1. 41
  1. 33

    I think that’s missing the point I was trying to make. Even if 75% of them happened due to us using C, that fact alone would still not be a strong enough reason for me to reconsider our language of choice (at this point in time).

    Ironically this is missing the point that memory safety advocates are trying to make. The response the post got is less about Stenberg’s refusal to switch languages (did anyone actually expect him to rewrite?), and more about how he is downplaying the severity of vulnerabilities and propagating the harmful “we don’t need memory safety, we have Coverity™” meme.

    curl is currently one of the most distributed and most widely used software components in the universe, be it open or proprietary and there are easily way over three billion instances of it running in appliances, servers, computers and devices across the globe. Right now. In your phone. In your car. In your TV. In your computer. Etc.

    So in other words, any security vulnerabilities that affect curl will have wide impact. How does this support his argument?

    1. 12

      (did anyone actually expect him to rewrite?)

      I don’t think rewriting in a safe language would be the problem. I have ported a couple of 50k-line codebases, between objc, java, and cpp, and the rewrite wasn’t the hard part. It’s the tooling. Even using supported languages it’s a ton of work to get the build systems to work well. Good luck getting your newish but safe language code base playing nice with the build systems for the big three platforms, consistently, fast, and with good developer support for e.g. debugging and logging and build variants.

      cURL isn’t popular because it’s written in C, per se, it’s popular because it runs freaking everywhere and very nearly just works.

      I think if you want safe language adoption you should go to the people that are choosing to use cURL and talk to them, and work on their barriers to adoption. cURL is C.

      1. 3

        He has the benefit of being able to promote the virtues of a working and widely used program versus some vaporware.

        1. 14

          I’m having trouble understanding what you’re trying to say. He has a popular project, ok, and?

          1. 7

            I think he’s saying the project owner would say the good they’ve done outweighs the bad. That’s the impression I got from OP.

            1. 7

              What he’s saying is we’re comparing a tangible C program to a Rust program that does not exist. Faults of C notwithstanding, vaporware has all the attributes of the best software—except for that existence problem.

              1. 5

                Nah, if that’s all he wanted to say he wouldn’t have made such a big fuss about how popular his software is. He shoehorned that paragraph in there in an attempt to lend credibility to his arguments. Later he tries this again by implying that his detractors don’t code, or something:

                Those who can tell us with confidence how to run our project but who don’t actually show us any code.

                All of that is bunk. If maintaining a popular piece of software implied security expertise then PHP’s magic quotes would have never seen the light of day.

                1. 1

                  I’m explaining Victor’s comment, not the OP. You lost the plot.

              2. 2

                Obviously, he knows what’s best, and knows everything, duh. /satire

          2. 21

            The Curl project should continue using C. I hope curl is still alive and healthy in 10 years.

            However, I also hope that an alternative to curl written in a safe language will appear and be more popular than curl in 10 years.

            Ok, we actually have to distinguish a little here. There should be something more popular than curl the command line utility in 10 years. For curl the library, it is just as fine if every memory safe language has its own library and all together they are more popular than curl.

            1. 14

              I’m kinda surprised by this post because I don’t recall anyone really suggesting he rewrite the project in language X (or “you should have written it in X in the first place”, which is also a point he refutes). There may have been such comments, but they either would be rare/downvoted or on venues which I didn’t really look at. The reddit and HN discussions, and the discussions on Tony’s followup post, seemed to gravitate towards just being annoyed that memory safety was not being taken seriously.

              This post still doesn’t take memory safety seriously, with comments like “Using another language would’ve caused at least some problems due to that language,” that attempt to erase the huge gap of problems caused by C vis a vis other languages. The original post had this same fault, classifying everything as “logic bugs” (everything is a logic bug, but the question is if the language can (a) protect you from making that bug, and (b) stop letting that bug RCE your box or leak your RAM to the internets.).

              1. 10

                If we then have had 40, 50 or even 60 security problems because of us using C, throughout our 19 years of history, it really isn’t a whole lot given the scale and time we’re talking about here.

                Time seems like kind of an odd measure. Is it ok if echo has 60 CVEs when it’s been around for 50 years?

