The US government wants developers to stop using C and C++

Re: CISA may well be for the chop

Under Trump V2.0

JUst make all your apps supplied to the US Gov do two things.

1) Play the Jan 6th anthem on startup

2) Start every message with 'Trump is God'

And you will be safe... for the time being, as long as you are a White Male, born in the lower 48.

Re: It's not the language, it's just the way it's "talking"

This is correct.

The precise issue is that C the language is not "memory unsafe" because it doesn't do memory management, the libraries and apps do that.

So it is in fact the libraries and apps that are not memory safe.

Anyone writing some version of "C isn't memory safe" instantly loses a chunk of credibility.

Anyone writing some version of "C/C++ isn't memory safe" instantly loses most of their credibility.

Re: It's not the language, it's just the way it's "talking"

The problem is the PROGRAMMERS and PROJECT MANAGERS themselves! They don't comment or even perform Systems Analysis on ANY of their code!

Back in MY DAY, we had an actual Systems Analyst / Code Editor who usually led a set of multiple teams of 10 programmers whose team leads were specified to enforce a SINGLE CODING style that EVERYONE adhered to that included ENFORCING function names that made sense i.e. Save_File(); Save_Record(); Get_Record(); Get_Square_Root(); Get_Cube_Root(); Set_File_Position_In_Bytes(); etc. so that everyone code's was all the same style with the beginning and ending brackets properly positioned and corresponding to the start and end of programming blocks.

Then the Analyst ENSURED when the coders submitted ALL functions that each one ensured all local variables had zeroed-out or properly-initialized starting and ending values AND that proper exception-handling blocks were implemented to ENSURE that every function would return a valid default value or a properly defined error code that ALWAYS was handled by a master error-handling routine. Each function was ALSO tested to ensure minimum and maximum range limits which were clipped-to, rolled-over or error-handled within underflow or overflow exception-handling routines!

We also made sure that almost ALL functions were re-factored BY HAND to ensure that each function was 100 lines of code or less that called OTHER well-tested functions to ensure source code readability and lowering code complexity. At the top of each function, the programmer was FORCED to comment and describe the underlying mathematics AND underlying logic of the function using plain English and to detail its final purpose and HOW it worked at the lowest level. The Systems Analyst was to be MADE to understand the code itself from the comment itself and if he couldn't understand HOW it worked, the comment was revised until he could AND the source code function was tested to ENSURE it actually MATCHED what the comment said it did!

Within each code block comments, you could NOT simply repeat the function name itself but had to make a logical comment that described WHY we called or coded the specific sub-routine or sub-block in the way we did. Then, when all this coding was done to create an application such as a Fast Program Trader App, we TESTED the code on worst case scenarios that overloaded and underloaded network communications, disk reads/writes, memory reads, writes and memory allocations/deallocations and ENSURED that hardware and software failures would allow the code to FAIL GRACEFULLY and allow the logging and saving of interim or end-user data that could be easily recoverable so as to not waste further time or money. Even if there was a catastrophic hardware failure, we could always use the data logs and automatically recover to just before the failure happened and re-use the recovered data as-is or redo and correct it using a different mode of processing.

The Systems Analyst also made sure that they found the most COMMONLY USED functions from everyone's code that became part of a master common functions library that EVERYONE USED in the same manner using the same parameter style and naming convention so that we could reduce the coding footprint and better test for common failure points. Code that DEPENDED on those common function was rewritten and recoded to conform to the master common functions library conventions. In 99.99% of cases, those common functions were used in the same manner by programmers over and over again but written in a different style, so the Systems Analyst ENSURED that those functions were REDUCED to a well-thought-out-parameter-list that ended up as a single callable common function!

Coding projects FAIL due to bad management! A systems analyst that has serious code editing chops AND knows how to RE-FACTOR the source code of many individually written functions into a single common function library are literally worth their weight in GOLD! We also learned to figure out that an app only has SEVEN TASKS to accomplish:

1) End-User Interface for Web, Mobile and Desktop usage

2) Application Management User Interface for Web, Desktop and Mobile usage

3) Common local machine and network-based File Processing and Database Record Input/Output routines

4) RAM memory allocation, block memory usage/counting routines and in-memory

data management and in-memory and disk-based garbage collection routines.

