Not really!

Showing that a present system has issues does not imply in any
way that a proposed new system (or major change) will fix the
said problems! This is a common fallacy that people fall for.
Many people. Many many people :-)

Nor does it say anything about the cost & disruption of making
such a change, or how long will it take for the change to realize
the promise.

I did a quick check to see how code size has increased (just
focusing on the kernel):

Snapshot LoC
R2.1.0: 464163
R3.1.0: 1036969
R4.1.0: 1364739
R5.1.0: 2183960
R6.1.0: 2718891
R7.1.0: 3396813
R8.1.0: 4029778
R9.1.0: 5436430
R10.1.0: 6268965
R11.1.0: 7902854
R12.1.0: 8216741
R13.1.0: 8900711
R14.1.0: 9769864
current: 9899932 (as of this morning)

On average about 775K lines are added per release, with a couple
of increases over a million. So even if *all* the new code that
gets added is in Rust and is totally bugfree, it will take a
further 12-13 years before the bugprone C code goes down to 50%.
[By then Rust may not longer be a hot language but that is for
another thread (or async/await)]

The point being, even if you add Rust, there is a long term need
to "do better" in the C code.
This would be about as quixotic as DARPA's TRACTOR program
(TRanslate All C code TO Rust)! No such AI exists today. Any
auto translated code needs to be hand checked. I suspect you're
better off teaching the AI about the common code bugs in C and
how to fix them or at least detect them.



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Is that a joke? Do you have any evidence? It sounds like wishful
thinking to me.

When I explain to my young colleagues that learnt to code in Java and
Rust how K&R C function definitions "worked", their eyes open wide in
amazement.
I'm not sure that I follow your argument. Are you saying that you can
build memory safety into C code and that if someone doesn't so they are
a bad programmer? What's the point - why not just use a memory safe
language?

A+
Paul





--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Paul Floyd wrote in
<9adc3619-bc38-4fe7-bf16-***@gmail.com>:
|On 05-09-24 19:45, Steffen Nurpmeso wrote:
|> Alan Somers wrote in
|
|>|The real takeaway here is that C is no longer sufficient for writing
|>|high quality code in the 2020s. Everyone needs to adapt their tools.
|>
|> I *totally* speak against this.
|> Quite the opposite i claim that C was safe already fifty years
|
|Is that a joke? Do you have any evidence? It sounds like wishful
|thinking to me.
|
|When I explain to my young colleagues that learnt to code in Java and
|Rust how K&R C function definitions "worked", their eyes open wide in
|amazement.

Yes, OpenBSD has started using prototypes in perl lately.
I still do not do that in the rare cases i use perl.
I came over (Basic, DOS batch, J(ava)Script) perl, JAVA, C++ to
C and never used prototype-less C myself, K&R, you really, really
have a point here.

Despite that it is unfortunate but true that prototypes in C and
also C++ not seldom do not tell the truth because bit enumerations
are missing, and so you have integers of various widths as "bit
carriers" through which completely unchecked bits are then passed.

Or at least in C, which does not support "easy super-class cast"s,
you also very often have to dumb-cast to meet prototyped
arguments, which is then an error shall the assumption break at
a future time. (For example, assume stupid name hierarchy
IOStream{bla;};
OutputStream{IOStream super;bla;};
TextOutputStream{OutputStream super;bla;};
and in order to call a function which takes IOStream* you likely
will brute-force cast a TextOutputStream instead of writing
&TOS->super.super, for which, it is clear, you also have a naming
rule in place.)
*Or* you have to create a dedicated macro series which does the
cast proper, then also using C-style aka manually stricked [RT]TI
aka type information, i think GTK uses this.
In short, object hierarchies and casting etc never was on the
agenda of ISO C, which results in aggressive and dangerous casts.
You know, there quite some relief could have been achieved very
easily, best even explicit, with say a new "super" or "base"
keyword (super is C++ so that it bad).

|> ago, it is just that the occasional one does not realize it.
|> *Nothing* prevents you from using a string object instead of
|> direct memory accesses, a vector object instead of arrays managed
|> via realloc(), and all that. *Nothing
|> If *you* do not do that that is your fault and you are a bad
|> programmer; moreover, you should not be allowed to vote in
|> a democratic environment (surely you do not read all the
|> magazines and newspapers, and watch or hear to policital
|> emissions, in order to build yourself a *real* opinion), be
|> enabled to drive a car, and what else not.
|
|I'm not sure that I follow your argument. Are you saying that you can
|build memory safety into C code and that if someone doesn't so they are
|a bad programmer? What's the point - why not just use a memory safe
|language?

