Post AafILsnSf7bOxH8Zpg by mmstick@fosstodon.org
Post #AafCBJPEn1oKZWNoYK by soller@fosstodon.org
2023-10-11T14:34:44Z
0 likes, 0 repeats
The point I am trying to make is there are few, perhaps no, programmers who can write C code without regularly creating potential security issues, especially ones involving buffer overflows. Manipulate my point all you want, say I am being too mean, but it remains a fact that a large set of potential vulnerabilities are trivial to create in C and C++ code and very difficult to create in Rust code. This is not just down to programmer skill, no one can learn "safe" C.
Post #AafCBKMREvALX855pQ by matthew@social.retroedge.tech
2023-10-11T14:31:11.613864Z
0 likes, 0 repeats
What do you think about tools to check C code? I understand your preference for #Rust, but there's an enormous amount of code in C that will continue to be in use for some time. If there were good tools to check that code for weaknesses that could then be fixed, that would be a good thing in my opinion... but what's your take on that?
Post #AafIIXd0uTFWQveoJE by jajcus@toot.io
2023-10-11T15:06:09Z
1 likes, 0 repeats
@matthew @soller for static analysis there is clang-analyzer - it can catch some common errors and can be used as a language server for code editors (I use it in neovim). If that is not enough, Valgrind can find other problems in (virtualized) runtime, even when they don't cause the program to crash or leak outside of Valgrind (yet).
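An added example (not code from any poster in this thread) of the kind of bug the two tools treat differently: a length-prefixed field parser whose input bounds check is correct but whose output allocation is one byte short. The write past the heap block usually lands in allocator padding, so the program runs and prints the right answer; whether a static analyser flags it depends on whether it can bound `n` at compile time, while Valgrind's memcheck sees the actual write and reports an invalid write of size 1. The function names, the field format and the sample messages are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Read one field from a message of length-prefixed fields (1-byte
 * length N, then N bytes). Returns a NUL-terminated heap string, or
 * NULL on malformed input; *consumed receives the bytes used.
 *
 * The check on the input is correct: msg is never read past msg_len.
 * The bug is on the output side: malloc(n) leaves no room for the
 * terminator, so out[n] = '\0' writes one byte past the allocation.
 * Allocators round sizes up, so this rarely crashes or changes the
 * output; Valgrind memcheck still reports it as an invalid write. */
char *read_field_unsafe(const uint8_t *msg, size_t msg_len, size_t *consumed) {
    if (msg_len < 1) return NULL;
    size_t n = msg[0];
    if (n > msg_len - 1) return NULL;   /* input bound is fine */
    char *out = malloc(n);              /* BUG: should be n + 1 */
    if (!out) return NULL;
    memcpy(out, msg + 1, n);
    out[n] = '\0';                      /* one-byte heap overflow */
    *consumed = 1 + n;
    return out;
}

/* Fixed version: the allocation accounts for the terminator. */
char *read_field_safe(const uint8_t *msg, size_t msg_len, size_t *consumed) {
    if (msg_len < 1) return NULL;
    size_t n = msg[0];
    if (n > msg_len - 1) return NULL;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    memcpy(out, msg + 1, n);
    out[n] = '\0';
    *consumed = 1 + n;
    return out;
}

/* Walk a whole message with the fixed parser; returns the number of
 * fields, or -1 if a length prefix claims more bytes than remain. */
int count_fields(const uint8_t *msg, size_t msg_len) {
    int count = 0;
    size_t pos = 0;
    while (pos < msg_len) {
        size_t used = 0;
        char *f = read_field_safe(msg + pos, msg_len - pos, &used);
        if (!f) return -1;
        free(f);
        pos += used;
        count++;
    }
    return count;
}

/* Parse the first field with the fixed parser and compare it to
 * expected; returns 1 on match, 0 otherwise. */
int first_field_matches(const uint8_t *msg, size_t msg_len, const char *expected) {
    size_t used = 0;
    char *f = read_field_safe(msg, msg_len, &used);
    if (!f) return 0;
    int ok = strcmp(f, expected) == 0 && used == 1 + strlen(expected);
    free(f);
    return ok;
}

/* Constructed sample inputs: a well-formed two-field message, and a
 * truncated one whose prefix claims 4 bytes but only 2 follow. */
static const uint8_t sample_msg[] = { 5, 'h', 'e', 'l', 'l', 'o', 3, 'a', 'b', 'c' };
static const uint8_t truncated_msg[] = { 4, 'a', 'b' };

int main(void) {
    size_t used = 0;
    /* Looks correct when run normally; run under valgrind to see the
     * invalid write that this call performs. */
    char *f = read_field_unsafe(sample_msg, sizeof sample_msg, &used);
    printf("unsafe parse: %s (%zu bytes consumed)\n", f ? f : "(null)", used);
    free(f);
    printf("fields in sample: %d\n", count_fields(sample_msg, sizeof sample_msg));
    printf("fields in truncated: %d\n", count_fields(truncated_msg, sizeof truncated_msg));
    return 0;
}
```

Assuming the file is saved as `fields.c` (a hypothetical name), `scan-build cc -g fields.c -o fields` runs the clang static analyzer over the build, and `valgrind ./fields` runs the binary under memcheck; the point of the pairing is that a clean static-analysis run is not evidence that the runtime write is in bounds.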
Post #AafILsnSf7bOxH8Zpg by mmstick@fosstodon.org
2023-10-11T14:57:27Z
1 likes, 0 repeats
@matthew @soller They were already using those tools. There's a handful of universities and companies that run their automated vulnerability suites across open source code bases. None of them caught this.
Post #AafIPY9zKZV86sQGxc by misterjoshua@fosstodon.org
2023-10-11T15:17:42Z
1 likes, 0 repeats
@soller the qmail guy used to boast about his memory safety. I wonder if he ever paid out a bounty.
Post #AafSLhqMNwlCWf318K by hunger@linuxrocks.online
2023-10-11T17:37:58Z
1 likes, 0 repeats
@matthew @soller curl uses those, e.g. here: https://scan.coverity.com/projects/curl You cannot see what the reported issues actually are, but somebody does obviously make an effort to fix issues reported by that tool. Those tools catch a lot and are absolutely worthwhile, but it is really hard to make sense of C and (even more so) C++ code. These tools also need a high degree of certainty before they can flag an issue: too many false positives will make devs drop the tool as a waste of time.