5) Security and Encryption of saved and sent data packets and security/encryption of in-memory blocks and end-user/customer fields and records

6) Exception Handling, End-user Logging and Management Access Logging plus Graceful Failure application handling

7) Actual application-specific end-user data processing, complex math and bitwise manipulation and more-specific data logic and data fields handling

Number SEVEN was always the hardest to do BUT we got smart enough to ALWAYS have and save a master library of well-tested common routines within our common functions library that could be used over and over again on different projects. We never had to buy or licence EXTERNAL object-code libraries but rather made our OWN INTERNAL MASTER LIBRARY that was used for DECADES!

And BECAUSE we separated out the major functions of any given application into the above seven layers, it was EASY and FAST to update to new technologies such as mobile phone/tablet-specific HTML-5 web-front-ends and massively parallel GPU-based back-end grid-processing! We ended up working on 150+ applications with some over ONE MILLION LINES OF APPLICATION-SPECIFIC CODE that all used the same library made since the early 1980's that has been and will be updated until this day in 2024 and beyond! The new guys even said just how good and well-tested those common routines were done for use in even their largest coding projects!

Even when security changed from 256-bit AES encryption to Quantum Computing-Resistant encryption (i.e. Anti-SHOR's algorithm encryption!), it literally took less than one week of new code writing and three weeks of testing to ensure ALL the older programs and newer programs could switch easily and quickly to the latest in data security! None of the upper-level code or user interface code needed to be re-written, just the encryption routines themselves which could STILL call the legacy routines to ensure that older encrypted data could still be accessed and re-encrypted/re-formatted using the NEW routines! The end-users had no idea ANYTHING changed since the production executable code changeover was done on the beginning of a long-weekend and then tested for the extra two days before it was let loose on the employees and customers! It went smooth as silk DUE TO PROPER SYSTEMS ANALYSIS and proper code and application implementation management!

The coders can now concentrate on the complex application-specific data processing itself and the types of results needed for that processed data. User interfaces, file and record Input/Output and memory handling is all taken care of by the common functions library and is so WELL-ABSTRACTED that it runs on older hardware AND the latest hardware and on MULTIPLE operating systems. The code was so well written and tested that we made this all possible even for today's programmers who STILL use all our code!

My manager was one of the BEST I have ever seen and no wonder he got to retire after 40 years of management as a mid-single-digits multi-millionaire! He well-earned that money! And I notice the NEW SYSTEMS ANALYSIS GUY is just as good because he is now just as well-trained! I can see they pay him enough to stay AND let him manage such that the company will do very well for another 40 years!

V

Re: It's not the language, it's just the way it's "talking"

RUST is WOKE.

Re: It's not the language, it's just the way it's "talking"

But this is the entire problem now.

Developers are increasingly lazy and few appear to have any concept of security, testing regression testing.

The more you dumb things down the worse it gets because the entire process becomes tied to the latest fad that is spewed out of university Computer Science courses.

Sure the hackers are getting smarter but the number of holes is also getting larger and the rank stupidity of development teams getting worse. Until there is real accountability for the shite (mostly from Agile teams) that is pushed out nothing will change.

The only side effect now appears to be:

"we will do better next time"

"This was a one off" (that similar things have happened passes the morons by).

"It was a sophisticated attack"

"No sensitive data was compromised" (We have not yet found it on the dark web for sale)

I might be sceptical around this but I have been in IT for too long the mistakes are simply getting too numerous to count and the quality appalling.

Re: Is this a bandwagon I see before me?

No... Just Rusty

Re: Which language do you think is used to implement all those memory-safe languages?

Go is written in Go.

The early ones were bootstrapped in C; just like C was boot strapped in machine code.

Re: Which language do you think is used to implement all those memory-safe languages?

No they aren't.

.NET has been written in C# for some years now.

Prior to that Delphi was written in Delphi from the start. (mentioned becuse it had the same creator as C#)

And Go is written in Go.

Re: Which language do you think is used to implement all those memory-safe languages?

Rust handles out-of-memory similar to C, an allocation function returns an Err Result. The code would then need to act accordingly.

Re: Which language do you think is used to implement all those memory-safe languages?

