the problem with assertions about whether or not "C is secure" absent a language-level feature discussion is that it's unfalsifiable. if i point to buggy C code, you can say it's just written poorly; if i point to code in an alternative language, you can just assert without evidence that it has hidden bugs.
@morgan no, the Drew DeVault post I recently commented on here. I'm unaware of the Apache statement.
@tindall It would be great to have something like the obfuscated C contest but for non-C languages. That could yield some nice examples of obscure bugs.
@tindall I just realized that I keep confusing the obfuscated C contest with the underhanded C contest.
Anyway, either variant would be great to see for other languages. I always enjoy reading entries from the C versions.
@tindall yeah. i'll admit to some nervousness about some emerging dogmas adjacent to the ones devault complains about (i frequently have variations on that "you're not wrong, walter, you're just an asshole" feeling about devault), but every conversation that seems like it boils down to "C is fine, just be daniel j. bernstein" is extremely frustrating.
like, yes, we should maintain things, but if c were actually fine, we wouldn't be here.
Also, “secure” is meaningless in this context. If it is possible to load the program into computer memory in any form, it is not secure.
The only secure programs have been etched onto granite slabs and dropped into the deepest part of the ocean.
@tindall honestly i think instead of "language X is not secure" it should be "does language X help the programmer write secure code and push her in such a direction?"