                1. 2

                  It would only be useful with a comparison point. We would look at a FOSS project of similar or greater complexity that’s considered security-focused to see how many CVEs were found or exploitable. We have quite a few out there to consider that were around a long time. I doubt they’ll have 60+ CVEs.

                2. 7

                  I’m starting to wonder how difficult it would be to approximate how curl is used around the world.

                  curl clearly has a lot of functionality baked in which would take a lot of development to duplicate, but if it turns out 95% of use cases simply dump an HTTP served file to disk, perhaps another tool can be written in the likes of Go or Rust which could meet most of the use cases fairly quickly.

                  Edit: Found this - curl-to-go

                  1. 2

                    Oh, that’s really neat to see. One of my investigations a while back was conversion of shell scripts that stuck around for significant time to an HLL with lots of automated verification. A series of them that would’ve been piped can get faster or secure IPC w/out manual work. It gets compiled into native code for a speed boost, too. Scheme was along those lines. One or two of the examples on this site is about how I visualized the comparison part looking minus security or formal stuff.

                    Also, good to have an efficient, safer implementation of key functionality in Curl. Such things are good projects by themselves.

                    1. 1

                      Good find!

                    2. 5

                      I think he does miss one point though….

                      C forces you to carve an awful lot of infrastructure by hand.

                      Even C++, which is a lot better, is awful. I mean, there isn’t even a standard, out of the box URI class.

                      Ruby on the other hand comes with batteries included… and yes, there have been CVEs by the score in the ruby libraries over the years…. but that is because people have been looking and care and fix them.

                      If I were to write any of those classes by hand I would create my own supply of CVEs!

                      1. 8

                        This whole “controversy” is dumb, IMO.

                        People who don’t like that curl is written in C don’t have to use it.

                        It’s a waste of everybody’s time to sit around making demands on somebody else’s project. If C is so unsafe and terrible, then go off and write your own in something else.

                        If it’s not so dangerous that you won’t stop using it then stop complaining.

                        1. 6

                          On the contrary, I do have to use it. As the article proudly says, it’s embedded in millions of programs and devices. So I’m using curl whether I like it or not, and whether I even know about it or not. Just like when I connect to a website I don’t get a choice of whether I want to use OpenSSL or not.

                          One valid point the complaints are making (alongside some silly and invalid points) is that the software ecosystem is so messed up that both of these can be true: that C is the only reasonable language to write something like curl in, and that using C guarantees the resulting code will have a bunch of dangerous errors as long as it’s written by humans.

                        2. 6

                          The author is making two points worth countering. First is the myth that C was the only choice at the time. Ada and Wirth’s languages existed that stop lots of CVEs. You could also get a safe-lang-to-C-lang compiler for at least two. Podesta actually wrote CVSup in Modula-3 just a year before curl’s release. So, enough bullshit about availability.

                          Other one is what I sense to be the main argument: the wide deployment justifies whatever decisions they made. The library, if free and high quality, would probably have gotten plenty of uptake. The compiler-generated source in C probably a lot less. Bragging on execution is fine so long as the author is honest that they just didn’t care about security as much as other priorities. Now, their choice of language or development methods combine with a large userbase to amplify the damage done. Mitigating C’s risks somehow is more justified now than in the past.

                          1. 11

                            The Modula-3 decision for cvsup then became this enormous albatross around the project. FreeBSD went so far as to write a minimal m3 implementation only capable of running that one program, but still not enough to save it. So with hindsight, I wouldn’t claim that Modula-3 was the better choice.

                            1. 2

                              Thanks both of you for sending me on a trip down memory lane!

                              The limited compiler only for compiling CVSup was ezm3:

                              John Polstra was the name of the guy who wrote CVSup.

                              1. 1

                                I was thinking about that as I wrote the comment. It’s why I only focused on generated C source instead of Modula source. You will get less contributions and integrations if you use an unusual language. The safest or most powerful languages also get the least.

                                Small ecosystems have formed for them on occasion that started with a company or a handful of people pitching in. That’s happened with BASIC’s and Pascal’s.

                            2. 4

                              I remember asking someone if he used OCaml for an ultra-high-reliability system (with hard deadlines) that he was building, and he said that he preferred to use C, proven when possible. If you use OCaml, you may be less likely to have errors in user code (or, it is more likely to say that some very-low user error rate deemed acceptable is achieved more quickly in C than in OCaml) but you’re also sitting on top of a very good but complex runtime. Often, they don’t even like to use dynamic memory management, and malloc/free is a much simpler runtime than what OCaml or Haskell provides.

