1. 1

    I like the idea, but I have two concerns:

    • a missing environment variable causes a compilation error. Why? Why not just set the variable to NULL when it doesn’t exist? This feels like a misstep to me.

    • I don’t like the conditional statements. I find it very hard to follow the logic.

    The rest I have no complaints about. Also, were I to use this at work, we have two configuration file formats not covered by this tool—XML and Lua (yes, there are a few tools where we use Lua for configuration). Lua output seems like it would be easy to do; XML, I’m not so sure.

    1. 1

      XML is a challenge mostly because there is no single way to know if something should be an attribute or a nested tag. I’m still thinking about the best way to do that one.

      Regarding the environment variable missing causing an error I’m still trying to decide if that is the right call or not. On the one hand it’s nice to know that if you accidentally forget to set a variable you’ll get an error. On the other hand developing a configuration and getting compile errors all the time could get annoying.

      I’m curious about why you think the conditional statements are hard to follow. Sometimes when you’ve been working on something for a while you get tunnel vision so they don’t seem difficult to me, but I appreciate the feedback.

      1. 1

        It’s very indirect. A tradition condition:

        if afield == 'Shawn' then
          afield = 'Sean'
        end
        

        Given that, this:

        let what = 'afield';
        select what, "is the default always required?", {
          Shawn = 'Sean',
          // how do I keep the original value not get the default?
        };
        

        Is the answer?

        let what = 'afield';
        select what,what, {
          Shawn = 'Sean',
        };
        

        Is this the same?

        select 'afield' , afield , {
          Shawn = 'Sean';
        };
        

        Is that the same as my conditional? And why do I need to give the field name instead of the field? (Oh, replace single quotes with double quotes if that’s the syntax—I’m used to Lua). And it’s weird to call it a conditional when all you can do is check for equality.

        1. 1

          It’s closest analog is probably a switch statement in traditional languages which is also a conditional with more power than just an if statement. I tend to like languages not to have too many ways to do the same thing so I didn’t include an if-statement.

          1. 1

            In C, switch only tests for equality. if can do more than just that. In Lisp, cond is similar to switch, but can do more than just equality (less than, greater or equal, etc). But even if you restrict your conditional to just equality, I still find the current syntax clumsy and error-prone.

        2. 1

          For the environment variables, how about a warning if it’s missing?

          1. 1

            How would you feel about a flag that makes the compiler warn if it’s missing and then have the default behavior be to error. Or vice-versa. I want to avoid the case where you are deploying a configuration to prod and didn’t realize that an env variable wasn’t set thus causing an outage. Warnings often don’t prevent that especially in an automated deployment environment.

            1. 1

              As long as I get a way to choose what happens is fine.

        3. 1

          FYI I just implemented a flag in HEAD to disable the compilation error and issue a warning since that seems reasonable to me.

          I’m still thinking about the select and trying to decide if it should be improved.

        1. 3

          Nice work, thanks! Have you seen https://github.com/vstakhov/libucl? It seems to be written in C with bindings for Go, Python, Lua, Haskell, and maybe others? Haven’t used it so far but the general idea and project names seem quite similar.

          Especially things like Kubernetes or and Ansible where you end up with rather large amounts of yaml files got me interested in tooling around such. Alternative source languages with support for Macros, or at least map and filter seem useful.

          Regarding editor support, i found https://github.com/redhat-developer/yaml-language-server nice. It can be used with various editors which supports LSP (even emacs via lsp-mode or eglot) and provides not merely syntax checks but autocompletion and validations against a domain-specific schema. The schema can be provided as a JSON Schema a format with relatively broad support. Kubernetes, for example. I can’t say yet how well usage of json schema to validate yaml documents works in pratice - they have close, but i belive not identical semantics. But the idea of a unified configuration language where apps provide a schema to provide editors with generic validation and completion sounds nice :)

          1. 2

            I have seen ucl. I was looking at it as a way of possibly supporting hcl as an output target.

            I have considered adding a built in ucg language server but I’d like to have a stable syntax and semantics before I do that.

          1. 11

            Of course other people think it’s useful – other people made dhall :)

            1. 3

              Dhall is cool. It has very similar goals to ucg. The provable termination is a nice feature.

            1. 33

              I’ve run into this mentality myself a couple of times, people claim in 2018 that they can write safe C/C++, it’s only those other people that can’t.

              1. 7

                I would claim that 2018 is the best time (yet) for writing memory-safe C++. We have tooling and paradigms now where we don’t need to rely on raw pointers and can make use of things like shared_ptr and unique_ptr. We can utilize the vector class which gives us OOB write protection (via the vector::at method) . We can even look to the design decisions made in Rust and see they draw their roots from modern C++ (think RIAA). All the protections of Rust already exist in C++, and are distinct enough that tooling can catch when developers don’t use them.

                1. 20

                  I agree about it being best time to write safer C++. Ill add C, too, given all the analyzers. Empirical evidence Gaynor references show vast majority of C/C++ code fails to be safe anyway. So a safe-by-default option is better to use with unsafety turned on selectively when necessary.

                  Also, the key aspects of Rust’s memory safety come from Cyclone language. It was a safer C with some temporal safety among other things. Clay was another which had linear and singleton types.

                  1. 15

                    All the protections of Rust already exist in C++

                    Unless you are claiming C++ has a way to ensure data race freedom, this does not seem true.

                    1. 10

                      Smart pointers have been around for more than a decade (in Boost before they got into std::), and STL has been around for ages of course. From the memory safety perspective, the tools have been around for a long time. Perhaps the issue is that none of these things are mandatory.

                      1. 4

                        Halfway there: C++ was built on unsafe-by-default foundation, C, with good protections added that also aren’t mandatory. It evolved from there in a lot of ways I didnt keep up with. I just know that plus its parsing/semantic headaches gave C++ a brutal start if goal was safety on average or high assurance.

                      2. 9

                        (via the vector::at method)

                        Which you have to remember to use instead of the far easier nicer looking []. I’ve seen v.at in a C++ codebase exactly once in my life. As usual, the default C++ is unsafe.

                        We can even look to the design decisions made in Rust and see they draw their roots from modern C++ (think RIAA)

                        True but not sure of the relevance.

                        All the protections of Rust already exist in C++

                        They most certainly do not.