Because Floyd means pink not paul, hah!
But answering your question i would say it does not make much of
a difference to me -- *if* i can go the way i want -- regarding
safety, but a lot regarding runtime and infrastructural overhead.
For example most of the development time i compile with tcc that
is 334640 bytes and links to almost nada.

#?0|kent:built$ ll tcc#20240731-1.pkg.tar.zst
-rw-rw---- 1 ports ports 273285 Aug 3 22:11 tcc#20240731-1.pkg.tar.zst

#?0|kent:built$ ll gcc#14.2.0-1.pkg.tar.zst
-rw-rw---- 1 ports ports 67854914 Aug 1 21:59 gcc#14.2.0-1.pkg.tar.zst

#?0|kent:built$ ll clang#18.1.8-1.pkg.tar.zst
-rw-rw---- 1 ports ports 74166358 Jun 22 21:26 clang#18.1.8-1.pkg.tar.zst
#?0|kent:built$ ll llvm#18.1.8-1.pkg.tar.zst
-rw-rw---- 1 ports ports 136797237 Jun 22 23:57 llvm#18.1.8-1.pkg.tar.zst
#?0|kent:built$ ll compiler-rt#18.1.8-1.pkg.tar.zst
-rw-rw---- 1 ports ports 3378581 Jun 23 00:02 compiler-rt#18.1.8-1.pkg.tar.zst

Unfortunately pcc is dead, it detected things that clang and gcc
did not (via warning options etc). tcc is very bad in such.

And then there is other overhead. For example if you have
a vector type then in JAVA an at() (iirc) access always asserts
the offset, and throws an ArrayIndexOutOfBoundsException (iirc) if
that is invalid. If you do that in C, you can ASSERT() the
offset. Or, if you know that the offset could be invalid, either
create a at_checked() or what accessor or add the check in your
code.

Or, if you have a string and want to resize it, you can check
against overflow, inline, and let the compiler optimize away most
the nonsense that effectively there is, for example

INLINE boole n_string_get_can_book(uz len){
return (S(uz,S32_MAX) - ALIGN_Z(1) > len);
}
INLINE boole n_string_can_book(struct n_string *self, uz len){
return (n_string_get_can_book(len) &&
S(uz,S32_MAX) - ALIGN_Z(1) - len > self->s_len);
}

Or, you compact memory allocations by allocating an object plus
additional room for whatever, one of the posted CVEs was like
that, ie do "buf = &(sp = ALLOC(sizeof(*sp) + LEN))[1]".
This is not possible if you have to live with language managed
objects, may they be safe.
Except for C++, which is (much too) flexible, and allows one to
create stuff like for example

#define su_MEM_NEW_HEAP(T,VP) new(VP, su_S(su_NSPC(su)mem::johnny*,su_NIL)) T
via
inline void *operator new(size_t sz, void *vp, NSPC(su)mem::johnny const *j){
UNUSED(sz);
UNUSED(j);
return vp;
}
via
struct johnny;
(ie *unfortunately* overloading works like that only).
and then the reverse via

#define su_MEM_DEL_HEAP(TP) su_NSPC(su)mem::del__heap(TP)
#define su_MEM_DEL_HEAP_PRIVATE(T,TP) (su_ASSERT((TP) != su_NIL), (TP)->~T())
via
template<class T>
static void del__heap(T *tptr){
ASSERT_RET_VOID(tptr != NIL);
tptr->~T();
}

In general all shit, unfortunately. Anyway with that you *can*
create aka manage objects in whatever memory chunk you want.

