This thread devolved into a debate over C versus Rust or other memory-safe languages.
1. Blaming the language instead of the programmer will not lead to improved program quality.
2. C will always be available as a user's language. Users will still be write programs in C for their own personal use that are smaller and faster than ones written in memory-safe. languages
3. Those in the future who are practiced in C will have a siginificant advantange in being able to leverage an enormous body of legacy code, of which a ton is written in C. Programmers in the future who are schooled only in memory-safety languages may not be able to approach C as a learning resource, and may in fact be taught to fear it.
There is a tremendous amount of C code that DOES NOT contain buffer overflows or use-after-free errors. It is amazing how easily that work is ignored in these debates. Find me a buffer overflow or use-after-free in one of djb's programs.
> 1. Blaming the language instead of the programmer will not lead to improved program quality.
I disagree. Blaming the language is critically important. Tony Hoare (holds a turing aware, is a genius) puts it well.
> a programming language designer should be responsible for the mistakes that are made by the programmers
using the language.
[...]
> It's very easy to persuade the customers of your language that everything that goes wrong is their fault and not yours. I rejected that...
[0]
> Users will still be write programs in C for their own personal use that are smaller and faster than ones written in memory-safe. languages
Users will always write C. No they won't always be smaller and faster.
> 3. Those in the future who are practiced in C will have a siginificant advantange in being able to leverage an enormous body of legacy code
Much to society's loss, I'm sure.
> and may in fact be taught to fear it
Cool. Same way we teach people to not roll their own crypto. This is a good thing. Please be more afraid.
> There is a tremendous amount of C code that DOES NOT contain buffer overflows or use-after-free errors.
No one cares. Not only is that not provably the case, nor is it likely the case, but it's also irrelevant when I'm typing on a computer with a C kernel, numerous C libraries, in a C++ browser, or texting someone via a C++ app that has to parse arbitrary text, emojis, videos, etc.
> Find me a buffer overflow or use-after-free in one of djb's programs.
No, that's a stupid waste of my time. Thankfully, others seem more willing to do so[1] - I hate to even entertain such an arbitrary, fallacious benchmark, but it's funny so I'll do it just this once.
Guess who is "rolling your crypto" for you. The same guy who is the subject of your "fallacious benchmark". He writes in C. The problem with software is not the languages (seems a new one is created every month), it is a lack of competence in using them. (Over)Confidence is very commmon, competence not so much. I am thankful that Dennis Ritchie created C; I appreciated his humility and I do not blame him for others' mistakes.
It's not a lack of competence because evidence shows that even the most competent C programmers can't write C without security issues - literally every nontrivial security-relevant product that has been written by great C programmers has had them, their competence apparently was not sufficient. I'd argue that nobody, including Dennis Ritchie, is "competent enough" to write secure C - even the best people slip sometimes in ways that (in C!) cause exploitable holes.
"The same guy who is the subject of your fallacious benchmark. He writes in C" and that crypto code, which we used was more secure than rolling our own, but it still is riddled with security bugs because he writes in C (e.g. Heartbleed) - and despite the fact that those particular bugs have been fixed, that code still isn't trustworthy enough just because it's written in C, likely has more issues undetected and needs to be rewritten and replaced eventually with some not-C solution that can remove a whole class of bugs accidentally causing arbitrary code execution. Sure, you'll still have logic bugs - but a logic bug in iMessage image parsing has much lower consequences than a memory safety issue in that same image parsing.
I think you are misattributing the source of Heartbleed. Can you point out the security issues in NaCl. It is written in C. According to this "no one can write C" logic, there must be bugs because "no one can write C". https://nacl.cace-project.eu/
The other bizarre aspect of this logic is that not only is the author of the code irrelevant but apparently the task is, too. It would appear to apply to, e.g., even the most simple programs. The only factor that matters is "written in C". I use sed every day. It's written in C. Show me the bugs. I will probably be dead before someone finds them. Will I be using a "memory-safe" sed before then.
OK, but I didn't say that no one can write C without bugs. I said that blaming languages is good, that we'll all lose due to people continuing to use C, that C programs aren't inherently smaller and faster than other languages, and that people should treat writing C as they would treat writing crypto.
