines... [acm.org] Note the discussion on how they handle recursive structures, adopting an approach from Rust.

  • In situations where one needs to use a very low-level language (think firmware, OS kernels, et cetera), a subset of C++ is used with very few exploitable memory safety issues. In other contexts, there are so many built-in mitigations, that I don't see memory safety as a top security concern and it's now more of a quality issue. Not that I'm suggesting being lax in this area. Just that exploiting a buffer overflow in anything other than kernel code is pretty challenging if the built-in protection features
    • by dfghjk ( 711126 )

      "Just that exploiting a buffer overflow in anything other than kernel code is pretty challenging..."

      Particularly when the code has no buffers to overflow, for example. Throughout my career I have worked on few projects even conceptually vulnerable to memory safety issues. Memory safety is an interest topic for a relatively small subset of computer programming. A highly visible subset that so many thinks is all there is.

    • In situations where one needs to use a very low-level language (think firmware, OS kernels, et cetera), a subset of C++ is used with very few exploitable memory safety issues.

      Which OS kernels use C++? Linux, BSD, Windows, etc. all use C and some assembly. Programming for the OS can use C++ but the kernel itself is not written in C++.

    • If you want dynamic allocation, there isn't really an accepted "subset" I can see. The C++ core guidelines are too generic to give guarantees (Bjarne doesn't even like subsetting and certainly not dialects which abandon backwards compatibility and the standard library, which is what is truly needed) and say SaferCPlusPlus is not exactly an industry standard.

      Relying on ASLR/etc is basically assuming no iOS/Android level exploiters ever look at your code for a couple minutes. If Apple and Google can't keep co

  • Wouldn't it be better if we had better if we had effective application memory protection built into the OS?
  • That's Rich (Score:5, Funny)

    by avandesande ( 143899 ) on Wednesday February 28, 2024 @11:54AM (#64275880) Journal
    The White House weighing in on anything about memory....
  • Lisp (Score:5, Funny)

    by pele ( 151312 ) on Wednesday February 28, 2024 @11:55AM (#64275886) Homepage

    Why do you people keep avoiding lisp for the past 60 years like the plague?

    • Having had to write a program or two in LISP in college, long, long ago, I was glad I got them to work and I'd never have to write in LISP again.

    • Lisp is like entering the AST directly in to the compiler. Some problems map well to that; but a lot don't. Pure functional programming (I know Lips isn't necessarily like that, but it encourages it) also corresponds poorly to a lot of real world situations. Game devs love C++ for this reason--the object life cycle maps really well to things like a monster spawning, interacting with other entities, and getting destroyed. In theory you could shoe-horn that in to a parenthesis delimited AST. It's just a

    • Why do you people keep avoiding lisp for the past 60 years like the plague?

      LISP is fine. I write elisp daily for small tasks. But it hasn't proven to be a very good language for most application spaces. The modern managed languages are easier to work with and provide the same benefits. And LISP is definitely not an alternative to Rust; among other issues, LISP basically requires GC.

    • by drnb ( 2434720 )

      Why do you people keep avoiding lisp for the past 60 years like the plague?

      I had the prolog vaccination.

    • by jd ( 1658 )

      Lots of Irritating Single Parentheses.

      A far better language for many use cases is TCL/Tk.

  • If we can get ChatGPT to spot security problems, couldn't we run it against all our code bases and eliminate a lot of the issues?

    Seems like a very powerful tool for discovering/fixing that kind of thing. If it can be done.

    --PM

    • It sure as hell knows how to create them, and memory leaks. For fun I had it generate some really boilerplate C++ code and spent the weekend debugging it.

  • I will contact my congresstwat and demand he stop Brandon from taking my compiler. Honestly he will eat that shit right up.

  • ..by the turf war of the programming languages, the rubber hose exploitation team is merrily going about its business.

  • by DriveDog ( 822962 ) on Wednesday February 28, 2024 @03:58PM (#64276834)

    How about "Urge tech companies to stop squeezing coders until nobody skilled is willing to write code"?

    That's where the real problem lies. It always comes down to management. Sometimes there's a long lag, but it always goes back there.

Experiments must be reproducible; they should all fail in the same way.

Working...