And, to me, i use objects whenever i can, which consist of other
objects, etc, and then i delete (or destruct, say) the objects
i hold, and they delete (or destruct, anyway) they consist of, and
in the end there is no memory leak. Memory leaks or buffer
overruns i usually do not produce.
But i *do* produce logical errors like

su_idec(): FIX: signed negative overflow would return S64_MAX
- else
+ else{
res = U64_MAX;
- rv &= ~su_IDEC_STATE_SEEN_MINUS;
+ rv &= ~S(u32,su_IDEC_STATE_SEEN_MINUS);
+ }

or

a_colour_mux(): HORRIBLE FIX! Assign correct pointer (Χάρης Καραχριστιανίδης)..
- }else
+ }else if(a_COLOUR_TAG_IS_SPECIAL(ctag))
cmp->cm_tag = ctag;
+ else
+ cmp->cm_tag = NIL;

and in that latter, indeed, a big fat C++ constructor that simply
initializes all members *even though* it directly thereafter sets
them to other values would have avoided it. (But these are so
*horrible* things that i often try to circumvent the condition by
creating specialized constructor which result in a partial
initialized object, which would then, i think, not be possible in
a "safe" language, at least easily.)

|A+
|Paul

Trio sang "Los Paul" (du mußt im voll in die Eier hauen, eh, "you
have to hit him hard in the testicles") over fourty years ago.
They meant Paul Breitner by then, but, still..

--End of <9adc3619-bc38-4fe7-bf16-***@gmail.com>

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It’s very hard to get good apples to apples comparisons here but the main thing to remember is that C and Rust compile down to the same instruction sets. For spatial safety, you have basically two cases:

- Things where the size is statically known and so all accesses are in bounds if their offsets are known.
- Things where the size needs to be carried around with the object.

There is nothing magic in C here. You either have fixed-sized things and a compiler will be able to statically bounds check (though will typically only warn for invalid ones) or you carry the length around and check it. The difference is that Rust or C++ can express both of these in the type system and so will always insert bounds checks for any access where they cannot be proven to be redundant.

The cases where you will see a difference are the ones where the safety depends on some extrinsic property that the programmer knows but which cannot be expressed in the type system. In C, you will do an unchecked access. In Rust, you *can* do unsafe things with raw pointers, but usually you won’t, and so you’ll get bounds checks that are redundant. Assuming, of course, that the assumption that the programmer made is correct and remains correct as the code is refactored. Which it often isn’t, and then you get security vulnerabilities.

David



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Agreed...

And use code analyzers/static analyzers..

I have not worked with Coverity recently, but when we did, it was pretty
good what it found & reported.
We had to convince that the $50K/year or $100K/year price tag, what ever
it was, was worth it because Coverity would do for a price per year what
we could not hire anyone to do for us with the same consistency, speed,
and accuracy.

There are several others.

More and more, these type of tools are being integrated into modern day
compiler tool-chains.

Use them!

The new Windows sudo tool is a good example of this. It was written in Rust and, as far as I know, no one has found any memory safety errors. Some large categories of potential vulnerabilities were eliminated by construction, which is great. Unfortunately, that didn’t stop it having a terrible security architecture that allowed remote privilege elevation. You don’t just need competent Rust programmers, you need competent Rust programmers who are domain experts.

David



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I check it from time to time hoping to find anything about
sys/dev/dpaa2, but no issues there reported. I wonder whether Coverity
configured in a specific way not to get any code from CURRENT.

I used to check it, years ago. But I gave up. The UI is too hard to
use and false alarms are both too frequent and too hard to suppress.
Plus, it's a real drag that I can't run the tool myself. Instead, I
need to wait for the next scheduled run.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

sigh. now i am back.

ske-***@pkmab.se wrote in
<***@berenice.pkmab.se>:
|Alan Somers <***@freebsd.org> wrote:
|> In fact, of all the C bug fixes that I've been involved with (as
|> either author or reviewer) since May, about three quarters could've
|> been avoided just by using a better language.
|...
|> To summarize, here's the list of this week's security advisories, and
|> also some other recent C bug fixes of my own involvement:
|
|After checking several of these examples, I'm wondering what the code
|would have looked like in some "better language", where those bugs would
|have been avoided?

Examples. I find the absolute opposite after checking four.
Ie, if you implement some SCSI command

-
- /*
- * struct scsi_sense_data, which is currently set to 256 bytes, is
- * larger than the largest allowed value for the length field in the
- * REQUEST SENSE CDB, which is 252 bytes as of SPC-4.
- */
- ctsio->kern_data_len = cdb->length;
- ctsio->kern_total_len = cdb->length;
+ ctsio->kern_data_len = ctsio->kern_total_len =
+ MIN(cdb->length, sizeof(*sense_ptr));

This is a super clear logic error, that even says the comment,
which did not care for security related impacts. It came in as
part of a tremendious super large patch "Add the CAM Target Layer
(CTL)." (130f4520cba830cc6da47c9f871fed78710a4709) in 2012, 34000
lines of code additions. There were a couple of fixup commits.
It seems to have been sponsored, but i have no idea of review or
anything. Compared to the WireGuard stuff, for example.
Now i had to look more deeply why the commit says three bytes
whereas the naive eye counts four. (Maybe NUL terminated.)