                        tooling can catch when developers don’t use them

                        There are no tools that I’m aware of that guarantee an absence of bugs in a C++ codebase. I’ve used most of them. Bugs still happen. Bugs that don’t happen in safer languages.

                        1. 8

                          All the protections of Rust already exist in C++

                          I’m not sure that’s entirely true, but I could be wrong. I agree with what you are saying about RIAA, but a few other things pop to mind:

                          • Rust tries really hard to ensure you have either only immutable references, or a sole mutable reference. This prevents the old “iterate over a collection and mutate it” problem.

                          • It also forces you to think about sharing semantics across threads (i.e. Sync trait).

                          • In Rust you can design APIs which “consume” their parameters. i.e. you pass ownership to a callee, and it never hands it back. This is useful for scenarios where you don’t want the user to try and re-use a conceptually finalized data structure. Perhaps reuse of the structure could be unsafe for example.

                          I’m sure there will be other examples. And I’m sure the proponents of Rust will provide those in more comments ;)

                          Maybe you can do these kinds of things in modern C++?

                          1. 6

                            Problem with C & C++ is not only about memory safety. Are you 100% sure you have absolutely no chance of a signed int overflow anywhere in your codebase?

                            1. 15

                              Compile with -fwrapv to instantly unlock the same behavior as rust.

                              1. 5

                                To get the K&R C behavior not the house-of-horrors C standard.

                                1. 3

                                  Or better, -ftrapv to trap even errors that Rust won’t catch. (I don’t understand why this wasn’t made the default behaviour in Rust, to be honest; the performance hit should ultimately be negligible, and they already make some choices for safety-over-performance).

                                  1. 4

                                    The reason it is not default in Rust is that performance hit was not negligible.

                                    1. 0

                                      Got some numbers? Part of the problem is probably that the code generator (LLVM) doesn’t handle it very well; but basing a language decision on a current limitation of the code generator doesn’t seem wise. (Especially if it’s a choice between “fail to detect some potentially critical code issue” and somewhat reduced performance).

                                      1. 5

                                        I don’t have the reference for Rust handy, but NIST Technical Note 1860 is one good reference. To quote the abstract:

                                        We performed an experiment to measure the application-level performance impact of seven defensive code options… Of the seven options, only one yielded clear evidence of a significant reduction in performance; the main effects of the other six were either materially or statistically insignificant.

                                        That one option is -ftrapv.

                                        1. 1

                                          That report is specific to GCC, though, which has worse overflow checking even that LLVM.

                                          “In practice, this means that the GCC compiler generates calls to existing library functions rather than generating assembler instructions to perform these arithmetic operations on signed integers.”

                                          Clang/LLVM doesn’t do that. Needless to say, it explains much of the performance hit, but not how it would affect Rust. I’m curious about what the real numbers do look like.

                                        2. 1

                                          (actually, having done some recent ad-hoc tests LLVM seems to do ok, mostly just inserting a jo instruction after operations that can overflow, which is probably about as good as you can do on x86-64. I’d still like to see some numbers of how this affects performance, though).

                                  2. 2

                                    I agree memory safety is not the only kind of security bug, but it is the focus of this article, which is why I focused on it in my comment.

                                2. 4

                                  And how do you know they’re wrong?

                                  We see evidence all the time. Easily preventable bugs in old software everybody used but nobody wanted to make good. Bugs that would’ve been obvious if people had looked at compiler warnings or run a static analyzer, but nobody did..

                                  1. 24

                                    And how do you know they’re wrong?

                                    I don’t know about @szbalint, but I know they’re wrong because of ample experience with people who think they can write safe C code and can’t. I literally have never met or have worked with an engineer I’d trust to write C code, myself obviously included.

                                    I’ve been compiling all C and C++ code with -Wall for at least the last 15 years, and the last 10 with -Wall -Wextra -Werror. I’ve used free and paid-for static analysers on production code. Tests, extensive code reviews, valgrind, clang sanitizers, the lot.

                                    The end result were bugs, bugs, and more bugs, many of them security vulnerabilities. This problem isn’t solvable with developer discipline and tools. We’ve tried. We’ve failed.

                                    1. 2

                                      Has your experience with D been much better? I’ve been able to segfault D because I didn’t realise that SomeClass c; generates a null pointer. I really wish the language were modified to make this impossible without some extra attributes like @trusted.

                                      That’s the only way I’ve managed to really “crash” D, though. The rest of the time I get pretty stack traces at runtime whenever I mess up, much more controlled and predictable error-handling.

                                      1. 1

                                        Has your experience with D been much better?

                                        Vastly so.

                                        I’ve been able to segfault D because I didn’t realise that SomeClass c; generates a null pointer.

                                        That’s not considered an issue in D. Variables are all default-initialised so you’ll get a crash at the point where you forgot to assign the reference to a new instance. Deterministic crashes in the face of bugs is a good thing.

                                        1. 1

                                          A segfault is a pretty obscure thing, and I’m not sure it’s even exactly “deterministic”. Are all arches guaranteed to react the same way to dereferencing a null pointer? It’s not like it’s raising a D NullPointerException, if such a thing even exists, so I don’t get a stack trace telling me where the problem is, unlike every other D “crash”.

                                          I still don’t understand why making this segfaulting easy is desirable. It feels like an obvious rake to step on.

                                          1. 1

                                            A segfault is a pretty obscure thing

                                            To a scripter, maybe, but not to a systems programmer.

                                            and I’m not sure it’s even exactly “deterministic”

                                            Some are, some aren’t. The deterministic ones are of the good variety. Always crashing because of an unitialised reference is ok. Getting a segfault somewhere else in your app isn’t.

                                            It’s not like it’s raising a D NullPointerException, if such a thing even exists

                                            It doesn’t exist, or rather, its version is to just segfault.

                                            so I don’t get a stack trace telling me where the problem is, unlike every other D “crash”.

                                            % coredumpctl gdb
                                            % bt
                                            

                                            If you’re not running systemd then run the program again under gdb. Since it always crashes in the same place you’ll get the same result. If you’re on Windows you open the debugger right there and then and look at the backtrace.

                                            It feels like an obvious rake to step on.

                                            It isn’t, it always takes me 30s to fix.

                                      2. 2

                                        I don’t know what your use involves, but sometimes using e.g. Coverity is not much better than never using it. All those things have to be done in the context of a comprehensive build and test system and always done on every checkin. And there is no substitute for good programmers with solid education. I have met a number of really excellent C programmer who produce solid, trustworthy code.