To clarify, I know you may not have said "no one can" but plenty of other HN commenters are saying exactly that on a regular basis. Thank you for refraining from repeating this absurd hyperbole.
C programs are not inherently smaller and faster but in practice this is usually the case. Can you guide me to some Rust programs that are smaller than their C counterparts. The thing that holds me back from experimenting more with Rust is the (apparently) enormous size of the development environment relative to a GCC toolchain.
The number of downlaods from crates.io is questionably large and some of the binaries I have produced were absolutely gigantic. Largest executables I have ever compiled. Crazy.
We do not "lose" if people keep writing in C as long as its the right people. The right programmer for the job. All programmers are not created equal no matter what languages they use. Absent professional certifications and enforceable quality standards, perhaps the world of writing software for use by others needs an ethos something along the lines of "code within your means". Memory-safe languages are great but it seems like they just enable people to become far too ambitious in what they think they can take on. This is no problem at all unless and until they start marketing their grand creation to undiscerning users who are none the wiser. (This is of course the general idea behind the "dont roll your own" meme. However, I do not think it should be limited to cryptography.)
> Thank you for refraining from repeating this absurd hyperbole.
To be fair, I wouldn't quite label it as "absurd", though it is hyperbole. With near-extreme levels of discipline you can write very solid C code - this involves having ~100% MCDC coverage, using sanitizers, static analysis tools, and likely outright banning a few functions. It's doable, especially if your project doesn't have to move fast or has extreme requirements (spaceships).
> Can you guide me to some Rust programs that are smaller than their C counterparts.
Rust has a big standardlib compared to C++ so by default you end up with a lot of "Extra" stuff that helps deal witht hings like unicode, etc. If you drop std and dynamically link your libraries you can drop a lot of space and get down to C levels.
> is the (apparently) enormous size of the development environment relative to a GCC toolchain.
I can't really relate to this. I have a 1TB SSD, 32GB of ram, and an 8 core CPU. My rust build tools are a single command to install and I don't know or care how much space they take up. If you do, I don't really know why, but sure that's a difference maybe.
> All programmers are not created equal no matter what languages they use
While this is true, it doesn't matter practically.
1. We can't restrict who writes C, so even if programmer skill was the kicker, it isn't enforceable.
2. There are lots of projects that invest absolutely incredible amounts of time and money, cutting edge research, into writing safe low level code. Billions are spent on this. And the problem persists. Very very few projects seem to be able to achieve "actually looks safe" C code.
> Memory-safe languages are great but it seems like they just enable people to become far too ambitious in what they think they can take on.
I don't really see how Rust is any different from Python, Java, or anything else in that regard.
If you cannot write safe C and you need memory-safety, why not just use Ada.
Restricting who can write C is another "extreme" idea in line with "no one can write secure C". I will not call it hyperbole but I think its absurd.
What we can do is be more cognizant of who is writing the software we use. (For example, I use software written in C by Robert Dewar, co-founder of AdaCore, called spitbol. A big part of why I use it is because of who wrote it, the code itself and its history.)
Not caring how much space something occupies is not something to which I can relate. I always care. I do not have unconstrained computers. Each has a finite amount of resources and I try to use them in a controlled and efficient manner. That means avoiding lots of large, amorphous software programmers use without question. For me, this works quite well.
Intentionally ignoring who writes the software I use does not make sense to me either. I think in a previous comment you mentioned Heartbleed. It seems that countless people using OpenSSL were relying on it heavily without ever bothering to investigate anything about its source. That to me was strange. We read comments from people who were "shocked" to find out who was managing the project. Total lack of curiosity. They never bothered to look. Not a great recipe for learning.
1. Blaming the language instead of the programmer will not lead to improved program quality.
2. C will always be available as a user's language. Users will still be write programs in C for their own personal use that are smaller and faster than ones written in memory-safe. languages
3. Those in the future who are practiced in C will have a siginificant advantange in being able to leverage an enormous body of legacy code, of which a ton is written in C. Programmers in the future who are schooled only in memory-safety languages may not be able to approach C as a learning resource, and may in fact be taught to fear it.
There is a tremendous amount of C code that DOES NOT contain buffer overflows or use-after-free errors. It is amazing how easily that work is ignored in these debates. Find me a buffer overflow or use-after-free in one of djb's programs.