Rust is actually easier to write than C/C++ in a lot ways but it has a steep unlearning curve from C/C++.

I say unlearning because compiler doesn't care about a lot of things that the Rust compiler will punish you for until you stop doing them, e.g. abusing ownership rules, memory safety etc. The advantage however is that once you do learn the Rust way then a lot of the practices are transferable back into C/C++ to make code you write in those languages less unsafe than they were before. I say less unsafe, because the language is always going to be broken but some badness can be mitigated.

I say easier aside from the unlearning because the language is terse, the tools are simple to use, the compiler is friendly stuff like unit testing & package management is built into the tools, async programming is part of the language and code tends to be more portable thanks to a better standard library.

Re: Stop with the useless A better than B crap

If I had them, I would give you 10 thumbs up, as it is you get 2.

Re: Stop with the useless A better than B crap

That can be any language, be it, to name a few, C, C++, Rust, Java, Python, C# or Assembly.

But specifically excludes APL.

_{And probably that thing called "sappeur", which likely is even less mature than Rust, and except for one particular commentard, has never been heard of, much less used, in any commercial project, ever, anywhere.}

Re: Stop with the useless A better than B crap

Well said. Maybe if companies didn't contract out to the lowest bidder, or employ programmers for peanuts, they'd get the results they want without forcing programmers to wear inefficient buoyancy aids.

Re: Stop with the useless A better than B crap

I remember reading an article in a journal from the UK's IEE (now, IET), back in the days when the IEE really was a hotbed of engineering study and standards setting. The article was the results of a study and analysis of real safety critical systems in actual use. This was a very long time ago - early 1990s I think - and I'm afraid I can't remember the title or any reference, and it's pre-Internet.

The systems were mixed - air traffic control, nuclear reactor control, flight control, etc. All stuff that mattered. A variety of languages had been used - C, Ada, even Fortran I think. All had cost a large amount of money, and all had good operational reputation. The systems were studied for two categories - symantic errors per 1000 lines of code (ie.code that was compiled, but wrong against the specification), and operational errors per 1000 hours of operation.

They were all pretty good, but none were perfect. The interesting thing was that the very best was an air traffic control system, written by IBM, in C. The worst was some system written in Ada (I can't remember what it was).

The analysis considered this, and determined that for the IBM ATC system. IBM had rolled out its very best, most experienced A-Team developers, and the dangerous-chainsaw view of C was referenced (if you have a chainsaw with zero safety features, blatantly dangerous to use, you may very well take a lot of care in using it!). The Ada did less well, because they'd had a less experienced team. The IBM ATC system was (I think) also the most expensive...

Modern World

One of the challenges these days is getting anyone to do any coding in anything like a rigourous manner. For a lot of systems that get built these days, there's little expectation of producing a high quality result, and the end users have little faith in getting one. Bugs / system cruddiness has become far too "normal".

Re: Stop with the useless A better than B crap

This is nonsense. Just like technology programming languages have improved too. People have had new insights over the years and the result of this are languages like Java, C# and Rust, which build upon previous improvements like C (which was built on assembly language and the insight that high-level Systems Programming Languages could improve readability and portability).

I keep stressing that C is a Systems Programming Language which is erroneously being used as an Application Programming Language. Rust too makes the mistake that it wants to be memory-safe Systems Programming Language instead of an Application Programming Language.

Re: Why?

Can someone give me a summary of just what about Rust is causing the translation problems?

Effort. Which in turn requires time and resources to train staff and to translate/replicate existing code and potentially maintain duplicate, etc. And that has a significant cost attached to it that is often not granted as generally customers demand fast & cheap.

I'm not saying memory-safe is a bad goal, it is clearly very good, but sometimes it is going to be easier to slap an AppArmour profile around some existing code than to re-write in a safer language and then have to debug the new bugs, etc.

Re: Why?

Another problem is learning Rust in today's Rust community.

You ask noob questions because you're a noob, and you get told you're an idiot, instead of being pointed to a FAQ, documentation, or given helpful advice.

Or you ask "is this the right way to do it?" and the same thing happens.

I heard about Rust, went to the forums and saw that, and that's as far as it went.

Re: Why?