                                        And, as always in such discussions, none of these assertions make sense without a “compared to”. People write unsafe C code, compared to which people who write what?

                                        1. 2

                                          using e.g. Coverity is not much better than never using it

                                          Not in my experience.

                                          And there is no substitute for good programmers with solid education.

                                          Few and far between.

                                          I have met a number of really excellent C programmer who produce solid, trustworthy code.

                                          I have not. And that includes meeting compiler writers and C++ luminaries.

                                          People write unsafe C code, compared to which people who write what?

                                          To people who write code in Ada, Rust, …

                                        2. 1

                                          The end result were bugs, bugs, and more bugs, many of them security vulnerabilities. This problem isn’t solvable with developer discipline and tools. We’ve tried. We’ve failed.

                                          Then why is it that when the bugs that relate to language level issues are dissected in the public, they nearly always seem like they’d be prevented by discipline & disciplined application of tooling?

                                          1. 4

                                            Even the best programmers have an error rate. Much lower than novice programmers, but it’s still there.

                                            1. 1

                                              You are stating the obvious here.

                                              The question is, why aren’t these errors being caught when it is so easy to do?

                                              1. 6

                                                The nature of the tooling seems like a prime candidate answer to that question. In C and C++ you often need to opt into constructs and static analyses in order to guard against memory safety bugs. Just look at all the tortured defenses in this thread alone. It’s some combination of “oh just use this particular subset of C++” all the way to “get gud.”

                                                In memory safe languages the tooling generally demands that you opt out in order to write code that is susceptible to memory safety bugs.

                                                It’s just another instance of “defaults matter.”

                                                1. 0

                                                  I think we’re going in circles here. None of what you say is evidence that people can’t write safe code. You’re just saying they (most of them) won’t, which isn’t the contentious point.

                                                  1. 5

                                                    Seems like a distinction without a practical difference. You asked a question, “why aren’t these errors being caught when it is so easy to do,” and I answered with, essentially, “maybe it’s not as easy as you think.” I proposed a reason why it might not be easy.

                                                2. 4

                                                  The question is, why aren’t these errors being caught when it is so easy to do?

                                                  It isn’t easy. If it were, they’d be caught. The litany of security vulnerabilities everywhere shows us that we’re doing it wrong.

                                                  1. 1

                                                    Right. Why not?

                                                3. 2

                                                  Did I claim developer discipline wouldn’t prevent bugs? What I’m claiming is that it’s humanly impossible to manage that level of discipline in any large codebase. And I’m claiming that because we have decades of experience telling us that it’s the case.

                                              2. 3

                                                You raise a good point. I think anyone who thinks their own code is perfect is wrong, but I can’t prove it. I suppose, also, that it could be vacuously true in the sense that maybe their own code is perfect, but they haven’t written production systems entirely by themselves. Was that what you were suggesting?

                                                1. 2

                                                  You raise a good point. I think anyone who thinks their own code is perfect is wrong, but I can’t prove it.

                                                  Can you write one line of code that is perfect? Why not two? Why not ten? Why not a thousand?

                                                  Even then, there’s a continuum between perfect and unmitigated disaster. I’ll grant you that I don’t really believe in large scale software ever being perfect in a literal sense of the word. Not even bug free. However, I believe there are individuals who can produce safe software in C. And if given enough control over the platform the code runs on, they can lock things down to virtually guarantee that language level issues are not ever going to turn into full compromise (RCE) or secret leaks.

                                                  If you need something for a case study, why not take a look at qmail? The fun thing is that the papers and writeups about qmail’s security practices don’t really mention things such as extensive use of static analyzers, fuzzers, and formal verification. Despite that, it has an incredible track record. I think there is much more that could be done to raise the bar.

                                                  I suppose, also, that it could be vacuously true in the sense that maybe their own code is perfect, but they haven’t written production systems entirely by themselves. Was that what you were suggesting?

                                                  Security costs time and isn’t sexy. Worst of all, you can’t measure it like you can measure performance or the length of the list of features. So even if someone out there is producing “perfect” code, it’s likely that the project goes mostly unheard of. If one were to dig up and point out such a project, people would just call it a toy / academic exercise / “nobody uses it.” People might say they care about security but they really don’t, they just use whatever is convenient or popular. And when you point out the bugs in that, well, developers being developers, they just pat each other on the back. “Dude, bugs happen! Give ’em a break!”

                                                  It’s especially bad in any commercial setting, which is why I think it is indeed the case that the people who are capable of writing secure software are, in the end, not doing that, because they don’t get to write an entire production system on their own terms. I don’t think it’s a coincidence that the project I just mentioned is essentially a solo project by one person.

                                                  I’m in that boat too, sort of. At day job there’s so much code that’d get you kicked out if it were my personal project with a security guarantee. I’m not at liberty to rearchitect and rewrite the software. The markets opt out of security.

                                                  1. 6

                                                    Can you write one line of code that is perfect? Why not two? Why not ten? Why not a thousand?

                                                    It depends on the line. Perfection isn’t just about the semantics the code has to the compiler, but about how a future reader will interpret it. Even the shortest snippet of code can have subtleties that may not be obvious later, no matter how clear they seem to me today. Concretely, in the 90s, “everyone knew” that system() was a huge security vulnerability because of how it adds to the attack surface, and it wasn’t a big deal because code that was thought of as needing to be secure was hardened against it. But those very same semantics came as a very unwelcome surprise to “everyone” when Shellshock was publicized in 2014.

                                                    Lots of vulnerabilities can be traced to people misunderstanding single lines of code.

                                                    I very much agree with your point about it being hard to sell security. I think that’s by far the biggest factor in how horrible the current state of affairs is.

                                                    1. 3

                                                      Wasn’t the key shellshock problem that bash executed environment variables? 99% of these failures seem to come from parsing errors, eval, and convenience components. Why bash designers felt it was good to allow arbitrary functions to be passed in environment variables and then executed baffles me but probably came from feature creep. The same functionality could have been achieved more safely by include/load like mechanisms (not 100% safe either, but easier to lock down) or, better, running other programs.

                                                      BTW: Bash scripts are memory safe.

                                                      1. 2

                                                        It depends on what you see as the most unexpected part of it. The reason it was such an emergency to patch it was that bash was exposed to unauthenticated incoming network connections in the first place.

