the problem with assertions about whether or not "C is secure" absent a language-level feature discussion is that it's unfalsifiable. if i point to buggy C code, you can say it's just written poorly; if i point to code in an alternative language, you can just assert without evidence that it has hidden bugs.

@tindall is this statement in relation to the Apache discussion related to Rust?

@morgan no, the Drew DeVault post I recently commented on here. I'm unaware of the Apache statement.

@tindall oh my bad, I blocked the guy so I didn't see it.

@morgan @tindall same here, highly recommend others do the same. not worth the headache.

@tindall It would be great to have something like the obfuscated C contest but for non-C languages. That could yield some nice examples of obscure bugs.

@tindall I just realized that I keep confusing the obfuscated C contest with the underhanded C contest :flan_confused:

Anyway, either variant would be great to see for other languages. I always enjoy reading entries from the C versions.

@stsp @tindall there was an Underhanded Rust a few years ago, very cool stuff.

@federicomena @stsp @tindall there used to be an obfuscated perl contest with some truly impressive results, and then there's perl golf...

@tindall yeah. i'll admit to some nervousness about some emerging dogmas adjacent to the ones devault complains about (i frequently have variations on that "you're not wrong, walter, you're just an asshole" feeling about devault), but every conversation that seems like it boils down to "C is fine, just be daniel j. bernstein" is extremely frustrating.

like, yes, we should maintain things, but if c were actually fine, we wouldn't be here.

@brennen @tindall yeah I have no intention of learning rust but I would be much happier if a smaller percent of the programs I use every day were based on technology that hasn't moved forwards since the 1970s

("here" being where i can think of 3 new glaring vulnerabilities for things i have to care about which are written in c in the last, what, week or something?)


Also, “secure” is meaningless in this context. If it is possible to load the program into computer memory in any form, it is not secure.

The only secure programs have been etched onto granite slabs and dropped into the deepest part of the ocean.

@tindall honestly i think instead of "language X is not secure" it should be "does language X help the programmer write secure code and push her in such a direction?"
