Gankra

this latest edition of "Android team posting nothing but Ws for adopting Rust" is super important because it identifies that:

*you don't have to actually rewrite all your old unsafe C/C++ code to get the benefits of adopting safe languages, in terms of reducing vulnerabilities*

because they identify that most bugs are in new/changed code (with exponential decay!), so if you preferentially write new code in a safe language, your vulnerabilities crater even though most of your code is still unsafe!

security.googleblog.com/2024/0
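A toy model of the argument in the post, added here as an illustration (not code from the linked article, and the numbers are constructed assumptions, not Google's data): every year a fixed amount of code is written, and each cohort of unsafe code contributes memory-safety vulnerabilities at a rate that halves with every assumed half-life. Switching only new code to a safe language leaves most lines unsafe, yet the expected vulnerability count in the final year collapses because the old cohorts have already decayed.

```rust
// Added example. LINES_PER_YEAR, VULNS_PER_MLOC_NEW and HALF_LIFE_YEARS are
// assumed parameters chosen to make the effect visible, not measured values.
const LINES_PER_YEAR: f64 = 1_000_000.0;
const VULNS_PER_MLOC_NEW: f64 = 100.0; // assumed rate for brand-new unsafe code
const HALF_LIFE_YEARS: f64 = 1.0; // assumed decay half-life of vulnerability density

/// Expected memory-safety vulnerabilities contributed this year by a cohort of
/// `lines` unsafe lines that is `age` years old (exponential decay with age).
fn cohort_vulns(lines: f64, age: f64) -> f64 {
    let rate_per_mloc = VULNS_PER_MLOC_NEW * 0.5f64.powf(age / HALF_LIFE_YEARS);
    lines / 1_000_000.0 * rate_per_mloc
}

/// Simulate `years` years of development. Code written in years before
/// `switch_year` is unsafe; from `switch_year` onward all new code is written
/// in a safe language and is assumed to contribute no memory-safety bugs.
/// Returns (expected memory-safety vulns in the final year, unsafe share of code).
fn simulate(years: u32, switch_year: u32) -> (f64, f64) {
    let mut vulns = 0.0;
    let mut unsafe_lines = 0.0;
    let total_lines = LINES_PER_YEAR * years as f64;
    for written in 0..years {
        let age = (years - 1 - written) as f64; // age of that cohort in the final year
        if written < switch_year {
            unsafe_lines += LINES_PER_YEAR;
            vulns += cohort_vulns(LINES_PER_YEAR, age);
        }
    }
    (vulns, unsafe_lines / total_lines)
}

/// Percentage reduction in final-year vulnerabilities from switching new code
/// in `switch_year` instead of never switching.
fn reduction_percent(years: u32, switch_year: u32) -> f64 {
    let (baseline, _) = simulate(years, years);
    let (switched, _) = simulate(years, switch_year);
    (1.0 - switched / baseline) * 100.0
}

fn main() {
    for switch_year in [10u32, 7, 5] {
        let (vulns, unsafe_share) = simulate(10, switch_year);
        println!(
            "switch in year {:>2}: {:>5.1} expected vulns/year, {:>3.0}% of code still unsafe",
            switch_year, vulns, unsafe_share * 100.0
        );
    }
    println!("reduction from switching in year 7: {:.0}%", reduction_percent(10, 7));
}
```

With these assumptions, switching in year 7 of 10 leaves 70% of the code base unsafe but cuts the expected yearly count by roughly 88%, which is the "vulnerabilities crater even though most of your code is still unsafe" effect; the half-life is the knob that decides how fast that happens.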

22 comments
Félix

@Gankra my professional opinion is that this is correct and you should RIIR mostly only if you need the code base to be safe on a shorter horizon than the half life of your bugs

Gankra

@fay59 eh with this result you still need to riir any component that gets a lot of changes. but like any Haunted components no one touches? fuck it

lena

@Gankra @fay59 just rewrite parsers and other user-input-related stuff and that already gets you like 90% there

Ceolaf

@Gankra @siracusa I THINK I understood that.

Was it snarky? If it was, I think I understood it. If it was not, I am SOL.

Sashanoraa 🏳️‍⚧️ :type_slut_verified: :fewwis: :uwunix:

@Gankra I want to introduce Rust at work, but my company's products mostly run on a RTOS that Rust doesn't support.

scunneen (he/him)

@Gankra Or we could just stop changing code. Which would bring with it the added benefits of not forcing people to buy new computers to keep up with ever increasing software bloat, and not changing the user interface in new confusing ways.

Mans R

@Gankra Rewriting the old code is also almost guaranteed to introduce new bugs, just not of the memory corruption kind.

Ted Mielczarek

@mansr @Gankra my experience with rewriting existing code (C++, Python) in Rust has overwhelmingly consisted of finding latent bugs in the original code.

Mans R

@tedmielczarek @Gankra That just means you haven't found the new ones yet. Also, nothing stops you computing an invalid index in Rust. Simply translating the code won't remove the bugs, only limit their consequences (which isn't a bad thing).

Gankra

@mansr @tedmielczarek "i ported the code faithfully and now it constantly crashes on tripped assertions" tends to result in a lot of bugs being removed :)

(also faithfully porting the C code is impossible anyway because of the curse of integer promotion and the like... which is pure upside to lose in the translation and will probably randomly remove several bugs)

Mans R

@Gankra @tedmielczarek Those assertions will only be tripped if your testing covers those cases, which it probably doesn't, or you would have already found the bugs.

There is also no guarantee that fixing type mismatches won't add bugs as well as remove some. I'd even say it's quite likely, having seen the mayhem caused by people "fixing" compiler warnings in C code without understanding it properly.

Mans R

@Gankra @tedmielczarek Don't get me wrong, built-in buffer overflow prevention is great, but wholesale code rewrites are much more risky than people seem willing to admit.

Gankra

@mansr you don't need to add any new tests/assertions, boring rust code will slap hundreds of new implicit assertions between unwraps(), bounds checks, and overflow checks and the like
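What "implicit assertions" in boring Rust look like in practice, as an added example (not code from anyone in this thread; the functions and sample buffer are constructed): a C-style loop with an off-by-one and a C-style length addition, ported without adding a single explicit test. The bounds check turns the silent over-read into a panic, and `checked_add` turns the silent wraparound into a `None`.

```rust
use std::panic;

/// Faithful port of a C loop with an off-by-one (`for (i = 0; i <= n; i++)`).
/// In C this silently reads one byte past the buffer when n == len; in Rust
/// the indexing operator carries an implicit assertion that i < buf.len().
fn sum_inclusive(buf: &[u8], n: usize) -> u32 {
    let mut total = 0u32;
    for i in 0..=n {
        total += u32::from(buf[i]); // implicit bounds check, panics on over-read
    }
    total
}

/// Run the port under catch_unwind so the tripped check shows up as a value
/// instead of aborting the process (what a test harness would report).
fn run_port(buf: &[u8], n: usize) -> Option<u32> {
    panic::catch_unwind(|| sum_inclusive(buf, n)).ok()
}

/// Port of `uint16_t total = hdr_len + payload_len;`. C wraps silently;
/// here the overflow is surfaced explicitly instead of producing a short
/// length that a later copy would trust.
fn frame_len(hdr_len: u16, payload_len: u16) -> Option<u16> {
    hdr_len.checked_add(payload_len)
}

fn main() {
    let buf = [1u8, 2, 3, 4]; // constructed sample input
    println!("in bounds:  {:?}", run_port(&buf, 3)); // Some(10)
    println!("off by one: {:?}", run_port(&buf, 4)); // None, bounds check tripped
    println!("frame len:  {:?}", frame_len(10, 20)); // Some(30)
    println!("wrapped:    {:?}", frame_len(65535, 1)); // None, overflow caught
}
```

The point of the example is that none of these checks were written as tests: the off-by-one is caught the first time any caller passes n == len, and the wraparound is caught wherever the lengths are combined, which is exactly the "hundreds of new implicit assertions" the post describes.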

Mans R

@Gankra If the C code passes your testing, then those tests are unlikely to trip any of the new (implicit) checks. That doesn't mean there are no bugs.

Ted Mielczarek

@mansr @Gankra you are moving the goal posts here but sure.

Rich Felker

@Gankra Ok but an even better way is to stop writing new code nobody asked for.

Jonathan Hendry

@dalias @Gankra

Even better is to stand up and walk into the nearest forest to live out your days.

Eniko | Kitsune Tails out now!

@Gankra is this because older code is going to be more stable and well tested so a lot of the vulnerabilities will have been removed already?