                                              3. -3

                                                Where are all the safe Rust based applications and operating systems?

                                                  1. 6

                                                    I mean, so what? The pool of talented systems programmers is vanishingly small, and also going to be dominated by people using C/C++, so its not that surprising that it hasn’t eradicated all the competition yet. And as a sibling commenter pointed out, its doing pretty well for being all of 3 years old.

                                                    1. 0

                                                      There is a big difference between “has not eradicated the competition yet” and “still can’t point to 5 widely used and superior applications”.

                                                      1. 10

                                                        how many did python have within 3 years? Or ruby for that matter. How about clojure? None of those had “5 widely used and superior applications” within 3 1/2 years. It was probably a decade before python had 5, maybe a little less for ruby. And you didn’t respond at all to my point about the quantity of systems programmers. Rust is a kind of weird language, attempting to fill a very tight ecological niche with few potential adoptees in terms of actual programmers. I’m not in the least surprised that its still very much in an embryonic state in regards to a community and the works that would flow from that. And, fwiw, Servo and Fuscia aren’t exactly small scale applications, not to mention all of the companies using it internally for whom we have no data/reports other than job board postings.

                                                        1. 1

                                                          I’m not at all saying Rust is a failure - I don’t find it appealing, but that doesn’t mean anything. But it’s still in the experiment stage. You can declare C obsolete when you have that body of large successful, less buggy, products to point at.

                                                          1. 9

                                                            The whole point of the article is that literally decades of experience have shown that it is effectively impossible to write safe secure code in C/C++. The goal in fact is to to declare C/C++ a security nightmare. Does that make it obsolete? Maybe, maybe not. There are options out there that give you far more safety guarantees than C/C++ will ever be able to do.

                                                            Knowing that it is quite possibly flat our irresponsible to use it for any new project where security is important. Oh, and security is nearly always an important concern for a software project.

                                                            1. 1

                                                              Let me try again: To make that claim be anything more than marketing, you’d need some (a) data and (b) some indication that C programs were WORSE than some alternative. In the absence of both, it’s just weak marketing. The evidence seems to show more that it is very difficult to develop large software systems that are safe and secure and, at the same time, find an appreciative audience - no matter what the language. As I pointed out before, until there are significant examples of safe/secure/successful Rust programs to compare with, such claims are just blowing smoke.

                                                              1. 2

                                                                While it’s not as strong a claim as you seem to want, I don’t think it’s incorrect to say that C and C++ in the hands of not superhuman developers tends to result in a whole class of bugs that Rust makes nearly impossible to create. Bugs that have appeared numerous times and continue to keep appearing in critical internet infrastructure.

                                                                It’s purely anecdotal but Rust has prevented multiple use after free, use before initialized, and buffer overrun errors in my own code multiple times just while playing around. It’s a bit disingenuous to suggest that C/C++ don’t have a problem and that Rust which provably prevents most of those problems isn’t a promising solution.

                                                                This isn’t blowing smoke it’s a recognition that there is a problem and possible solution to that problem that doesn’t involve cloning Dan Bernstein and firing all the other programmers.

                                                                1. 2

                                                                  I kind of like the idea of cloning Dan Bernstein and firing all the other programmers. It’s a big idea with some verve and panache.

                                                                1. 4

                                                                  I agree the comment overstated by saying “effectively impossible.” Really hard with higher failure rates than safe languages would be more accurate. Yet, it seems misleading for you to use Bernstein and Hipp since most people are nowhere near as good at QA as them. Bernstein is also a security genius.

                                                                  C defenders countering with the vulnerability results of security geniuses in minimalist apps instead of what average C coder achieves vs average user of safe language isnt a good comparison.

                                                                  1. 0

                                                                    Hence my quest for examples rather than handwaving. Examples of real applications that are not minimalist. Specific examples.

                                                                    1. 2

                                                                      Ripgrep? Firefox? The former is shipped and used for search in VS Code, the latter is pretty rapidly moving to using rust where it can to improve performance, and reduce security issues. Just two projects I can name off the top of my head as a non rust programmer.

                                                                      1. 0

                                                                        The same two projects everyone names and I’m not dismissing either of them. I’m just pointing out that the triumphal declarations of the obsolescense of C and dawn of the Reign of Rust lack sufficient backing. If we just got enthusiastic reports about what people wrote in Rust and how well it worked that would be interesting and impressive. But this overblown marketing stuff is just irritating.

                                                          2. 5

                                                            Well, I guess ripgrep qualifies? Hopefully there will be more such applications.

                                                            1. -1

                                                              Ripgrep is interesting. Is it considerably less bug ridden than ag ? Is it considerably less bug ridden than grep?

                                                              https://www.cvedetails.com/product/23804/GNU-Grep.html?vendor_id=72 Well grep doesn’t seem so bad.

                                                              Come on, people need to do better than this.

                                                              1. 7

                                                                Is it considerably less bug ridden than ag ?

                                                                Yes, by a very very large margin across at least a couple different spectrums.

                                                                Is it considerably less bug ridden than grep?

                                                                Unlikely.

                                                                Come on, people need to do better than this.

                                                                Right. Nothing will ever be good enough. This is a classic Internet debate tactic. No matter what example anyone gives you, there will always be a reason to dismiss it. I don’t say that flippantly necessarily. Satisfying your standard (mentioned in another comment) to a high degree is nearly impossible. There will always be differences and variables that cannot reasonably be controlled for.

                                                                It’s totally fine to have high standards that are impossible to satisfy (it’s your choice), but at least state that up front explicitly and don’t be coy about it. And don’t accuse people who are trying to hit a lower standard of evidence as just “blowing smoke,” because that’s a bunch of bullshit and you know it.

                                                                1. -2

                                                                  Oh come on: ripgrep is the example I’m given. Yet, grep, written in horrible pathetic C, has very few security bugs. Are there CVEs for ag even? I am ready to be persuaded and I don’t need ironclad proofs - I just want to see a number of examples of complex applications/systems written in XYZ that are significantly better than the standard C versions in terms of security. Until those are available it’s just marketing. Maybe Rust is a brilliant advance that will lead to the creation of highly reliable secure applications - maybe it is not. Without evidence, all this claim that C has been obsoleted by Rust or whatever is exactly that - just blowing smoke. Read software jewels by Parnas, this is not a new problem.

