I do not see what this has to do with Unix. The problem is not that programs interoperate or handle text streams, the problem is a) the supply chain issues in modern web-software (and thanks to Rust now system-level) development and b) that web applications do not run under user permissions but work for the user using token-based authentication schemes.

"endless list of CVE" seems rather exaggerated for coreutils. There are only very few CVEs in the last decade and most seem rather harmless.

I would say the least thing the scientific community needs is the packaging mess of Python introduced also on the lower level via Rust.

According to my experience, all the "zero-cost abstractions" from C++ most of the time make it more annoying to maintain and/or understand the code, especially with respect to resource management, introduce compatibility issues at the toolchain level, and - even when looking perfect in toy benchmarks - are often not even zero-cost (e.g. all the bloat the templates generate often hurts).

Even without Fil-C I do not think it is even clear that new software should be written in Rust. It seems to have a lot of fans, but IMHO it is overrated. If you need perfect memory safety Rust has an advantage at the moment, but if you are not careful you trade this for much higher supply chain risks. And I believe the advantage in memory safety will disappear in the next years due to improved tooling in C, simply by adding the formal verification that proves the safety which will work automatically.

Memory safety is absolute table stakes when it comes to formal verification. You can't endow your code with meaningful semantics if you don't have some way of ensuring memory safety.

That's far from trivial in Rust because of 'unsafe' blocks. There are approaches to verifying unsafe code in Rust, but formally verifying a Rust program is still likely to be significantly more complex than formally verifying, say, a Java program.

(And before someone says it: no you don't only have to verify the small amount of code in 'unsafe' blocks. Memory safety errors can be caused by the interaction of safe and unsafe code.)

At least you can grep for unsafe/system/unchecked in several alternative systems languages.

For C and C++, we have to hope the static analysis tool actually found all possible spots.

Despite the way it is going on as a drama between WG21 and community, C++ might eventually get Ada style profiles in C++29, lets see how it plays out.

Then you also would have something to grep for, [[profile:...]]

C? Same business as usual.

Grepping for unsafe blocks doesn’t help that much for formal verification, because you have to verify all of the code.

The easiest way to see this is to note that ‘unsafe’ itself doesn’t have any semantics, so it can’t possibly allow anything to be proved that couldn’t have been proved otherwise.

It helps finding locations for possible flaws outside the type system soundness.

Now if we go discussing formal verification in general, even something like Dafny or Lean may fail, if the proofs aren't correctly written for the deployment scenario.

Just like one may still die while wearing helmets, airbags, and security belts, yet the casualties amount is much worse without them.

It helps a human armed with only a tool as crude as grep. But if Rust didn't have the requirement to mark unsafe operations with the 'unsafe' keyword, that information could trivially be added back automatically. If you're doing correctness proofs of realistic Rust code, you'd better already have tools that are at least capable of looking through your codebase for any instances of raw pointer access, etc.

There's a lot of mythology around Rust unsafe blocks. They're a useful lint, but they don't alter the fundamental safety properties of the language.

The mythology of unsafe blocks goes all the way back to ESPOL on Burroughs, still sold nowadays by Unisys, for customers that want OS security as the number one feature, before anything else.

It was also adopted by several systems and application programming languages outside C geology, until C# came to be, which is probably the first curly brackets language with unsafe code blocks.

The first error naysayers make on the eyes of SecDevOps, thus losing credibility points, is to focus too much on Rust, and too little on history of secure systems.

The first fundamental rule is to reduce attack surface, on C, and C++ (until and if profiles come to be), it is all over the place.

I don't see folks that usually post on HN or Reddit going to buy Astrée licenses, or integrate Frama-C into their development process.

I am not sure what point you're trying to make. Who are the 'naysayers', and what are they saying 'nay' to? And what do they have to do with anything I commented on?

Anyone that downplays unsafe code blocks as it was a Rust invention, available nowhere else.

Then uses it as argument, that since Rust has unsafe, there is no benefit over using C or C++ with a plain static analysis tool, but a basic one, because they are unwilling to actually use the ones people pay for on high integrity computing certifications.

Your comment to me seemed a bit going towards that direction.

Hmm, no, my comment didn't say any of those things. Specifically, I did not comment on (and do not care if) unsafe blocks are a Rust invention, and I made no comparison between Rust and C or C++.

Maybe I misunderstood the point being made, then. Sorry about that.

https://news.ycombinator.com/item?id=47814965

Indeed, and this is why people who care about this are also proving memory safety in C. The issue is that we do not have good open-source tooling that specifically focuses on formal verification of memory safety in C.

The same risks as everyone that uses system installers for their C and C++ binary libraries, without spending one second looking into source code.

The commercial world of C and C++ is pretty much focused on binary libaries, and in many occasions access to source code is extra.

These are not the "same risks" at all.

> simply by adding the formal verification that proves the safety which will work automatically

"simply" and "formal verification" are usually oxymorons, never mind "automatically"

Fair enough, but I have seen how it works and for just temporal memory safety, it could be simple.

What makes you think that one can not add an explicit bound check in C?

It's trickier than it looks because C has mutable aliases. So, in C our bounds check might itself be a data race! Make sure you cope

Bounds checks have nothing to do with data races. GP is right, you can add bounds checks. Either using macros or (in C++) with templates and operator overloading.

Alas, in C or C++ you have mutable aliasing, so I'm afraid you do incur a potential data race because your bounds might alias. Be careful out there.

Also remember that in C++ you may get a reference in these cases and if you keep that reference rather than using it immediately now you also have a potential TOCTOU race because the reference was only valid when you did the bounds check.

True, but you do incur potential data races _everywhere_. There's no relation to bounds checking specifically.

Ah, maybe I should have made the example clearer

With mutable aliasing the length might change even though the data you care about did not, and so adding the check means incurring a race which did not previously exist and which certainly the naive C programmer cannot see...

We can definitely mitigate this in the type system for most real world scenarios, but you don't mitigate problems you don't know about, so knowing is what's important.

Depending on what you are doing, yes. But the statement I responded to "your only choice is crash" is certainly wrong.

If you can correctly add all the required explicit bounds checks in C what do you need Fil-C for?

Same reason any turing complete language needs any constructs - to help the programmer and identify/block "unsafe" constructs.

Programming languages have always been more about what they don't let you do rather than what they do - and where that lies on the spectrum of blocking "Possibly Valid" constructs vs "Possibly Invalid".

For temporal memory safety.

I do not know how Fil-C handles this, but it could raise a signal that one can then catch.

Reminds me of a commercial project I did for my old University department around 1994. The GUI was ambitious and written in Motif, which was a little buggy and leaked memory. So... I ended up catching any SEGVs, saving state, and restarting the process, with a short message in a popup telling the user to wait. Obviously not guaranteed, but surprisingly it mostly worked. With benefit of experience & hindsight, I should have just (considerably) simplified it: I had user-configurable dialogs creating widgets on the fly etc, none of which was really required.

The problem is not that society is too complexity but extremely unequal distribution of money. Those few that have most of it usually did not earn it by providing a useful service to society and for them it becomes a random investment game without consequences which creates additional winners that also never produced something useful.

There is something fundamentally wrong with Windows or Visual Studio that it requires ugly solutions.

At least you can use the compiler/linker without them.

XML is already terrible. But the main problem seems to be that they created something similar but incompatible to make.

> Completely different set of command line options from gcc and clang, but that's fine.

Clang does have clang-cl with similar command-line options.

This is fitting for something simulating cargo, which is a huge supply chain risk itself.