this post was submitted on 28 Feb 2024
183 points (97.4% liked)

World News

32363 readers
269 users here now

News from around the world!

Rules:

founded 5 years ago
MODERATORS
 

Biden administration calls for developers to embrace memory-safe programing languages and move away from those that cause buffer overflows and other memory access vulnerabilities.

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 41 points 9 months ago* (last edited 9 months ago) (2 children)

Guys, C++ is gonna be dead in a couple of years now. Remember this comment…

…and read it again in ten years.

[–] [email protected] 3 points 9 months ago* (last edited 9 months ago)

Are you the guy who has been posting this same comment every 10 years over the last half century?

(Edit: is joke)

[–] [email protected] 1 points 9 months ago

Where's /remindme when I need it?

[–] [email protected] 32 points 9 months ago

Biden administration has fallen into the Rewrite it in Rust agenda.

[–] ScreaminOctopus 27 points 9 months ago (1 children)

Pretty crazy to reccomend Java as a secure alternative.

[–] [email protected] 8 points 9 months ago (4 children)

Why? What's wrong with safe, managed and fast languages?

[–] [email protected] 14 points 9 months ago* (last edited 9 months ago) (1 children)

Java's runtime has had a large number of CVEs in the last few years, so that's probably a decent reason to be concerned.

[–] [email protected] 3 points 9 months ago

Yep but:

  • it's one runtime, so patching a CVE patches it for all programs (vs patching each and every program individually)

  • graalvm is taking care of enabling java to run on java

[–] [email protected] 7 points 9 months ago

Nothing...

Only that descrition doesn't include Java

[–] ScreaminOctopus 3 points 9 months ago (1 children)

Nothing really, the JVM has a pretty troubled history that would really make me hesitate to call it "safe". It was originally built before anyone gave much thought to security and that fact plauges it to the present day.

[–] [email protected] 2 points 9 months ago

and how much of this troubled history is linked to Java Applets/native browsers extensions, and how much of it is relevant today?

[–] [email protected] 1 points 9 months ago (1 children)
[–] [email protected] 3 points 9 months ago

There's a difference between writing code on a well-tested and broadly used platform implemented in C++ vs. writing new C++.

[–] [email protected] 24 points 9 months ago (1 children)

As you wish. Time to start learning D and D++

[–] [email protected] 12 points 9 months ago

Hey girl, would you like my D or D++?

[–] [email protected] 23 points 9 months ago

Is that nottheonion?

[–] [email protected] 21 points 9 months ago (3 children)

You mean like android running java which is why everyone and their mom bought Israel's Pegasus spyware toolkit?

[–] [email protected] 18 points 9 months ago (1 children)

When was the last time you've heard of a memory safety issue in Java code? Not the runtime or some native library, raw dogged Java.

Memory safety isn't a silver bullet, but it practically erases an entire category of bugs.

[–] [email protected] 11 points 9 months ago

Fair point, even log4j was running java code, not literally hijacking the stack or heap.

That being said, I'm poking fun because C and C++ have low level capabilities of which only Rust offers a complete alternative of. Most of everything else is safe because it comes packaged with a garbage collector which affects performance and viability. I think Go technically counts if you set the GC allocation to 0 and use pointers for everything, but might as well use Rust or C at that point.

I guess I'm just complaining out of all the issues ONCD could point out, they went after the very broad "memeory-safe is always better" when most of the people using C and C++ need the performance. They only offered Rust as a potential alternative in the report with nothing else which everyone already knows. Would be nice to see them make a real statement like telling megacorps to stop using unencrypted SCADA on the internet.

[–] [email protected] 15 points 9 months ago

The apps are (sometimes) Java, but the OS is a mix of languages, mostly C and C++. The Java runtime itself is C++.

[–] [email protected] 4 points 9 months ago (1 children)

I love that Android chose Java so they could run it on different processor architectures, but in the end one architecture won out so Java wasn't necessary any more. I guess they didn't know at the time, but they'd claw back a tonne of efficiency if they dropped the Java VM.

[–] [email protected] 4 points 9 months ago

Java also made it very accessible to the vast majority of existing Java developers.

Way more Java developers than Objective C developers at the time.

I wasn't a fan of learning Objective C when I started learning just as swift was coming out but too new to use.

[–] [email protected] 10 points 9 months ago (2 children)

Meanwhile the report does not really single out C/C++

[–] [email protected] 2 points 9 months ago

What are you talking about? Did you read the report? On page 7 They directly say that C/C++ "lack traits associated with memory safety".

load more comments (1 replies)
[–] [email protected] 9 points 9 months ago (1 children)

Also like it’s the only source of vulnerabilities… in addition a lot of the trendy python libs are developed in C; do we also ditch those?

[–] [email protected] 7 points 9 months ago (1 children)

It is one of the main sources. Like, actually a very substantial fraction is memory related. I think It was more than 50%, granted those are estimates.

load more comments (1 replies)
[–] [email protected] 8 points 9 months ago

Nice. Now I'm waiting for all the Rust or whatever "safe" languages environments for embedded systems to fall from the sky. And please some that actually work on small processors with little memories.

[–] [email protected] 8 points 9 months ago

Rewrite it in Rust

[–] [email protected] 5 points 9 months ago

That's probably a good idea but I can see some proper longevity issues in that one

[–] [email protected] 2 points 9 months ago (1 children)

Shut up Brandon, you can’t even code. This is just propaganda from Big Rust.

[–] Batbro 10 points 9 months ago

I wanted you to know that I laughed and enjoyed this comment, ignore the haters 💛

load more comments
view more: next ›