                                                                  I’ll give you a good example: the OP makes a big deal about security issues in ImageMagick! Of all things. I cannot imagine that anyone involved in the development of ImageMagick worried about security at all - it was a tool people could use to manipulate images. Now it is being dragged into service as an online utility exposed to the open internet or used on images that come from anywhere and - lo and behold - because of C it’s insecure! Great, let me see a Rust program designed without any attention to security employed similarly and we’ll compare.

                                                        2. 1

                                                          Quite a few swift based applications out there though, so it isn’t like new languages aren’t being used for things.
                                                          Go is quite popular in certain spaces too, for what it’s worth.

                                                      1. 4

                                                        Maybe I’m just in the minority here but most of my defensive programming is about determining wheni should crash vs when i should take a different code path. I feel like this case was an instance of Solaris being more defensive than MacOs and Linux.

                                                        1. 4

                                                          There’s a big difference between choosing to crash and just .. happening to crash per chance due to UB. Which was it?

                                                        1. 2

                                                          Can you combine the constraints that affine types let you encode with the constraints that ADTs let you encode (link was about F# but technique is applicable to most anything with ADTs, which should include Rust), to achieve encodings of maybe even quite complicated invariants?

                                                          1. 2

                                                            I don’t see any particular reason that you couldn’t as long as these affine rules still apply for enums.

                                                            For example …

                                                            enum Item{
                                                              Letter{someprops...},
                                                              Flower{someEntirelyDifferentProps...},
                                                              PostCard{props...},
                                                              Photograph{props...}
                                                            }
                                                            
                                                            pub struct EmptyEnvelope { }
                                                            
                                                            /// A closed envelope containing a letter.
                                                            /// perhaps some rust afficionado can tell me if this is correct
                                                            pub struct ClosedEnvelope {
                                                                item: Item,
                                                            }
                                                            
                                                            impl EmptyEnvelope {
                                                                /// Put a letter in the envelope and seal it.
                                                                pub fn wrap(self, item: Item) -> ClosedEnvelope {
                                                                    ClosedEnvelope { item: Item }
                                                                }
                                                            

                                                            However I feel that you’d find the lack of recursive sum types to be pretty limiting if you went forward with this style for defining a structural hierarchy of your valid data representations. Also I could be mistaken I don’t think you can put reference types in your enum there.

                                                            1. 2

                                                              You would usea smart pointer combined with Option to represent recursive enums. Usually Option<Box<MyEnum>>

                                                          1. 3

                                                            I agree with most of this. However i disagree with his stance on checked exceptions. They prevent a large body of errors in production. Everything from swallowed exceptions to unnecessary crashes.

                                                            For a maintenance programmer, checked exceptions can be a lifesaver. The throws annotation is not noise. It’s important information when debugging a production issue. If the list gets to long then you can wrap the exception to cut the list down. But hiding that information can cost you in the form of bugs realeased to production.

                                                            Runtime exceptions should be limited to errors that should return a 500 or crash the server.

                                                            1. 29

                                                              Does anyone know if any actual kernel devs have been involved with this threat? Something that isn’t pointed out in this (imo pretty biased) article is that the initial email was sent more-or-less anonymously, from an account hosted on cock.li, which seems to be at least spiritually 4chan-related. This makes me suspicious that the whole thing was invented as a “look how much backlash there is against these grievous CoCs!” stunt. This suspicion is strengthened by the misleading reference to the Drupal case, which seems to have been mostly in spite of a lack of CoC violations.

                                                              [edit: there is some discussion of this type of issue on LKML]

                                                              I mostly found it interesting because I had always assumed that you couldn’t rescind viral licenses like the GPL.

                                                              1. 3

                                                                There is a reason the GNU foundation requires a copyright assignment for contributions. An author is allowed to revoke licenses to any code they write under many licenses.

                                                                Google also requires a copyright assignment for any code you contribute to projects they oversee for similar reasons.

                                                                Linux sides not have such a requirement which gives the contributors a lot of power.

                                                                1. 3

                                                                  How does that change anything? The point is the law permits the transfer to be terminated.

                                                                  1. 5

                                                                    There is a reason the GNU foundation requires a copyright assignment for contributions. An author is allowed to revoke licenses to any code they write under many licenses.

                                                                    But not under the GPL. You absolutely cannot rescind your license under the GPL.

                                                                    Google also requires a copyright assignment for any code you contribute to projects they oversee for similar reasons.

                                                                    No, Google requires a copyright assignment for the same reason as many other companies: so that they have complete control and can use the software commercially and sell it under a proprietary license.

                                                                    1. 4

                                                                      On what grounds do you believe that the GPL doesn’t allow you to rescind your license?

                                                                      1. 2

                                                                        On the grounds that there’s no mention in the GPL that it allows you to rescind your license.

                                                                        1. 1

                                                                          I’m not sure that the GPL has to specifically allow it.https://www.law.cornell.edu/uscode/text/17/203

                                                                          In the case of any work other than a work made for hire, the exclusive or nonexclusive grant of a transfer or license of copyright or of any right under a copyright, executed by the author on or after January 1, 1978, otherwise than by will, is subject to termination under the following conditions

                                                                          It does indicate that there are restrictions on when 35 years after you can do the revoking and how much advance warning (on the order of 2 years) is necessary. But no where in the relevant US code do I see anything saying that you must specify that a license is revokable in order to allow for revoking a license.

                                                                          1. 1

                                                                            The GPL is a contract with consideration. As I understand it you cannot simply terminate a contract without reason, but if you do so and then you’re sued I don’t think you’ll necessarily be forced to honour the contract by the court. Courts are generally apprehensive about forcing people to do things and prefer to impose damages.

                                                                          2. 1

                                                                            GPL is still copyright, it’s just an attempt at subverting it. The developers are still the actual owners, and whenever it’s redistributed, it’s always redistributed under their own terms, namely those specified in the COPYING file. They aren’t slaves to their own conditions, they have the same right to remove it as they have to enforce it – it’s not public domain after all.

                                                                            1. 1

                                                                              You can’t just unilaterally revoke a contract. If you download and then redistribute my software under the GPL I can’t just tell you to stop. That’s literally the whole point of the license.

                                                                              1. 1

                                                                                No, but I can stop distributing newer versions under that license.