The issue is that to convert a C program to a "proper" Rust program you have to approach a lot of things in a different way. Rust is not simply C with different key words.

If you want an analogy, then if you've done much Python programming you have probably seen Python programs that were either directly translated from C or Java, or written by people familiar with C or Java and are just writing their Python program the same way they write a C or Java program. This is a well known phenomenon in Python and is immediately recognizable by people with experience with the language. The end result is something very verbose and slow because the Python language is being used in ways it was never meant to be in order to make it work like a different language.

With C and Rust, there have been multiple machine translation projects, including AI based, but the results have been very disappointing. You simply end up with a C program that is written in Rust rather than a "proper" Rust program, and you probably haven't made much if any use of the memory safety features which you were converting to Rust for. So why bother?

The answer would seem to come down to either completely replacing all existing C and C++ programs with ones written in other language (like that's ever going to happen), or else address the problem in a different way, one that nobody has really come up with yet.

Re: Why?

Rust is both incomplete and unstable.

There exactly one implementation, and there is no standard, or even specification - so there cannot be another implementation.

That doesn't mean it's bad. It means it is not ready.

There are some design decisions that mean it cannot replace C or C++.

1) It cannot replace C because it only supports static linking. All external interfaces are C.

2) Rust cannot ever replace C++, and trying is horrifically unsafe, because it has no inheritance. Anyone claiming you can do that does not understand either language - this was never a goal.

Given another decade, Rust may fix the stability and dynamic linking issues.

Given another decade, C++ will be provably safer than Rust.

Re: Why?

I think at this point a lot of C programmers have seen new programming languages come and go, and they view Rust as just the latest fad. No point in learning it when it'll be gone in another five or six years.

Re: Why?

> Can someone give me a summary of just what about Rust is causing the translation problems?

Data structures and ABIs. Rust has its own way of representing data structures and its own way of calling functions - it needs this as part of its borrow/checker stuff and possibly other reasons.

That means the cross-over between Rust and C/C++ is a pain as there has to be an unsafe conversion in both directions. And in some cases there are no easy conversions so the C function has to adapt and thus all the callers of that C function also have to adapt.

So if you are completely replacing a standalone C/C++ executable *and* all its dependencies at the same time, then no big deal. But, if you are replacing a single source module in a morass of C/C++ then it's much harder as you have to write unsafe Rust wrappers for every C/C++ function called and for every C function you replace. And you may have to adapt some C functions to suit Rust.

This is why Rust in Linux is so hard as essentially every source module in Linux calls many other C functions so replacing even a single source module with a Rust version requires writing a fleet of unsafe Rust wrappers and potentially modifying the C functions to be more amenable to Rust callers.

Even if someone goes to the trouble of writing a bunch of wrappers to, say, the networking stack in Linux, that's not the end of the job by a long-shot. Quite the opposite in fact.

The question arises as to who changes these Rust wrappers when the networking folk want to change their C interfaces? The networking folk argue they don't know Rust, so they can't do it, but if they push their change to the repo, suddenly the kernel build fails due to the now-incompatible Rust wrappers.

So do the networking folk just sit around and hope there is a Rust developer on hand to respond to their every whim? That's a pretty uncomfortable and risky dependency if you're trying to get your code out the door. Or are the networking folk expected to learn Rust so that they can spend time changing the wrappers? And it's not just the wrappers they'll have to change, they have to change the Rust code which calls the wrappers and the associated test programs. And if one of the Rust tests now fails, who debugs and fixes that?

Whichever way you look at it, the C developers end up with brittle dependencies, stalls in their work-flow, more work and possibly a whole other language to learn that they may not want to learn.

In an Open Source project that unwelcome burden is highly likely to disengage many C programmers, not a great strategy where engagement is already a problem. In an Enterprise environment, you can probably coerce your C/C++ programmers to learn enough rudimentary Rust to support the gun Rust programmers writing the cool stuff, but that is a pretty risky manoeuvre unless you are absolutely certain of the cost/benefits.

Which brings up the resource issue. Once you start down the Rust path, the end result is that ultimately you expect to be able to completely replace your C/C++ workforce with a Rust workforce and that 10 years down the road, when your code-base is predominantly converted, that Rust is still popular with the cool kids. If I were a CTO, I'd want to think long and hard about the implications, costs and risks of that little jaunt into the unknown.

