As much as I like Rust, I'm rather skeeved by (the USA) government's sudden interest in "memory safety" and "open source security" and all that. Yes, we need to fix The Infrastructure(tm). But why did it take 1) having a systems-level memory safe language, 2) for the realization that shit can be pwned if it's not memory safe, 3) while never really doing the "taxes should fund free software infrastructure" bit in the past? We have had free C infra for 30 years. Why until now, top-down?
in reply to Federico Mena Quintero

partially just bad timing; they really didn’t have anyone who could wrap their head around the whole system (and its risks) until recently. And then, yeah, once you look at it from the perspective of 202x, “solve it all with Rust” looks really tempting.
in reply to Federico Mena Quintero

There were older safe languages though weren't there? The difference with Rust is that it's still usable as a systems language. I guess there's been funding for lots of safety things over the years; like formal proofs and the type of restricted C standards. But in the end it's perhaps easier for them to promote something that people already like rather than trying to drive something new?
in reply to Federico Mena Quintero

depending on what the US government is looking to do, having a mandate for memory safe languages for tax funded work is not unprecedented. The DoD had the Ada mandate in the 90s.

Dare I ask, what is the US government looking to regulate more specifically?

in reply to aeva

@aeva No idea on specific regulations; I'm just watching news go by along the lines of "it's really important to do memory safety now", "open source infrastructure security bla bla bla" - as if they were Very Important Sudden Problems that couldn't possibly have been addressed before, say, by paying people to maintain free software infrastructure.

I guess this is me saying that I agree with https://steveklabnik.com/writing/memory-safety-is-a-red-herring completely.

in reply to Federico Mena Quintero

@aeva Perhaps someone in charge saw companies like Microsoft talking about the importance of memory safety and adopting Rust. And when they asked their security experts, they agreed.
in reply to Federico Mena Quintero

ah ok. The blog post says there's bills in the US and the EU to establish for defense purchasing. I assume that's what people are buzzing about? That sounds much less strict than what the Ada mandate was.
in reply to aeva

I think it would be really funny if the outcome here was a very rapidly standardized Safety Critical C++ subset (with a "#pragma unsafe" to reenable everything else, because why not? rust has it) and nothing changing
in reply to Federico Mena Quintero

@aeva when all you have is a void* then everything looks lik
Segmentation fault
in reply to Federico Mena Quintero

It's because they're getting ransomwared, that's why it's "now" people care. Just happens to correlate to a time when memory safety is growing in importance.