                                                                                1. 1

                                                                                  Absolutely. But then the ‘kill switch’ these developers have is just the freedom to stop working on the kernel. That’s a freedom they’ve always had, nothing new. The suggestion is that they can ‘rescind’ or ‘revoke’ their license and stop others from continuing development or continuing distributing existing versions. I see no reason why that would be true.

                                                                        2. 3

                                                                          Did you not read the article? GPL2 definitely DOES allow one to rescind the license.

                                                                          1. 15

                                                                            that article was awful. I mean, if your quoting anonymous comments from 4chan, what you’re doing isn’t journalism

                                                                        3. 1

                                                                          I always thought projects did this to be able to change the license.

                                                                          1. 1

                                                                            Changing the license is a similar operation to revoking a license in my mind so it makes sense that both reasons would behind the practice.

                                                                        4. 3

                                                                          I mostly found it interesting because I had always assumed that you couldn’t rescind viral licenses like the GPL.

                                                                          You were and are right: you cannot do so. The idea that you can’t because it doesn’t explicitly say you can’t is utterly absurd. The entire point of a copyright license is that you are licensing the work to others. There’s nothing in that license that says you can rescind it, thus you can’t rescind it. It’s pretty simple. The entire world of free and open source software is built upon this premise. If people could just go around and rescind the licenses to their contributions it would destroy free and open source software.

                                                                          1. 9

                                                                            So the analysis link seems excessively long, but here’s the relevant part of the law.

                                                                            https://www.law.cornell.edu/uscode/text/17/203

                                                                            You don’t have to build a rescinding clause into the license. It’s provided by law. Unless there’s some other reason this isn’t applicable.

                                                                            1. 6

                                                                              Seems like (section a.3 is saying) revocation can only occur after 35 years after initial grant, and within a 5 year window? Weird.

                                                                              1. 2

                                                                                Ah, this is a good point that I had missed: This particular way of rescinding a license actually isn’t possible for the next few years, since Linux isn’t that old. So the argument described by the possibly-troll lawyer is closer to the way this might actually work, though it seems way more tenuous to me now.

                                                                                1. 2

                                                                                  But that part is only relevant for people who have already been granted the license correct? I am very definitely not a lawyer and could easily be wrong here. However it seems like there could be an argument that Current users of the kernel would be allowed to continue to exercise their use under the license but that no future versions of the kernel could be published with the code in question. That could have the effect of preventing bugfixes to current kernel versions, as well as stalling kernel development for some time as the core devs worked to strip out and replace all of the code that is no longer licensed to be used.

                                                                                  How the relevant law applies with a viral license is a question that seems unsettled to me and likely would need to go through the courts to settle the question.

                                                                        1. 1

                                                                          Braces and indentation is redundant information. A good thing about that is that if someone comes after you and adds an indentation bug, it will look wrong, and a compiler might catch that as “misleading indentation” (as does gcc).

                                                                          1. 2

                                                                            Not all forms of indentation bugs look wrong. Particularly the “this was supposed to be in the outer block” bug.

                                                                            1. 2

                                                                              This is why in Go you specify only the braces and you let your editor and gofmt manage indentation :-)

                                                                              1. 1

                                                                                Well, running gofmt destroys the redundant information and any benefit with it :-(

                                                                                Think of the indentation as the checksum of the brace placement: If they don’t match, you have an opportunity to find a potential bug!

                                                                                • indentation = how it looks like it works (likely what the programmer intended)
                                                                                • braces = how it actually works
                                                                            1. 3

                                                                              I don’t know what he’s talking about with this:

                                                                              I haven’t waded into known strengths of Rust like the FFI and the concurrency model!

                                                                              Trying to do things concurrently in Rust made me stop trying to use Rust. Having to completely redo the i/o and suddenly having my selection of libraries Balkanized made continuing in Rust for a hobby project not worth it.

                                                                              1. 9

                                                                                I imagine Bryan Cantrill is in the class of developers who evaluates languages/frameworks/libraries in terms of their readability and maintainability. Probably because a large portion of his career has been doing maintenance programming.

                                                                                When measured along those axes balkanized libraries and the occasional refactor hardly matter. Especially when Rust makes those refactoring quite a bit safer than other languages with it’s type system and borrow checker.

                                                                                1. 1

                                                                                  I heard thread safety is one of Rust’s selling points. What kind of concurrency issues did you run into?

                                                                                  1. 2

                                                                                    Presumably he’s referring to the hoops you have to jump through because of Rust’s thread safety guarantees.

                                                                                    You can’t just use shared mutable state like you otherwise would have, and until recently there were multiple competing (and mutually incompatible) approaches in use.

                                                                                    1. 2

                                                                                      It has the same problem as C/C++ where I actually have no idea what kind of threading model any given library is going to use. Spawn a thread per request? Thread pool? Some actor framework? Callbacks? If it’s using a framework, which one? Do all my libraries play nice with it?

                                                                                      I think futures are in the stdlib, but async/await isn’t in stable. The rust book touches on futures, but mostly focuses on implementing your own ThreadPool, and not anything about how to organize futures-using code.

                                                                                      1. 3

                                                                                        Yep futures in std, and async/await are currently in nightly and will be available in the near term.

                                                                                  1. 3

                                                                                    I wonder how much of this is caused by caching. The gap between Inbox and Spreadsheets seems like it could be caused by caching what each is caching to make the UI responsive.

                                                                                    1. 2

                                                                                      Yeah I think some web apps cache whole prerendered screens so when you click a new tab it shows instantly

                                                                                    1. 8

                                                                                      As an occasional used of notebooks I agree with almost everything he said in those slides. Kind of want to see a recording of the talk now.

                                                                                      1. 9

                                                                                        Yea I’d rather see a recording. The slides aren’t really getting the full point across on their own (which means they’re actually good slides and are just an addition visual aid like they should be, vs something you just read point by point while on stage).

                                                                                        1. 7

                                                                                          If you look at the speaker notes (if Google Slides lets you) you’ll get the bulk of what I actually said.

                                                                                          (You’ll still miss out on the two livecoding pieces and my impeccable comedic timing.)

                                                                                        2. 5

                                                                                          They did record it and supposedly will put it up on YouTube at some point.

                                                                                          1. 1

                                                                                            I had no idea this stuff existed before this post. Are they actually widely used?

                                                                                          1. 37

                                                                                            The best today list system is one you will actually use. There is no one size fits all system.

                                                                                            1. 3

                                                                                              This is why you Don’t Implement Your Own Crypto! Come on folks.

