| ▲ | socalgal2 5 days ago |
| > But: everybody understands that. Everybody does not understand that otherwise there would be zero of these issues in shipping code. This is the problem with the C++ crowd hoping to save their language. Maybe they'll finally figure out some --disallow-all-ub-and-be-memory-safe-and-thread-safe flag but at the moment it's still insanely trivial to make a mistake and return a reference to some value on the stack or any number of other issues. The answer can not be "just write flawless code and you'll never have these issues" but at the moment that's all C++, and Go, from this article has. |
|
| ▲ | blub 4 days ago | parent | next [-] |
| This comment highlights a very important philosophical difference between the Rust community and the communities of other languages: - in other languages, it’s understood that perhaps the language is vulnerable to certain errors and one should attempt to mitigate them. But more importantly, those errors are one class of bug and bugs can happen. Set up infra to detect and recover. - in Rust the code must be safe, must be written in a certain way, must be proven correct to the largest extent possible at compile time. This leads to the very serious, solemn attitude typical of Rust developers.
But the reality is that most people just don’t care that much about a particular type of error as opposed to other errors. |
| |
| ▲ | zozbot234 4 days ago | parent | next [-] | | > ... it's understood that perhaps the language is vulnerable to certain errors and one should attempt to mitigate them. But more importantly, those errors are one class of bug and bugs can happen. Set up infra to detect and recover. > in Rust the code must be safe, must be written in a certain way, must be proven correct to the largest extent possible at compile time. Only for the Safe Rust subset. Rust has the 'unsafe' keyword that shows exactly where the former case does apply. (And even then, only for possible memory unsoundness. Rust does not attempt to fix all possible errors.) | | |
| ▲ | blub 3 days ago | parent | next [-] | | Well yes, only in the safe subset, but the safe subset is the alpha and omega of Rust. Woe to those that use unsafe, for the scorn of the community shall be upon them. :) | |
| ▲ | pclmulqdq 4 days ago | parent | prev [-] | | A not-so-secret secret of Rust is that liberal use of 'unsafe' is pretty much required for certain classes of high-performance code. | | |
| ▲ | aystatic 4 days ago | parent [-] | | imo if you're sprinkling around `unsafe` in your codebase "liberally", you're holding it wrong. In general it's really not that hard to encapsulate most unsafety into a wide-contract abstraction; I’d argue where Rust really shines is when you take advantage of the type system and static analyzer to automatically uphold invariants for you |
|
| |
| ▲ | J_Shelby_J 4 days ago | parent | prev [-] | | > This leads to the very serious, solemn attitude typical of Rust developers. Opposite really. I like rust because I can be care free and have fun. |
|
|
| ▲ | tptacek 5 days ago | parent | prev [-] |
| Again: if you want to make that claim about correctness bugs, that's fine, I get it. But if you're trying to claim that naive Go code has memory safety security bugs: no, that is simply not true. |
| |
| ▲ | saurik 5 days ago | parent | next [-] | | I cannot find anyone in this thread (nor in the article) making the claim you are arguing against, though... the reason for the example isn't "this demonstrates all Go code is wrong", but merely that "you can't assume that all Go code is correct merely because it is written in Go"; now, most code written in Go might, in fact, be safe, and it might even be difficult to write broken Go code; but, I certainly have come across a LOT of people who are claiming that we don't even have to analyze their code for mistakes because it is written in Go, which is not the case, because people do, in fact, share stuff all over the place and Go, in fact, doesn't prevent you from all possible ways of writing broken code. To convince these people that they have to stop making that assumption requires merely any example of code which fails, and to those people these examples are, in fact, elucidating. Of course, clearly, this isn't showing a security issue, but it isn't claiming to be; and like, obviously, this isn't something that would be sent to a bug bounty program, as who would it even be sent to? I dunno... you seem to have decided you want to win a really minute pedantic point against someone who doesn't exist, and it makes this whole thing very confusing. | | |
| ▲ | ngrilly 4 days ago | parent [-] | | The terms correctness (from a PLT perspective) and safety (from a security perspective) are not equivalent and interchangeable. I see them mixed up too much in this discussion. | | |
| ▲ | ralfj 4 days ago | parent [-] | | PLT has used the term "type safety" for a very long time -- so "safety" does not imply a security perspective. And yes it is indeed very different from correctness. But the article doesn't claim that memory safety should imply correctness -- that would be ridiculous, obviously you can write buggy programs in memory-safe languages. The article claims that Go is not memory-safe. | | |
| ▲ | ngrilly 4 days ago | parent [-] | | I was referring to comments mentioning correctness and safety as interchangeable terms. The article doesn’t mix them up. | | |
|
|
| |
| ▲ | const_cast 3 days ago | parent | prev [-] | | I'm not understanding - if you're able to produce segfaults by, presumably, writing to memory out of bounds, what's stopping a vulnerability? Surely, if I can write past an array's bounds, then I can do a buffer overflow of some sort in some situations? |
|