The ones from OpenSSL and ctld are more complex. But the libnv is
pretty clear again, it even uses strnlen() (urgh).

|E.g for the "use after free" or "unitialized memory" examples.

Examples. You are just saying.

|To me, several of those bugs seem fairly complex, and not just a
|question of having bounds checking for arrays or a borrow checker
|for pointers, or something simple like that.

Two of four.

|But maybe the bugs could have been detected[.]

yes, maybe. I doubt it.

|[.] and prevented if the
|code would have been forced to be expressed in a completely
|different manner by some other language? Or what is your vision
|of how that would be accomplished?

Actually yes. String objects.
I mean it is easy to say that, but if you look at the SCSI thing,
one would normally do things like eg

we_parse_THIS_SCSI_COMMAND([.]u8 *buf, u16 len){
...
/* C99 */{
struct a_mmc_cmd_x42_resp_data_head *dhp;

^argument etc of THIS_SCSI_COMMAND

dhp = R(struct a_mmc_cmd_x42_resp_data_head*,buf);
buf += sizeof(*dhp);
len -= sizeof(*dhp);
}
...
irp = R(struct a_mmc_cmd_x42_isrc_resp*,buf);

Unfortunately it was forgotten for one of many use cases, where
a byte buffer of reality matches a structure of a language
abstraction. How could a different language aid here.

|You seem to be saying that certain examples would be solved by
|a better language, and certain ones would not, so I suppose you
|do have some vision of how that would work.

And *i* am saying that for example the nvlist could have been done
very safely in C, if instead of strnlen() etc something more sane
would have been used. Like a string object. But it is more
typing work etc. *That* of course, yes.

|I'm just curious to learn more, since it is not obvious to me,
|and thus all the more interresting.

This is all very unspecific. I have also seen quite a lot of
things. What should be the answer to this unspecific question,
except continuation of this thread?

|/Kristoffer Eriksson
--End of <***@berenice.pkmab.se>

In support for that swedish hm virgin, yes, sweden is not a clean
country for sure.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Steffen Nurpmeso wrote in
<***@steffen%sdaoden.eu>:
...

hihihi saw the Somers .. but wanted to add

|Ie, if you implement some SCSI command
..
| we_parse_THIS_SCSI_COMMAND([.]u8 *buf, u16 len){
|...
| /* C99 */{
| struct a_mmc_cmd_x42_resp_data_head *dhp;
|
|^argument etc of THIS_SCSI_COMMAND
|
| dhp = R(struct a_mmc_cmd_x42_resp_data_head*,buf);
| buf += sizeof(*dhp);
| len -= sizeof(*dhp);
|}
|...
| irp = R(struct a_mmc_cmd_x42_isrc_resp*,buf);

This thing tested the lengths accordingly, of course.

...
|very safely in C, if instead of strnlen() etc something more sane
|would have been used. Like a string object. But it is more
|typing work etc. *That* of course, yes.

Now Option<Box<Vec<u8>>> or Vec::with_capacity(262144) is not that
much shorter than doing something in C proper types at hand
provided. (Btw C object constructors usually initialize their
types, too, .. that is why they are called constructors.
Of course: you need these objects, stdlib has none, but FILE,
which is horrific. Vec<u8>, hmhm...)

..etcetcetc.

--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I'm having trouble following your English, but you seem to be missing
the point. The point is not whether the bugs can be fixed in C; of
course they can, after all we just did. The point is that safe
programming languages make it nearly impossible to create the bugs in
the first place. For example, a language that uses RAII everywhere
makes it nearly impossible to allocate a structure without
initializing it. Nearly impossible to leak memory, too.
Again, I don't know what you mean. But it looks like a personal
attack to me. Please try to keep your discourse on the public mailing
lists respectful.

-Alan


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

I wanted to quickly drop a link to this HN thread:

https://news.ycombinator.com/item?id=41458508

The article covers how Rust is employed for bare-metal firmware in
Android. I thought it might be an interesting read for those following
this thread.