                                                                                              1. 9

                                                                                                Sooo, You know that this is OpenSSH right? I mean someone has to write the Crypto. OpenSSH developers are among those that you might want to trust to do it right. No one is perfect though.

                                                                                                1. 6

                                                                                                  Actually, the code in question was written by Tatu, before openssh was forked.

                                                                                                  Well, depending on exactly what code you mean. The key encrypting code was technically in OpenSSL (or librsa) I think. The choice to use it was Tatu’s.

                                                                                                  1. 3

                                                                                                    Pretty sure this comment was intended as a joke for this reason?

                                                                                                    1. 2

                                                                                                      Yeah it kind of was. I guess it was a little obscure though.

                                                                                                  2. 6

                                                                                                    Well, hop in a time machine back to 1996 and pick something better off the shelf…

                                                                                                    1. 1

                                                                                                      I read the article, and the situation seems related to OpenSSL only. Joel Sing confirmed that commits https://github.com/libressl-portable/openbsd/commit/17b1f1ce28ae8bc5a873951ad6c8aa564b68c0ab and https://github.com/libressl-portable/openbsd/commit/952c1252f58f5f57227f5efaeec0169759c77d72 fixed the issues back in 2017 for LibreSSL. More details by Billy Brumley to the oss-security earlier this year: http://www.openwall.com/lists/oss-security/2018/04/16/3 .

                                                                                                      In conclusion OpenBSD and Void Linux have this mitigated.

                                                                                                      1. 4

                                                                                                        Those commits have nothing to do with the issue in the article.

                                                                                                    1. 6

                                                                                                      Most of my code on Github or Bitbucket is recreational code. I have 0 expectation that anyone would want to use any of it. I do like sharing it anyway though.

                                                                                                      1. 0

                                                                                                        I’m very happy with vgo after spending years frustrated with buggy, partially-broken third party tools: first glide (no way to upgrade just one package, randomly fails operations) then dep (100+ comment issue on not supporting private repos).

                                                                                                        This comment from HN sums up my feelings on this post:

                                                                                                        Go does not exist to raise the profiles of Sam Boyer and Peter Bourgon. Sam wanted to be a Big Man On Campus in the Go community and had to learn the hard way what the D in BDFL means. The state of dep is the same as it was before - an optional tool you might use or might not.

                                                                                                        Lots of mentions in Peter’s post about things the “dep committee” may or may not have agreed with. Isn’t this the same appeal to authority he is throwing at Russ? When did the “dep committee” become the gatekeepers of Go dependency discussions and solutions? Looks like a self-elected shadow government, except it didn’t have a “commit bit”. Someone should have burst their balloon earlier, that is the only fault here. Russ, you are at fault for leading these people on.

                                                                                                        Go is better off with Russ’s module work and I personally don’t care if Sam and Peter are disgruntled.

                                                                                                        1. 14

                                                                                                          This is an extremely bad faith interpretation of events. Your words have an actual negative effect on people who have tried for a very long time to do the best they could to improve a bad situation.

                                                                                                          1. 9

                                                                                                            had to learn the hard way what the D in BDFL means

                                                                                                            Except Go is not (or at least doesn’t market itself as) BDFL-led. The core team has been talking about building and empowering the community for years (at least since Gophercon 2015, with Russ’ talk).

                                                                                                            When did the “dep committee” become the gatekeepers of Go dependency discussions and solutions?

                                                                                                            They were put in place by / with the blessing of the Go core team, so some authority on the subject was certainly implied.

                                                                                                            Go is better off with Russ’s module work

                                                                                                            You can certainly prefer Russ’s technical solution, that’s only part of the thing being discussed (and I think it’s fair to say it’s not the heart of the matter).

                                                                                                            The rest of your quotes are just mean.

                                                                                                            1. -4

                                                                                                              People don’t seem to realize that Go is not driven by the community, it’s driven by Google. It’s clear to me that Google doesn’t trust its programmers to use any advanced features, the code is formatted the same (again, don’t trust the programmer), everything is kept in one single repo and there is no versioning [1]. In my opinion, Google only released Go to convince a ton of programmers it’s the New Hotness (TM), get everybody using it so they can cut down on training costs and disappointed engineers looking for resume-worthy tech to work on [2].

                                                                                                              So, any proposal for Go that violates Google’s work flow will be rejected [3]. Any proposal that is neutral or even helps Google, will probably be accepted. As far as I’m concerned, Go is a Google-proprietary language to solves problems Google has. The fact that it is available for others to use is intentional on Googles part, but in no way is it “communitty driven.”

                                                                                                              [1] Because if you change the signature of a function, it is up to you to change all the call sites at the same time. Because the code is all formatted the same way, there does exist tooling to do this. At Google. Probably no where else.

                                                                                                              [2] “What do you mean we got to use this proprietary crap language? I can’t put this on my resume! My skills will stagnate here! I hate you, Google!”

                                                                                                              [3] Stonewalled. Politely told no.. But ultimately, it will be rejected.

                                                                                                              1. 4

                                                                                                                To be fair, don’t trust the programmer, is a pretty good rule to follow when you design a language or API. Not because programmers are bad or incompetent but because they are human and thus predisposed to make mistakes over time.

                                                                                                            2. 5

                                                                                                              hrm, I actually want to push back against this quite strongly. any BDFL making decisions in the absence of community input will quickly find themselves the BDFL of a project that has no users, or at least one that often makes poor technical choices. Also, framing this disagreement as a personal one where prestige and reputation are at stake rather than as a technical one is a characterization that nobody other than the involved parties can make, certainly not people uninvolved in the project at all. In particular, making character judgements about people you don’t know based on technical blog posts is something I expect from the orange website, but I’d like to think the community here is a bit better.

                                                                                                              and as far as that technical disagreement goes, I’ve read through rsc’s rationale and I’m not any more convinced than I was in the beginning that jettisoning a well known package management path (SAT-solver) in favor of a bespoke solution is the correct decision. It is definitely the Golang thing to do, but I don’t know if it’s the best. Time will tell.

                                                                                                            1. 20

                                                                                                              Kinesis Advantage. I’ve been using them for almost twenty years, and other than some basic remapping, I don’t customize.

                                                                                                              1. 2

                                                                                                                Ditto, I’m at a solid decade. I cannot recommend them enough.

