[Info-vax] Rust as a HS language, was: Re: Quiet?

[Simon Clubley]

On 2022-04-06, Dan Cross <cross at spitfire.i.gajendra.net> wrote:
> In article <624d95fe$0$706$14726298 at news.sunsite.dk>,
> Arne Vajhøj  <arne at vajhoej.dk> wrote:
>>On 4/5/2022 2:05 PM, Simon Clubley wrote:
>>> It looks like Rust has come up with rather unique ways to screw up:
>>
>>I think you have a mysterious understanding of what is unique in
>>programming.
>>
>>(and this is not Rust as such but libraries written in Rust)
>
> Indeed.  I read that quip as a statement along the lines of,
> "tell me you don't know Rust without telling me that you don't
> know Rust."
>

Actually, both of you have missed the point.

My point is that this all-new all-singing programming language that
will save us all (according to its creators) is released with all
these new and unique features that make Rust better than anything
else out there for security (also according to its creators).

People then start using this language to create libraries and manage
to still write code that compromises these new safety features, hence
making the library unsafe, but unsafe in a way that is unique to Rust
because it manages to violate the guarantees that the language says
it gives you.

And before you say it, I know Rust is not unique in this and that is
exactly the point. Just as you have to do when writing code in other
programming languages, you still have to know what you are doing when
writing Rust code or you can still write code that has security issues
within it.

And my attitude-free serious point is this: Rust brings some new ideas
to the table and they are ideas that are worth exploring. But at the
end of the day, it's just another tool with some more features built in
that can help you write more secure code and make it harder for you
to screw up.

Unfortunately, listening to people pushing the general Rust hype, they
would have you believe that Rust is some super-language that will instantly
solve all your security problems, even in code written by novices, if you
just start writing code in it and manage to get your code to compile.

That's not true and it's not true for any language that we have created.
It's just that there are some languages out there that make it a _lot_
harder to screw up in than in other languages and for which you can write
much safer (NOTE: much safer, _not_ safe) code more easily.

But you can still screw up even in those languages if you try hard enough
and if you don't really know what you are doing and that applies to all
languages we have ever created including both Ada and Rust.

Simon.

-- 
Simon Clubley, clubley at remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.