Date: Thu, 12 Sep 2024 20:18:18 -0400
From: Joe Schaefer <joesuf4@gmail.com>
To: Pat Maddox <pat@patmaddox.com>
Cc: David Chisnall <theraven@freebsd.org>, Alan Somers <asomers@freebsd.org>, Chris <bsd-lists@bsdforge.com>, Warner Losh <imp@bsdimp.com>, FreeBSD Hackers <freebsd-hackers@freebsd.org>
Subject: Re: The Case for Rust (in any system)
Message-ID: <CAOzHqc%2BfakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw@mail.gmail.com>
In-Reply-To: <b0d17cd4-e5af-41a1-8b50-df5f43989258@app.fastmail.com>
References: <CAOtMX2g_om8mW-xB855LNOHa8C0T5X0WtgMPc0TTr6TwiMEicw@mail.gmail.com> <A9A99648-EA30-4C63-A88B-3E9CC7CCFF35@freebsd.org> <CAOzHqc%2By_NO9BG2ZAoKr9oA7iWU25nNFT1-y2Ug1%2BJZoCMpMSQ@mail.gmail.com> <b0d17cd4-e5af-41a1-8b50-df5f43989258@app.fastmail.com>
-Werror, valgrind, coverity, fuzzers, etc. CI is a thing.

On Thu, Sep 12, 2024 at 7:59 PM Pat Maddox <pat@patmaddox.com> wrote:
> I think you have those reversed.
>
> I would say that a compiler that notifies you of errors is more empathetic
> than one that doesn't, inasmuch as the compiler's designers' empathy is
> expressed through the tool.
>
> Knowing that we will write errors and can benefit from automated checks
> expresses humility to me.
>
> The safety net of such checks allows us to explore new ideas.
>
> C's "don't want memory errors? don't write none" approach is clearly more
> hostile and requires strict adherence to the rules.
>
> Pat
>
> On Thu, Sep 12, 2024, at 4:07 PM, Joe Schaefer wrote:
> > On the other hand, it is foolish to expect a programming language
> > itself to be more thoughtful and wise than the engineers who need to
> > solve a computational problem in the here and now.
> >
> > It's like banking on building an empire based on process enforcement,
> > civility, diversity of preferred quota stereotypes, and obedience;
> > instead of empathy, humility, diversity of thought, and ingenuity.
> >
> > Rust is in the former camp; C the latter. All progress in this fad
> > based universe leads to the same joy-free outcome of forever changing
> > our toolchain to keep up with industry norms that treat professionalism
> > in computer engineering as a market commodity.
> >
> > On Thu, Sep 12, 2024 at 3:52 AM David Chisnall <theraven@freebsd.org>
> > wrote:
> >> On 12 Sep 2024, at 00:14, Alan Somers <asomers@freebsd.org> wrote:
> >> >
> >> > "Memory safety == restrictive training wheels" is just a common
> >> > misconception.
> >>
> >> It's worth thinking about why programming languages exist. Any modern
> >> language is Turing complete. In terms of what can be expressed, there is
> >> no difference between Rust, C, and C++. The important thing is that there
> >> is an infinite set of possible programs and a finite set of desirable
> >> programs. The goal of a programming language is to make it easier to
> >> express programs in the set of desirable programs than ones that are not
> >> in that set. Sometimes this is skewed away from specific sets.
> >>
> >> The reason that we care so much about memory-safety bugs is that they
> >> allow an attacker to step completely outside of the abstract machine of
> >> the program. Unless you embed an interpreter/compiler in your program,
> >> memory-safety bugs are about the only way that an attacker can get
> >> arbitrary code execution in your program. The kind of bug where an
> >> attacker provides a specially crafted file / blob of network data and
> >> then runs code on your machine is typically the worst thing that can
> >> happen.
> >>
> >> Rust, in particular, skews towards making programs with memory-safety
> >> bugs much harder to represent. You can still do it, by using unsafe or
> >> relying on unsoundness in the type system as cve-rs does, but you have
> >> to try hard.
> >>
> >> I consider that a desirable property in a language. I don't have to
> >> think about whether I've made these bugs impossible (and, remember,
> >> WannaCry cost billions of dollars and depended on a single memory-safety
> >> bug), I get that for free and I can focus on other things.
> >>
> >> David
> >>
> >>
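As an added example, not code from anyone in this thread: a Rust parser for the kind of length-prefixed network blob David describes, where a crafted length can only produce an `Err` value inside the abstract machine rather than a read past the buffer. The record format (`u16` big-endian length followed by payload) and the constructed inputs are assumptions for illustration; skipping the bounds check would require an explicit `unsafe` block (for example `get_unchecked`), which this example does not use.

```rust
// Added example (not from the thread). Records are laid out back to back as
// [u16 big-endian length][payload]; the format is an assumption for illustration.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    Truncated,      // header or body shorter than the declared length
    LengthOverflow, // declared length would wrap the end offset
}

/// Parses every record in `blob`, returning borrowed payload slices.
/// Safe Rust only: an attacker-chosen length cannot index outside `blob`.
pub fn parse_records(blob: &[u8]) -> Result<Vec<&[u8]>, ParseError> {
    let mut records = Vec::new();
    let mut pos = 0usize;
    while pos < blob.len() {
        // `get` with a range yields None instead of reading past the buffer.
        let hdr = blob.get(pos..pos + 2).ok_or(ParseError::Truncated)?;
        let len = u16::from_be_bytes([hdr[0], hdr[1]]) as usize;
        let start = pos + 2;
        // checked_add cannot overflow for u16 lengths on 64-bit targets,
        // but the idiom keeps the arithmetic explicit and wrap-free.
        let end = start.checked_add(len).ok_or(ParseError::LengthOverflow)?;
        // Body shorter than declared: a crafted length becomes an error value.
        let body = blob.get(start..end).ok_or(ParseError::Truncated)?;
        records.push(body);
        pos = end;
    }
    Ok(records)
}

fn main() {
    // Constructed inputs: a well-formed pair of records, then a blob that
    // declares 65535 payload bytes while carrying only three.
    let good = [0u8, 3, b'a', b'b', b'c', 0, 1, b'z'];
    let crafted = [0xFFu8, 0xFF, 1, 2, 3];
    println!("good    -> {:?}", parse_records(&good));
    println!("crafted -> {:?}", parse_records(&crafted));
}
```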
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAOzHqc%2BfakrYQkdPSORYvChFL1JNtLZAS3AQM0GpJ0Em0cCgpw>