Realistically the only improvement to the spec is changing fs races from undefin...

aw1621107 · 2024-03-13T02:50:54 1710298254

> Unspecified behaviour would require the standard to give a set of possible outcomes

I don't think there is a requirement that the possible unspecified behaviors are enumerated. The current C++ draft [0] states possible behaviors are "usually" enumerated, but "usually" is not "always", and there's no explicit direction that those behaviors are the only allowable options.

There's also the definition from the C89 spec which doesn't even have that language, only stating that the standard imposes no requirements on the unspecified behavior [1].

[0]: https://eel.is/c++draft/intro.defs#defns.unspecified

[1]: http://port70.net/%7Ensz/c/c89/c89-draft.html#1.6

kllrnohj · 2024-03-12T22:43:15 1710283395

Or put another way, find a language, any language, that defines all possible scenarios of a file system race condition in a multi threading & multi process system. It's not possible to do such a thing, and of course nobody does. They just avoid using the term "undefined behavior" even though it absolutely is.

Which makes this whole thread absolutely absurd. It's the worst possible example of Rust vs. C++ CVE as the language doesn't get an opinion here at all in the first place

nindalf · 2024-03-13T12:08:58 1710331738

No, it's an excellent example.

Rust issued a CVE, an immediate point release with a fix for the issue and a blog post explaining the problem and what they did.

2 C++ implementations fixed the issue, but no CVE or blog post. No point release either AFAIK.

You harp on the fact that this is undefined in all languages. Yeah sure. But some languages take the report seriously and communicate that to their users. They don't hide behind "spec says UB" or "it's the file system's fault". They take accountability and fix it. Other languages don't because that's the prevailing culture there.

That's what you're missing when you're trying to make it seem like there's no difference between Rust and C++. There's a vast difference in how each community takes security. That's why its meaningless to compare the number of CVEs in both languages. Even if C++ reduced the number of CVEs by 90% it still would not be as secure as Rust because 1 C++ CVE is not the same as 1 Rust CVE.

kllrnohj · 2024-03-13T15:13:37 1710342817

You're moving the goalposts so fast you could be competing with C++ for prioritizing performance over soundness.

Reminder that your original claim was:

> The problem definitely exists in C++, but it's not acknowledged as a problem, let alone fixed.

Now it's degraded to just "but there wasn't a CVE or blog post!" which isn't even that relevant to the broader argument of Herb's that all the language guarantees don't prevent logic bugs (hence how Rust was able to have this CVE in the first place). There's a point of "good enough" for the language itself.

Nobody is making any argument that CVE count is the best or optimal metric for anything

nindalf · 2024-03-14T13:32:43 1710423163

I didn't move the goalposts. I was going off my recollection at the time, which was a discussion around the Rust blog post and CVE. Here's a comment from me a day ago saying "I stand corrected" (https://news.ycombinator.com/item?id=39680754).

> Nobody is making any argument that CVE count is the best or optimal metric for anything

Except, you know, Herb Sutter in the article we're supposedly discussing. He's arguing that it's possible to compare Rust and C++ CVEs and that C++ would be just as good as Rust if the CVE counts were similar. If you took the trouble of addressing the substance of my comment that Rust and C++ CVEs aren't comparable, rather than exulting in being technically correct because you found a mistake, you would have realised that.

You're welcome to assume bad faith of me, but that was the substance of my comment. I'm sorry I didn't keep in touch with every commit made to C++ compiler repos and I spoke out of turn. But I never moved the goalposts - those were always fixed on the issue that comparing CVEs between a language that takes security seriously and one that doesn't is a dumb idea.

kllrnohj · 2024-03-14T17:07:57 1710436077

> Except, you know, Herb Sutter in the article we're supposedly discussing

"Saying the quiet part out loud: CVEs are known to be an imprecise metric. We use it because it’s the metric we have, at least for security vulnerabilities, but we should use it with care. This may surprise you, as it did me, because we hear a lot about CVEs. But whenever I’ve suggested improvements for C++ and measuring “success” via a reduction in CVEs (including in this essay), security experts insist to me that CVEs aren’t a great metric to use… including the same experts who had previously quoted the 70% CVE number to me. "

-Herb Sutter

That's from the article we're discussing and you knew that because you also acknowledged that:

> The author concedes that CVEs are not a good metric to measure by, but implies that maybe C and C++ have too many CVEs that shouldn't actually be CVEs and that the C++ community should take more control of CVEs being filed. This is ominous, and makes me fear we might start to see fewer C and C++ CVEs because issues will be closed as "intended behaviour" or "won't fix", like the filesystem issue above.

So you know that Herb isn't arguing that CVEs are ideal. You instead took a wrong baseline assumption (that C++ didn't care about the FS issue) and turned it into some weird claim that the result will just be the C++ community refusing to fix or acknowledge CVEs in order to drive the count down.

You're arguing two conflicting ideas:

Point 1: C++ is bad because there's no one ensuring CVEs & blog posts are filed for issues

Point 2: C++ is bad because a central CVE would just let them hide the issues they're desperate to hide

Despite your only evidence for either of these being something you made up entirely, as you eventually reluctantly admitted.

nindalf · 2024-03-14T17:31:52 1710437512

Those points aren't contradictory. C++ is actually so terrible that

1. They're underreporting CVEs as of today. You acknowledge that a CVE should have been filed for the FS issue but it wasn't. I say it wasn't because the community has a cavalier attitude towards security and they didn't think it was worthy of a CVE. Nothing you've said contradicts this

2. Herb Sutter argues that there should be more control over what CVEs are filed because he's not happy with the ones being filed today, which may merely be bugs and not vulnerabilities. This may make the situation worse, with even fewer CVEs being filed. That's juking the stats.

Herb does acknowledge that CVEs aren't ideal, but the entire article is based on getting the number of CVEs in C++ down to a level comparable with Rust. He wouldn't have set that as a goal if he truly thought CVEs were meaningless.

By the way, I'm still waiting on the link for the fix in MSVC. Or did you give up on it because you saw steveklabnik's comment where he links to an MSVC maintainer saying there's no point fixing it in MSVC without changing the spec? (https://old.reddit.com/r/cpp/comments/151cnlc/a_safety_cultu...).

> something you made up entirely, as you eventually reluctantly admitted

I didn't make up anything, nor did I admit anything. My information was outdated, and I said I was wrong. You're accusing me of lying when I didn't, which make it hard to interact with you.

I say only this. Don't harp on a mistake I made and admitted to, and instead address the substance of what I said.

1. CVEs between languages aren't comparable (you don't dispute this).

2. C++ community should have filed CVEs for this issue but didn't (you don't dispute this).

3. The lack of CVEs indicates that they have a much lower standard for security.