Re: Why?

>Can someone give me a summary of just what about Rust is causing the translation problems?

I gather that one issue is that it won't let you get away with things that are commonly done in C/C++ but are actually quite dangerous. It think this can mean that there's a lot of re-work to do before the code is translatable.

“ Is the US government even helping to fund RedoxOS?”

Alternatively, there is Ada, which is notably omitted from the CISA’s list for no given reason (in the CISA reports).

Obviously, as you allude to, there is limited value in using memory safe languages unless the underlying OS is also memory safe; so not sure if there is a project for a Unix/Linux-like OS written in Ada.

Not saying Ada is better than Rust, just noting it has been around a long time and is required by some other branches of government.

Re: Stop with the useless A better than B crap

@Alain_Williams

Quote: "....Managers want programs produced in as short a time as possible and as cheaply as possible....."

Ah yes:

(1) Keep the PRODUCER COST as low as possible.....

(2) ...and export the problems (and the COST of those problems)...to the customer!!

Fantastic plan!! Keep up the good work!!

Re: Stop with the useless A better than B crap

As any engineer will tell any manager "Products can be had good, cheaply, safe, or soon. Now pick which two out of those four that you want because it is not possible to have all four."

Re: Stop with the useless A better than B crap

"if Microsoft had ensured that its products were properly tested someone else would have beaten them to market and they would not be where they are today"

Nope. M$ got to be where they are today by eliminating competitors who (might) beat them to the market. Sometimes they just assimilated the competition. For others, they abused their market dominance to put rivals like Netscape and Novell effectively out of business.

Testing (or not) had no bearing any of that. Which has always been the M$ way.

Re: Heh

Which is why the real way to improve safety is to continue improving the safety of existing languages.

That way, existing codebases can slowly transition to the "safe" subset, one function, one class, one subsystem at a time.

New languages are exciting and fun, but rewriting an entire something in a new language is almost always an incredibly bad idea. It's expensive, time consuming and absolutely certain to introduce errors.

Which also means writing a new application in a new language is very risky - if Rust gets replaced by Zig* next year, all your Rusty stuff needs rewriting...

_{*I have no idea how Zig compares to Rust}

Re: Heh

Try simply adding support for C++ modules to the toolchain.

That allows building Libs in C++ and linking them to C programs as desired.

Far less traumatic and "big bang" that way.

Oh hi Lottie Dexter, I always wondered what happened to you after the Year of Code.

(Search for the details if you can't remember them, in brief she was the figurehead for a government coding initiative who couldn't code and failed to appreciate what the term meant.)

Re: That's a lot of work for fixing only one class of security issues

Exactly! Can't see them mandating Intel et al to create "immune" processors.

LOL! My old boss STILL has 1990-era 4-cpu VAX-9000 machines (i.e. a 32-bit supercomputer!) in some of his Toronto, Chicago and New York banking sites that STILL runs financial code written in COBOL which STILL works great that is used as an interface to older IBM System-370 and AS/400 JCL-coded applications which have been running since the 1960's! It has taken 35+ Years to move some of those System 370 and AS/400 apps over to VMS COBOL and then to C++, then to JAVA and now to pure HTML-5 front end with Delphi Object Pascal custom-coded RDBMS-based GPU server-farm grid-processing back-ends that DO NOT USE ANY Oracle database technology! It's a completely GPU grid-processing-specific RDBMS using a 5th Generation Multi-Language Query Language so NO MORE SQL needed with a planned simultaneous user connection limit of 16 BILLION end-user initiated batch-jobs spread out over a planned 100,000 set of AMD GPU Server Cards (160,000 financial-trading and spreadsheet-calculation batch-jobs per GPU card with each job using 512 Kilobytes of VRAM)!

