Subj : Re: US White House urges devs to dump C and C++
To   : Nightfox
From : tenser
Date : Fri Mar 01 2024 08:13 am

On 29 Feb 2024 at 09:31a, Nightfox pondered and said...

Ni> Re: US White House urges devs to dump C and C++
Ni> By: Digital Man to Nightfox on Wed Feb 28 2024 09:50 pm
Ni>
Ni> DM> I don't doubt it. Managed languages have been big in security and
Ni> DM> enterprise app development, anywhere performance or hardware-access i
Ni> DM> the paramount priority, for a long time now. It's not to say that you
Ni> DM> can't have vulnerabilities in managed software (they happen all the ti
Ni> DM> they're just a different class of vulnerabilities that are generally
Ni> DM> easier to find and defend against or fix than the memory issues that
Ni> DM> plague C and C++ code bases.
Ni>
Ni> DM> It's honestly not bad advice for most projects (e.g. I don't think Ap
Ni> DM> accepts apps written in C or C++ in its app store). But keep in mind,
Ni> DM> supports writing memory-unsafe code too. Its default mode is memory-
Ni> DM> but it's still subvertable. So Rust might not be the cure-all they th
Ni> DM> it is.
Ni>
Ni> I've sometimes thought it shouldn't be much of an issue if you're always
Ni> careful about how you write code.

The thing is, the last 50 years have shown us that this doesn't hold.
I've seen the best and brightest programmers, top researchers and
people out of the best academic programs in the world, who regularly
write C code that is broken in some fashion or another.

Ni> There's that adage "the poor craftsman
Ni> blames his tools"..

True, but only because the good craftsman curates, maintains, and
carefully chooses his tools for the job at hand. A skilled woodworker
does not use a hammer where a saw is required, and he keeps his saw
sharp and free of rust because it is safer and he knows he'll do a
better job.

Knowing what tool to use, and choosing from the best of tools, is
what separates the good craftsman from the poor.

Ni> One thing I like about C and C++ is they don't do
Ni> much to limit you, but I suppose that can be a blessing and a curse.
Ni> And human error is always a factor, so I suppose it's good when the
Ni> programming language can help you avoid introducing bugs and
Ni> vulnerabilities.

Indeed. Many of the arguments I'm seeing now seem reminiscent of
the arguments that were made when people stopped writing applications
in assembly and moved to high (or higher) level programming languages.

--- Mystic BBS v1.12 A48 (Linux/64)
 * Origin: Agency BBS | Dunedin, New Zealand | agency.bbs.nz (21:1/101)