this post was submitted on 27 Jun 2024
35 points (100.0% liked)


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published research looking into 172 key open-source projects and whether they are susceptible to memory flaws.

top 4 comments
[email protected] | 10 points | 2 months ago

First of all, yes, CVE-generating languages have been here a while, unfortunately. They are very ingrained and difficult to root out.

But most importantly

Ultimately, CISA recommends that software developers write new code in memory-safe languages such as Rust, Java, and GO and transition existing projects, especially critical components, to those languages.

Fucking pay them or write them yourselves. Y'all have endless money. You can of course wait and hope the situation resolves itself, or really it along if you rely on it so much.

Anti Commercial-AI license

[email protected] | 11 points | 2 months ago (last edited 2 months ago)

Fucking pay them or write them yourselves.

This. Refactoring the whole code is insanely time intensive, even if developers know multiple languages. All these critical components you rely on, you use without any compensation or support and then dare to complain it's not to your security standards. Fix it, or pay for it to be fixed.

[email protected] | 6 points | 2 months ago

What do you mean? We have our summer intern rewriting the entire Linux kernel in Rust with the help of ChatGPT. They are set to submit the PR by Friday night.

/s

[email protected] | 7 points | 2 months ago

Rewriting something in Rust could create more vulnerabilities. You would be throwing away your well-tested code and starting over from scratch in a language you may be less familiar with. A memory-safe language doesn't protect against everything.
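To make the last point concrete, here is an added example (not from the CISA report, the thread, or any project it discusses) contrasting what Rust's memory safety does and does not cover. The bounds check on a slice stops an out-of-range read from touching adjacent memory, but a fail-open authorization default and a silently wrapping length computation compile and run without complaint; both the permission check and the length helper are constructed for illustration.

```rust
// Added example: memory safety versus logic safety in Rust.
// None of this code comes from the CISA report or the discussion above.

/// Bounds-checked read. An out-of-range index can never read neighbouring
/// memory; `get` returns None and the caller has to handle the miss.
/// This is the class of bug (the C-style overflow) that memory safety removes.
pub fn read_field(record: &[u8], idx: usize) -> Option<u8> {
    record.get(idx).copied()
}

/// Constructed permission check with a logic flaw: an empty allow-list is
/// treated as "no restrictions", so the check fails open. The compiler has
/// no opinion on this; it is perfectly memory safe and still a vulnerability.
pub fn allowed_fail_open(role: &str, allowed: &[&str]) -> bool {
    allowed.is_empty() || allowed.contains(&role)
}

/// Corrected check: an empty allow-list denies everyone (fail closed).
pub fn allowed_fail_closed(role: &str, allowed: &[&str]) -> bool {
    allowed.contains(&role)
}

/// Integer overflow is not a memory-safety issue either. With wrapping
/// arithmetic (the behaviour of plain `+` in release builds) a length
/// computation silently wraps to a small value.
pub fn total_len_wrapping(a: u32, b: u32) -> u32 {
    a.wrapping_add(b)
}

/// The defensive form: `checked_add` returns None on overflow so the caller
/// can reject the input instead of continuing with a bogus length.
pub fn total_len_checked(a: u32, b: u32) -> Option<u32> {
    a.checked_add(b)
}

fn main() {
    // Constructed sample record.
    let record = [0x01u8, 0x02, 0x03];
    println!("in range:  {:?}", read_field(&record, 1)); // Some(2)
    println!("out of range: {:?}", read_field(&record, 9)); // None, not garbage

    println!("fail open, guest, empty list:   {}", allowed_fail_open("guest", &[]));
    println!("fail closed, guest, empty list: {}", allowed_fail_closed("guest", &[]));

    println!("wrapping length: {}", total_len_wrapping(u32::MAX, 1));
    println!("checked length:  {:?}", total_len_checked(u32::MAX, 1));
}
```

The takeaway for a rewrite: the bounds check comes for free, but the authorization logic and the overflow handling still have to be reviewed and tested exactly as they would in the original code base.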