If you have problems accessing the blogpost you can use this archive
link:
https://archive.is/HitH8


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

Hey Baptiste et al,

I'm including the email I sent to this list last week below.
Unfortunately, due to having to clean up some fraudulent financial
activity last weekend, I didn't make any progress. I'm hoping to split
my time this weekend between working towards my OSCP cert and this
work.

==== BEGIN ORIGINAL EMAIL ====
So, to those thoughts, in list form (in no particular order):

1. Use of Rust compiler toolchain support will be for userland
components in an opt-in fashion. Meaning, all userland components
written in Rust will be optional.
2. It does not make sense to perform a vendor import of the Rust
compiler toolchain and standard libraries. All Rust code in the src
tree must be built from an external toolchain.
3. I believe the notion of an external toolchain could be abstracted
such that we can support any optional userland component written in
a language supported by that external toolchain. This would imply
that other alternative languages could be supported with minimal
work (Zig, TypeScript, Python, Java, etc.)
4. We could provide auto-detection mechanisms for determining which
external toolchains are available, their language support, etc. The
initial proof-of-concept would likely be limited to Rust to save on
time and complexity.
5. As the work matures, and perhaps as a requisite for eventual
inclusion, we could land support for more than Rust. This might be
a step too far, but hey, it's one of the thoughts I had.
6. So all of this wrapped up means that:
A. This is NOT a call to rewrite everything in Rust. This work will
only permit NEW, OPTIONAL components to be written.
B. Other languages/toolchains/ecosystems could be supported, not
just Rust.
C. Initial focus is on userland components. Rust in the kernel is
out of scope for this initial proof-of-concept.
D. I would like to see Rust in the kernel. That would be a good
next area of focus once userland support reaches some level of
maturity.

My first goal will be to get a better understanding of
src.git/Makefile and src.git/Makefile.inc1. As I study that, I'll also
study your work, Alan. I really appreciate the time you have taken. I
might reach out to you and Warner directly for further questions.
==== END ORIGINAL EMAIL ====

I feel like I should elaborate on item 6.A a little bit. It would be
cool to see some utilities rewritten in Rust (bhyve would be a great
candidate), but my work will focus only on new (completely optional)
utilities solely to get some momentum going.

I should also note that this likely will expand FreeBSD's existing
notion of an external compiler toolchain. If I understand correctly,
though, the existing external toolchain support targets C/C++ code.
I'd like to expand that to support !(C || C++), beginning with Rust.

So, for the community reading between the lines, I'm hoping to make
this support languages/ecosystems other than Rust. That includes
Ada/SPARK, Python, Java, or even Brainfuck for the true masochists.
;-)

I'm starting with Rust, though, because that's what appeals most to
me. Hopefully, as time progresses, others can expand that work even
further for those additional languages/ecosystems.

${LIFE} does tend to be a bit chaotic and unpredictable at the moment,
so I can't promise timeframes--which is why I usually use the word
"hope" when talking about what I would like to accomplish within a
given weekend/month/etc.

Let's see how this goes. :-)

Thanks,

--------
Rust is what all the cool kids run right now, which they will deny,
claiming that Rust Is Simply Superior in replies to this email,
despite this prediction.

But as I said in an email a couple of days ago: We should not
anoint some particular subset of programming languages or other.

We should answer the question "What is FreeBSD?" in a way which
does not contain a very short and controversial list of "approved
programming languages".

A pkg-based FreeBSD will allow the Rust people to write good code
for FreeBSD in Rust, and C, C++, Go, Lua, OBERON or Ada can freely
compete with them, without causing year-long slug-fests on the
mailing lists.

And if the INTERCAL people want to write FreeBSD kernel code in
INTERCAL, they get to maintain whatever it takes for their
compiler to grok the interfaces to the kernel, likewise for
any other language.

Poul-Henning


PS: I'm disappointed you did not mention Ada with SPARK.
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
***@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

CHERI does indeed look interesting. Another thumbs up there for David
Chisnall, I really hope that his endeavours take off.

ARM's MTE uses similar techniques (though less pervasive and less secure
as I understand it).

JF Bastien published a paper based on default initialization
https://www.open-std.org/JTC1/SC22/WG21/docs/papers/2022/p2723r0.html
I think that is a great idea.