                                                                                                                1. 2

                                                                                                                  Also Kinesis Advantage for over a decade. On the hardware side I’ve only mapped ESC to where Caps Lock would be. On the OS side I’ve got a customized version of US Dvorak with scandinavian alphabet.

                                                                                                                  I’d like to try a maltron 3d keyboard with integrated trackball mouse. It’s got better function keys too, and a numpad in the middle where there’s nothing except leds on the kinesis.

                                                                                                                  1. 2

                                                                                                                    Me too. I remap a few keys like the largely useless caps-lock and otherwise I don’t program it at all. It made my wrist pain disappear within a couple weeks of usage though.

                                                                                                                    1. 2

                                                                                                                      My only “problem” with the Kinesis, and it’s not even my problem, was that the office complained about the volume of the kicks while I was on a call taking notes.

                                                                                                                      So I switch between the Kinesis and a Apple or Logitech BT keyboard for those occasions.

                                                                                                                      1. 1

                                                                                                                        You can turn the clicks off! I think the combo is Prgm-\

                                                                                                                        1. 2

                                                                                                                          Yeah, its not that click, it’ the other one from the switches :-)

                                                                                                                          I can be a heavy typer and for whatever reason, these keys stand out more than I expected to others behind the microphone.

                                                                                                                      2. 2

                                                                                                                        I prefer the kinesis freestyle2. I like the ability to move the two halves farther apart (broad shoulders) and the tilt has done wonders for my RSI issues.

                                                                                                                        1. 2

                                                                                                                          similar, largely I like that I can put the magic trackpad in between the two halves and have something that feels comparable to using the laptop keyboard. I got rid of my mouse years ago but I’m fairly biased on a trackpad’s potential.

                                                                                                                          I’ve sometimes thought about buying a microsoft folding keyboard and cutting/rewiring it to serve as a portable setup. Have also thought of making a modified version of the nyquist keyboard to be a bit less ‘minimal’ - https://twitter.com/vivekgani/status/939823701804982273

                                                                                                                      1. 3

                                                                                                                        These look modest in size but very definitely not modest in impact.

                                                                                                                        1. 3

                                                                                                                          “modest proposal” is an ironic phrase alluding to https://en.wikipedia.org/wiki/A_Modest_Proposal.

                                                                                                                          1. 2

                                                                                                                            A great text!

                                                                                                                            I’ve always considered it as the original inspiration for the old propaganda about Communists eating children.

                                                                                                                            I wonder to what length one could go writing a similar paper, in Latex, today.

                                                                                                                            It’s definitely an hack to try.

                                                                                                                        1. 2

                                                                                                                          I’d reply to this, but I’m really busy doing dot products on big piles of vectors… they’re really big vectors…

                                                                                                                          1. 2

                                                                                                                            Computationally, I don’t think they’re that big. Typical vision models have matrix multiplications that are quite small (on the order of 1000x1000 matrices for the huge ones) relative to the problems solved for computational chemistry (a couple of orders of magnitude bigger).

                                                                                                                            1. 2

                                                                                                                              I’m doing it by hand, and I’m not good at math.

                                                                                                                              1. 1

                                                                                                                                I guess that’s why you are procrastinating on Lobste.rs then?

                                                                                                                          1. 6

                                                                                                                            I agree with the author that many of the software abstractions all common operating systems use are decades-old relics of a time when designers made decision based around hardware constraints that are for the most part no longer relevant, and it would be good to re-think the relevance of some of these abstractions.

                                                                                                                            The devil’s in the details though. What specific abstraction should replace plain text? If I call my plaintext file “config.json” or and check that it is valid JSON, does that effectively solve the problem I wanted to solve by making another abstraction ubiquitous (is parsing text really all that hard on modern hardware?)

                                                                                                                            Are the specific terse conventions of UNIX shell commands (ls, cp, etc.) so bad that it’s worth the transition cost? After all, nothing is stopping anyone from writing their own shell where you type whatever you want to do those things, that really is just a product of human inertia - just like the English spelling system, one might point out.

                                                                                                                            Is “But the division of work into processes seems very coarse-grained; one widely replicated practice is having each end-user application, on average, correspond to a process” still true anymore, even on desktop computers? Of course the UNIX process abstraction still exists, but plenty of software makes use of multiple threads of execution (IIRC the basic unit of a thread of execution in Linux is the task, which can be configured share arbitrary resources with other tasks, and if you have one or more tasks that happen to share a memory address space you call that a process). And this is ignoring fairly-common computing environments like, say, offloading computation to GPUs to play a video game or do some hardcore math.

                                                                                                                            I don’t want to seem overly critical here. I don’t think that the Linux process abstraction is necessarily the best possible abstraction for running a computer program. Maybe there’s a better abstraction out there that would make multithreading and talking to the GPU much easier, and computing as a whole is losing out because most mainstream software developers have to shoehorn these tasks into an inferior abstraction. But this is below the level of abstraction that I personally normally work in as a programmer, so it’s hard for me to judge whether or not this is actually true without a counterexample of a potentially-better abstraction, which the author doesn’t provide.

                                                                                                                            The Urbit project also seems relevant to this discussion. They are trying to build a clean-slate computing environment (right now implemented as an ordinary UNIX process however) that has fundamentally different abstractions from UNIX, created for the purpose of making it easy for people to host personal servers. It uses a custom functional programming language (interpreted by a very minimalist interpreter running on actual hardware) as the OS implementation language/application software language, rather than C; it builds a network namespace into the design of the system at a much more fundamental level than any kind of UNIX networking, and has a model of running programs that addresses a lot of the points made in section 5 of this article.

                                                                                                                            1. 1

                                                                                                                              Urbit is interesting in many of it’s choices. But it is also a long way from stable and polished. I say this as someone who has spent a lot of time getting to understand it and also possesses a galaxy on the network.

                                                                                                                              It will be interesting to see if they can stabilize it and make it more ergonomic.

                                                                                                                              1. 1

                                                                                                                                Urbit is interesting in many of it’s choices. But it is also a long way from stable and polished. I say this as someone who has spent a lot of time getting to understand it and also possesses a galaxy on the network.

                                                                                                                                Oh, absolutely, it’s still very much unstable software. I bring it up because it’s an example of a recent OS that actually is substantially different from UNIX/Windows and uses different abstractions and conceptual metaphors for its computing, that you can use (to some limited extent) right now today.