[GTALUG] A find alternative: fselect

David Mason dmason at ryerson.ca
Fri Jun 14 10:34:07 EDT 2019


On Jun 14, 2019, 1:03 AM -0400, Dhaval Giani <dhaval.giani at gmail.com>, wrote:
> > HOWEVER, since Rust code is intrinsically much, much safer than C code, stability of API is much more legitimate a characterizer of the version that you want than bug-fixes (and bug-fixes are almost never security/safety related).
>
> Please please please. Bug fixes, specifically the ones that get
> shipped fairly quickly, are almost always security related. Security
> bugs are just a class of bugs.

I was unclear. I completely agree that in the C/Assembly world, bug-fixes are almost always security related. In the Rust world, security bugs are very hard to create (not impossible, but hard), so most *Rust* bug-fixes are bugs for sure, but not security bugs.

> Also, till I see some way of formally verifying, that rust code is
> safe enough that security issues are not possible, remind me to be
> quite sceptical of the claim that Rust code is secure. In the last two
> years, we have seen classes of bugs believed to be impossible.

Even formal proofs of software correctness would not have caught some of those bugs, and the complexity of the hardware and software involved in those bugs arguably make formal proof impossible. So we all work in the realm of probabilities. I’d just like to improve my odds.

> I will accept your claim that in the hands of an average programmer,
> Rust is probably safer, but we have enough experience with C/Assembly,
> that I am going to claim that with someone experienced, they can
> create as secure/safe programs in C, as experienced folks in Rust.

With 45+ years of programming, dozens of programming languages and several hundred thousand lines of code under my belt, I don’t think I’m an average programmer (but then nobody thinks they’re average - the Lake Wobegon effect https://80000hours.org/2012/11/do-you-think-you-re-better-than-average/ - in one study 93% of American drivers thought they were better than average). I have rarely written code that has security bugs in it, but I very much appreciate the fact that the Rust compiler has my back.

What I really appreciate with Rust is that I get better zero-cost abstractions than I would with C++, but with vastly greater safety (and of course, C has essentially no useful abstractions except functions). Those abstractions mean I have a deeper understanding of my code and therefore am less likely to create bugs, and I’m more productive. And even with the abstractions, Rust produces as good code (within fuzz) as C. https://www.apriorit.com/dev-blog/520-rust-vs-c-comparison has a good comparison.

So why would an experienced programmer use C instead of a language that has so much more? Efficiency? A non-argument. Machismo/bragging-rights? Go for it. Laziness? Understandable, but very short-term. Access to the lowest level of code? Rust does that with “unsafe” code sections that are identifiable with tools as low-level as grep. As the second link points out, there are tools that can do *some* of Rust’s safety analysis for C++ (none for C), but why wouldn’t you want that part of every compile?

I’m not sure this thread is worth my contributing to, as there are so many people that know better, but I am doing so because both as a programming-language professor and researcher, and as a consumer of technology, I would like it if more programmers used better and safer tools, going forward! Go-lang is cool, but its abstractions aren’t all zero-cost. So for me, Rust and Smalltalk are the sweet-spots.

../Dave
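As an added example (not from this thread or its author), a Rust sketch of two points made above: a safe wrapper that confines raw-pointer access to a single `unsafe` block behind a bounds check, and a naive scan that lists the source lines containing the `unsafe` keyword, the same audit a `grep -n unsafe` gives. The scanned source sample is constructed, and `sum_window`, `unsafe_lines` and `SAMPLE_SRC` are assumed names.

```rust
/// Sum of `buf[start..start + len]` computed through raw pointer reads.
/// The one `unsafe` block lives here; the bounds check in front of it is
/// the invariant that makes the block sound, and callers cannot skip it.
pub fn sum_window(buf: &[u32], start: usize, len: usize) -> Option<u64> {
    let end = start.checked_add(len)?; // overflow is a None, not a wrap
    if end > buf.len() {
        return None; // in C the equivalent loop would silently over-read
    }
    let base = buf.as_ptr();
    let mut total = 0u64;
    for i in start..end {
        // SAFETY: start..end was checked against buf.len() above, so every
        // pointer formed here stays inside the slice's initialized memory.
        let v: u32 = unsafe { *base.add(i) };
        total += u64::from(v);
    }
    Some(total)
}

/// 1-based line numbers of every line containing `unsafe` as a whole word.
/// This is a keyword scan, not a parser, so like grep it also reports the
/// word inside comments; it does skip identifiers such as `unsafe_count`.
pub fn unsafe_lines(src: &str) -> Vec<usize> {
    src.lines()
        .enumerate()
        .filter(|(_, line)| {
            line.split(|c: char| !c.is_alphanumeric() && c != '_')
                .any(|tok| tok == "unsafe")
        })
        .map(|(i, _)| i + 1)
        .collect()
}

/// Constructed sample source: only line 2 contains the keyword.
pub const SAMPLE_SRC: &str = "fn a() {}\n\
fn b(p: *const u8) -> u8 { unsafe { *p } }\n\
let unsafe_count = 0; // an identifier, not the keyword\n";

fn main() {
    let data = [1u32, 2, 3, 4, 5];
    println!("{:?}", sum_window(&data, 1, 3)); // Some(9)
    println!("{:?}", sum_window(&data, 3, 3)); // None: 3 + 3 exceeds len 5
    println!("unsafe on lines {:?}", unsafe_lines(SAMPLE_SRC)); // [2]
}
```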