A+
Paul


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It's really not a large movement, though, to get the bare basics done to
evaluate a new language. As stated repeatedly, we don't need the
toolchain for a new language in base and the new language wouldn't be in
the 'default on' path. That's not exactly a huge commitment, then you
talk about where it needs to go from there (preferably as part of
pre-commit discussion, but also ongoing as you want to try and expand).
We'll have to agree to disagree on that, I don't really see much
productive vs. slightly different phrasings of the same arguments.
That doesn't stop anyone from doing the basic xtoolchain integration.
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

We have Clang and friends, devd, zfsd, atf and kyua stuff, dtc, pmc
tools, config, users, and rs as C++ in src. At least some of these
started off as C programs.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

On Tue, 10 Sep 2024 10:11:54 -0500
Angry or not does not at all matter here.
Proceeding wrong direction because of insufficient discussion and
consensus is the waste of time.

Introducing brand-new language(s) into base is quite a large movement.
So my guess is that now is still the time for "brainstorming" before
starting actual and effective discussions.
Again, I think now is still at the time (phase/state) of brainstorming.
Non-chaotic brainstorming is in many cases useless.
What's making it difficult is that Rust is still a "moving goal".
No standards yet. So we have some more time until it settles.
Unfortunately, right, maybe.
But the direction Shawn noted for his PoC seems becoming better than
the start of these brainstorming.
Yes, C++ is already in our base toolchain.
But unfortunately, C++ doesn't seem to be treated as memory-safe
language. [2] So switching to C++ can cause future (governmental)
pressures for rewriting with another language again.

[2]
https://www.techrepublic.com/article/white-house-report-memory-safe-programming-languages/

Regards.

Have you already forgotten groff ?

We used to have groff in src for the man-pages.

Groff was written in C++ and since it was a "bootstraptool",
any breakage was high visibility.

If you look over the commitlogs, you find lots commits like:

commit 504de8da7e199124a8c798b87d22e86bd57adaea
Author: Marcel Moolenaar <***@FreeBSD.org>
Date: Wed May 22 01:04:42 2002 +0000

Don't build doc on ia64. No groff in sight.

and

commit 2d15e757812c1653497b1079e95ef260dc3db1d6
Author: David E. O'Brien <***@FreeBSD.org>
Date: Mon Nov 8 19:00:22 2010 +0000

Back out r214961 for skeleton.c -- it broke the groff build.

and many more, until we finally had enough:

commit 738919c0391b99947b758d85f6a8636be1886fbb
Author: Baptiste Daroussin <***@FreeBSD.org>
Date: Wed Jun 7 23:00:34 2017 +0000

Remove groff from base

All manpages in base are now compatible with mandoc(1), all roff documentation
will be relocated in the doc tree. man(1) can now use groff from the ports tree
if it needs.

Also remove checknr(1) and colcrt(1) which are only useful with groff.

Approved by: (no objections on the mailing lists)

I dont know or think that C++ was the root cause of all this trouble,
maybe even far from, but I think we got vaccinated against C++ in
src just the same.

Poul-Henning
--
Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
***@FreeBSD.ORG | TCP/IP since RFC 956
FreeBSD committer | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.


--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de

It’s worth thinking about why programming languages exist. Any modern language is Turing complete. In terms of what can be expressed, there is no difference between Rust, C, and C++. The important thing is that there is an infinite set of possible programs and a finite set of desirable programs. The goal of a programming language is to make it easier to express programs in the set of desirable programs than ones that are not in that set. Sometimes this is skewed away from specific sets.

The reason that we care so much about memory-safety bugs is that they allow an attacker to step completely outside of the abstract machine of the program. Unless you embed an interpreter/ compiler in your program, memory-safety bugs are about the only way that an attacker can get arbitrary code execution in your program. The kind of bug where an attacker provides a specially crafted file / blob of network data and then runs code on your machine is typically the worst thing that can happen.

Rust, in particular, skews towards making programs with memory-safety bugs much harder to represent. You can still do it, by using unsafe or relying on unsoundness in the type system as cve-rs does, but you have to try hard.

I consider that a desirable property in a language. I don’t have to think about whether I’ve made these bugs impossible (and, remember, WannaCry cost billions of dollars and depended on a single memory-safety bug), I get that for free and I can focus on other things.

David



--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de