                              I think that functional languages are very good when you need regular high reliability (e.g. six 9s, not “never goes down”) and your time budget supports a merely-long thorough project, but when you need near-absolute reliability and have an almost unlimited time/resource budget, proven C (or, at least, C that has been checked and discussed and viewed by many pairs of eyes, as I’m not aware of formally-proven numerical algos being a thing beyond trivial cases) still wins.

                              1. 8

                                I’m not sure about your analysis on the functional side for most high-integrity niches. The C one is right but incomplete. The proof is that the vast majority of safety-critical products are done in the C language. A niche of them are done in Ada and embedded Java for more safety or maintainability.

                                The C preference comes from a combo of available talent, available compilers, tons of tools for verifying C in various ways, and standardized subsets of C like MISRA that work well with top tools. So, it’s actually easy to eliminate almost all coding errors with the amount of talent and tooling they put into those products. Most failures are bad specs or requirements.

                                Still haven’t learned functional programming but follow what its practitioners say. OCaml and Haskell are popular in non-real-time apps for easily boosting QA & maintainability. In high-assurance, they’re great for verified, reference implementations since they work well with provers. What seems lacking is predictability of execution patterns (eg real-time), simple/zero runtimes like C/Ada/RT-Java, easy manipulation of bits, easy interrupt handling, tooling for analysis/testing like C/Ada, great IDEs, or certifying compilers. I’ve seen pieces of each in various work but most of this needs to get integrated before they’ll get used widely in high-assurance or do six 9s in real-world situations.

                                Erlang is closest to goal given its capabilities plus successful deployments in real-time, high-integrity applications.

                                1. 6

                                  On this topic, I found this video very interesting. It is a talk given by Gerard Holzmann, head of the Lab for Reliable Software at JPL, author of the Spin model checker, and head of the team that wrote the software for the Curiosity Mars rover. The talk addresses how they wrote it, with particular emphasis on automated checking and static analysis to help them with code reviews, and he touches on the ‘why C?’ question:

                                  1. 4

                                    That was a nice vid. The part that jumped out at me, aside from the picture at the end, was the triaging of bugs when they were getting overloaded. That was fine. Then he said when there were hardly any due to the team doing a great job he would turn a knob to hit them with more. This was to keep them from getting too comfortable. It came off as both wise precaution and a cruel reward for progress. ;)

                              2. 2

                                Daniel Stenberg’s posts lately keep reminding me of these few lines from n-gate.com:

                                You know what’s cool? Running on billions of devices curl from A to Z

                                Daniel Stenberg is here to tell you how important curl is, because telling people how important curl is happens to be his full-time job.

                                1. 24

                                  That’s about the shittiest comment to have and to promote.

                                  It undermines the credibility on the authority on the subject curl by stating their position as a paid employee.

                                  Why does making a living with your FOSS project have a stigma, while other projects struggle with funding?

                                  Seriously, thinking like this is the reason why I strongly err towards keeping my work in cycles where money is not a problem.

                                  1. 12

                                    Thank you.

                                    A lot of FOSS is folks doing unpaid work, which has somewhat transformed into a badge of honor these days. Which is I guess okay; I like to talk about my not-for-job FOSS work too. But folks doing paid FOSS work are somehow often considered “not leet enough” (I’m exaggerating here a bit) or “too corporate”. Somehow if FOSS work was done as part of your job it is given less merit.

                                    Overall IMO this is quite harmful to the ecosystem; we should be very welcoming of the concept of paid FOSS work and strive to make it a norm. It also helps supplant any inequality in the system due to having the time to work on FOSS for free, which folks struggling to make ends meet can’t do.

                                    Fortunately, this attitude doesn’t seem to be too widespread, just endemic to certain subcommunities. In particular newer communities like Ruby and Node seem to be very happy with paid FOSS work being a thing.

                                    Also reminds me of https://twitter.com/ag_dubs/status/829850842815668225

                                    1. 6

                                      It undermines the credibility on the authority on the subject curl by stating their position as a paid employee.