I would say probably there is about 15 MILLION LINES of COBOL code still running on the eight still-running multi-user VAX-9000 supercomputers which can STILL in the Year 2024 handle over 1000 simultaneous commodities trader users each on a VAX VMS Operating System back-end. It's considered MISSION-CRITICAL CODE which means it CANNOT be shut down for any reason and has been in CONTINUOUS operation 24/7/365 since 1990 (34 YEARS!). There is a 20 YEAR ongoing project to convert that 15,000,000 lines of mission-critical COBOL code to highly-abstracted Delphi Object Pascal back-end and a now pure HTML-5 front-end! It is expected to be finished by late 2028 with a full TWO YEARS of beta-testing so six more years to go until the 2030 Release Date with the same 50 well-experienced programmers assigned to the conversion job (i.e. 375,000 lines of code each to convert) since 2008!

What a code conversion job! I wish them well! I KNOW they will succeed but it is DEFINITELY a slog to do as each programmer has to convert and TEST at least 50 lines of code per day from Monday to Friday for 20 YEARS! That is a VERY AMBITIOUS PROJECT even when using semi-automated code conversion tools!

V

Re: Bandwagon a Bandwagon

Be sure to also ask AI to create a comprehensive test suite (with bindings for both languages) as well.

Then make it a requirement that both codebases pass the test suite.

Obligatory FORTRAN text here ….

Re: This gives us coders cover with front office people

They will still get the blame!

Re: The issue with rust

> ...rust is memory safe...

Rust is mostly memory-safe. But not entirely, of course.

Re: The issue with rust

That would be Java or C# then.

Re: The issue with rust

I agree. I love Rust but I hate the syntax which to me, in this world of almost universal C-like syntax languages, is different merely to be different.

Re: Perspective

A lot of older and embedded code just doesn't use dynamic memory so is inherently memory safe.

Unfortunately dynamic memory is a must if you're working with objects, there's just no other way to create instances of an object. Since everything has to be built around objects (regardless of whether this is architecturally appropriate for the application, the tools we use demand that its so) then all programs have to use dynamic memory with all the little gotchas and idiosyncrasies that come with it. I personally don't like using malloc pools in real time code for anything critical because you just can't determine when pool housekeeping operations are going to be performed unless you manage your use of memory as if it was a static resource.

Re: Perspective

I personally believe AI can help in porting those millions of lines of COBOL code to Java or C#. I hate the AI hype just a much as the next guy, but I really believe AI can help relieve some of the drudgery here and cutting down the lead times 2 orders of magnitudes.

Porting code is currently more or less manual work, which takes too long and is therefore prohibitively expensive. AI can make this feasible.

Re: The Smithsonian is doomed.

I down voted you because, while your post looks interesting, it was too painful to read. With run-on sentences and no paragraphs to organize a sequence of thoughts, I just couldn't get through reading it.

If you write code for a living, hopefully this is not how you write code. If it is, I pity the person having to code review or maintain your code. If you don't write code for a living, please don't start until you improve your organization of thoughts.

Sorry for the criticism if English is not your primary language, but your post is a good example of poor communication skills. Please take a little bit more time to put your thoughts in some kind of coherent form so the rest of us can understand your thoughts.

I am probably going to get flamed for this, big time, but it had to said.

The one for which "compilation" is basically syntax checking as you don't find out until run time what it's going to do - or not going to do ?

How do you know you can trust the cash the USG gives you isnt fake ?

Re: Safe C++

That's Safe C++. Let's not mix them up, C's sitting this one out.

Re: Safe C++

You're right !

Safe C++ will gain traction as this is on everyone's table right now. The effort of moving to Rust would me massive in all respects. Safe C++ will allow a gradual and this is important, in-place upgrade of existing code on a per module or even per section basis.

I also believe that C++ would have been a way better language for additional inclusion in the Linux kernel than Rust. It would have allowed a slow, rupture-free transition without api-bridges, drama and duplicated effort. Even the smallest C++ subset using only RAII with guaranteed destruction on scope-end would have been a huge benefit. No need to use exceptions, new/delete, templates or the STL. Heck, C doesn't even have references.

After a switch to a C++ compiler this new subset could have been introduced anywhere in the code, existing or new without having to have an api, separate tool-chain, etc. No drama, no hassle, immediate benefit.

So yes, i'm with you. Rust will be remembered as the language that inspired C++ to become safer.

Re: Safe C++

So far there is just a paper -- and statements from influential committee members that other venues should be checked first. It will probably be decades before this gets accepted, if at all. Thatv the author recently wrote that Safe C++ should be a vehicle to off-ramp code to rust and around use the rust standard library is probably not going to help I am afraid.

You are also unerlaubt the effort involved from going from unsafe to safe C++. It needs a new typ of references, new move semantics, an entire new standard library with new vector and option types and lots more (or straight out using the stabdard library from rust), and requires rearchitecting the entire codebase to be more like rustbthan C++.

There is also no Safe C proposal at all, this is all C++ only.

Re: Is Go really memory-safe?

Odds are that's happening at a C library boundary. Possibly intentionally.

Re: Don't forget about Coq

"Program verification with Coq should discover vulnerabilities even in C program."

Coq and similar verification systems can be used to prove absence of certain vulnerabilities, but it is not an entirely automatic process. In all but the simplest cases, it requires considerable manual work and even re-coding programs to be better behaved. And it often uses a lot of compute resources.

Part of the reason for this is that absence of vulnerabilities is an undecidable property it at least one program in the language in question can have vulnerabilities. For example, it any program can follow a pointer to freed memory, deciding if any given program can do this is undecidable. Sure, you can often show that programs do or do not have these, but doing it in general for all programs is not possible. And as programs increase in size, the probability that it escapes proof increases.

The only reasonable way to guarantee against specific vulnerabilities such as read-after-free is to ensure that they can never happen in any program. This requires new languages and not attempts to prove absence of vulnerabilities in programs written in languages that allow such vulnerabilities.

The only other alternative is to reduce the computational power of programming languages to make the properties decidable for all programs, i.e., using languages that are not Turing complete. And even then, decidability does not imply effective decidability. Deciding a property may take extremely long time, even if you are guaranteed to eventually get an answer.

Re: Temporary fix

"C and C++ were designed to be close to a machine model (single core, flat memory) that was outdated 20 years ago"

Outdated it might be if your concept of coding stretches no further than what's running on a desktop/server or similarly well-endowed piece of hardware. Outdated it most assuredly is not if your concept of coding includes the myriad of embedded systems and the equally extensive choice of single core flat memory model microcontrollers on which to base them...

Says who ?

Because nearly all the big AI tools have warnings about how they could be wrong...

Aren't C# and Java about as old now as C was when they were created?

Exactly

Most complaints about a language are mostly always about thats too much typing, because im too fucking lazy too type a ew extra words or lines.. but i will. happily type much more on social.

Re: A country

Nothing about Vlad ?

Linus literally writes and MAINTAINS the ENTIRE KERNEL of Linux itself! He is literally the MOST IMPORTANT PERSON in all of programming and OS development alive today! He ain't going ANYWHERE soon except through illness and/or death or forced-retirement!

A program failing completely on an illegal memory operation is still safer than one that continues to operate with a corrupted working set.

I've not looked into Rust too deeply but I believe that in general the design philosophy is to make such illegal accesses impossible in the first place (for example all "variables" are immutable unless you expressly tell the compiler otherwise, only one variable can "own" point to a given data point at a time so that double-frees should be difficult to cause, etc). I do know that it's possible to turn off memory safety when absolutely necessary, but if you do then you're back into the same situation you are with C-type languages and you're going to get no help from the language.

Of course it won't be 100% foolproof, and you can turn off memory safety features if necessary, but it probably will catch most of the errors that occur due to programmer mistakes and improper peer review of the code.

That is actually a serous question

So what exactly does it do in Rust, and how is that safe?

That is actually a serous question. What actually does happen?

* Does the whole program crash immediately?

* Does it throw an exception?

* Does it just block the access and blindly continue?

The answer to this is extremely important in a production system. And the impact of the resolution will cause an issue depending on the function of the actual package.

* Game

* Word processor

* Banking

* EFTPOS

* Retail POS

* Realtime - industrial process control

* Realtime - nuclear reactor

* Realtime - fire control platform

* etc

So will someone who know rust please indicate how it will respond?

Re: Retired C programmer and *nix admin

Lets be fair most programmers are lazy fuckers who write shitty code. The Rust and java runtimes are written by far more capable programmers who will do a better job.

Exactly.

Most people in all discipines are lazy fuckes who cant be trusted, programming and bugs are mostly caused by this basic fact.