                                      I don’t understand how it undermines any credibility. He is a paid employee, but AFAIK he is not working on curl full-time. He works for Mozilla around Firefox network code, which includes curl. I think it is nice when people get paid for doing a job they like. But he could work at Microsoft or doing full-time curl consulting for all I care.

                                      It’s just that I don’t really like his last few posts. If they would be posted by someone else they would never receive the same attention. Also they do not spark any interesting discussion. Discussion is quite predictable as a result. He states that he likes C and people respond how much they like/don’t like C. Now there is a followup post that has more of exactly the same. It seems that it all comes to him being an author of curl. Seeing a reaction to the previous post and seeing this one I think he would be a happier person if he would not post them.

                                      I don’t want to undermine him or his work. But this is a technical link aggregator and his last few posts sound like just self-promotion, devoid of technical content. The joke was that his public activity seems to be about how curl is important, instead of how curl works. So I want to undermine such posts, because I’m here after interesting content. Not for a news cycle; I can go elsewhere to get that if I would want it.

                                      If he would explain some work he had done lately on curl, that could interest me.

                                      1. 6

                                        But that’s precisely the point your linked comment does. It draws light to nothing else than Daniel’s work relationship and dismisses the talk on that ground. Given the tone of that website and that being literally one sentence, there’s not many other interpretations.

                                        If you want to express something else, then search for another quote or just write the text you just wrote. Instead, you opted for a cheap shot and I’m sorry it backfired.

                                        Dislike his posts on technical grounds, I also don’t find them the best, but going the angle that he is paid for curl work is not it.

                                        1. 0

                                          I do not interpret losing a couple of Internet points as backfiring.

                                          (…) going the angle that he is paid for curl work is not it.

                                          As I stated earlier I don’t care how he earns his living. I’m happy for him that he is able to earn anything for doing a work he likes - more power to him. I really would not have anything against him, even if curl would be GPL licensed and he would sell commercial licenses. And he is not paid full-time for curl work AFAIK.

                                          Given the tone of that website (…)

                                          Satire uses exaggeration.

                                          (…) there’s not many other interpretations.

                                          There is at least one more. I think that you use an uncharitable one.

                                          It draws light to nothing else than Daniel’s work relationship and dismisses the talk on that ground.

                                          The joke would still work if he would work on curl entirely for free as his side-project. The joke would work even if it would end with:

                                          (…) because telling people how important curl is happens to be his favorite hobby.

                                          “Full-time job” is an exaggeration and for me it sounds funnier. It would sound even funnier if he would indeed work on curl for free.

                                          I agree that my comment was devoid of interesting content. In my view similarly to the linked post. I mainly continue this thread, because I’m really surprised by your interpretation of the joke. But now I can see that for some reason more people see it as you do and I’m even more surprised.

                                          I think that the n-gate.com author is part of the OpenBSD community. As BSDs use permissive licenses in part to make it easy to use their code in a commercial setting, I can’t understand why anyone from the BSD community would have something against people earning money on FOSS.

                                      2. 1

                                        It seems like an odd description for a talk though. Imagine going to a conference and it’s “Larry Ellison is here to tell you how important Oracle is because telling people how important Oracle is happens to be his full-time job”. That would turn me off.

                                        1. 5

                                          The “description” is the “funny interpretation” of the n-gate.com author, not by a conference.

                                          1. 6

                                            Oh sorry, I don’t know what n-gate is, it just looked like a list of talk descriptions at a quick glance.

                                            1. 11

                                              n-gate is a “joke” website that mainly works by putting other people’s work down and calling you names for touching certain software.

                                    2. 1

                                      Rewriting a project like curl is misguided imo. It throws away so much valuable backwards compatibility and portability. If the internet backseat drivers want to take the wheel … make a new project that is a safer alternative, new projects will use it when it really is a better choice instead of a hypothetical.

                                      1. 0

                                        I think the elephant in the room is that security would not be a problem if we structured our society differently. Early Unix didn’t even have permissions.

                                        The ideal world is a world where you don’t need security, not one where you need a password to take a shit.

                                        So I’m on the side of Daniel Stenberg here. The benefits of curl being available everywhere outweigh the security risk. The world is better for it.