Mozilla, where Rust was originally conceived, have already talked about this risk factor ages ago when they were still working on Servo. Reimplementing battle-tested software in a different language can result in logic bugs being introduced, which no programming language can really prevent. Many times they will actually reintroduce bugs that have already been historically fixed in the original implementation. This doesn’t invalidate the benefits of moving to a very memory safe language, it just needs to be taken into consideration when determining whether it’s worth the risk or the effort.
Honestly I have no idea whether sudo-rs is a good idea or not, but I have my doubts that any of the other people (especially the very vocal kind) chiming in on this do. Any time Rust is involved in the Linux community, a lot of vocal critics with very little knowledge of the language or programming in general seem to appear.
The counterpoint is that, especially with FOSS that does not receive much (if any) corporate backing, developer retention and interest is an important factor.
If I’m donating some of my free time to a FOSS project I’d rather not slug through awful build systems, arcane mailing lists, and memory unsafe languages which may or may not use halfway decent - often homebrew - manual memory management patterns. If the project is written in Rust, it’s a pretty clear indicator that the code will be easily readable, compilable, and safer to modify.
I do think there are long-term benefits in many cases, it just depends on available resources. There are plenty of projects that desperately need a rewrite for maintenance reasons alone so you might as well examine if language switch is worth it. It’s not like there aren’t a lot of success stories, even if there’s projects like sudo-rs where we’re, at best, not sure if there’s tangible benefits.
It’s a generally applicable lesson in why it’s NOT a good idea to change things for the sake of it though (chesterton’s fence, but where most of the actual bits of fence are invisible).
I think a key difference is that firefox is a eternally evolving codebase that has to do new stuff frequently. It may have been painful but it’s worth it to bite the bullet for the sake of the large volume of ongoing changes.
For sudo/coreutils, I feel like those projects are more ‘settled’ and unlikely to need a lot of ongoing work, so the risk/benefit analysis cuts a different way.
Contrary to popular belief, it is possible to write software in C that is very secure. It takes thought but C has the edge with its small footprint and system integration
Contrary to popular belief, it is possible to write software in assembly that is very readable. It takes thought but assembly has the edge with its miniscule footprint and zero-dependency runtime.
The problem with assembly is that it is almost impossible to optimize it as a human. Way back in the day instruction sets were written for humans but these days it is highly unlikely that you will be able to write assembly that can outperform a compiler. The reason primary has to do with pipelining and caching since modern CPUs are extremely complex.
That’s btw. also a good argument for Rust. Due to the strictness of the language the compiler os able to do optimizations that just aren’t possible (safely) in C or C++
Yea I mean it’s possible, but the sooner you bite the bullet and use a more modern language, the sooner you’ll get back to the same level of maturity and start having productivity dividends being paid out thanks to things like being able to get your compiler to prevent use after free bugs and the like.
Not sure how much sudo specifically needs this, maybe new commits are rare. As long as it stays out of LTS for the time being I’m all for it though.
Also not quite sure what you mean by “footprint”
Are you talking about the binary size or the fact that C has a tiny and straightforward language spec?
At this point I think the “thoughtful” C programmer is a myth and I don’t mean this as an insult. Even the most careful and experienced C gurus still make mistakes that would be much harder to make, if not categorically prevented in something like Rust. A lot of very secure C software is small in footprint, has had stable requirements for years, experienced thousands of hours of real world testing by users and the scrutiny of security experts. What I’m saying is: it should be easier to write secure software, especially with complex requirements or large attack surfaces.
I disagree that C has a notably smaller footprint than Rust for most purposes and system integration is in some cases harder in Rust precisely because of the notorious upfront implementation cost that prevents a lot of potential bugs.
Mozilla, where Rust was originally conceived, have already talked about this risk factor ages ago when they were still working on Servo. Reimplementing battle-tested software in a different language can result in logic bugs being introduced, which no programming language can really prevent. Many times they will actually reintroduce bugs that have already been historically fixed in the original implementation. This doesn’t invalidate the benefits of moving to a very memory safe language, it just needs to be taken into consideration when determining whether it’s worth the risk or the effort.
Honestly I have no idea whether sudo-rs is a good idea or not, but I have my doubts that any of the other people (especially the very vocal kind) chiming in on this do. Any time Rust is involved in the Linux community, a lot of vocal critics with very little knowledge of the language or programming in general seem to appear.
This is why its generally better to only write new code in more memory safe langs instead of rewriting everything
The counterpoint is that, especially with FOSS that does not receive much (if any) corporate backing, developer retention and interest is an important factor.
If I’m donating some of my free time to a FOSS project I’d rather not slug through awful build systems, arcane mailing lists, and memory unsafe languages which may or may not use halfway decent - often homebrew - manual memory management patterns. If the project is written in Rust, it’s a pretty clear indicator that the code will be easily readable, compilable, and safer to modify.
I do think there are long-term benefits in many cases, it just depends on available resources. There are plenty of projects that desperately need a rewrite for maintenance reasons alone so you might as well examine if language switch is worth it. It’s not like there aren’t a lot of success stories, even if there’s projects like sudo-rs where we’re, at best, not sure if there’s tangible benefits.
It’s a generally applicable lesson in why it’s NOT a good idea to change things for the sake of it though (chesterton’s fence, but where most of the actual bits of fence are invisible).
I think a key difference is that firefox is a eternally evolving codebase that has to do new stuff frequently. It may have been painful but it’s worth it to bite the bullet for the sake of the large volume of ongoing changes.
For sudo/coreutils, I feel like those projects are more ‘settled’ and unlikely to need a lot of ongoing work, so the risk/benefit analysis cuts a different way.
Contrary to popular belief, it is possible to write software in C that is very secure. It takes thought but C has the edge with its small footprint and system integration
Contrary to popular belief, it is possible to write software in assembly that is very readable. It takes thought but assembly has the edge with its miniscule footprint and zero-dependency runtime.
I wouldn’t go that far
The problem with assembly is that it is almost impossible to optimize it as a human. Way back in the day instruction sets were written for humans but these days it is highly unlikely that you will be able to write assembly that can outperform a compiler. The reason primary has to do with pipelining and caching since modern CPUs are extremely complex.
That’s btw. also a good argument for Rust. Due to the strictness of the language the compiler os able to do optimizations that just aren’t possible (safely) in C or C++
https://esolangs.org/wiki/Brainfuck
Yea I mean it’s possible, but the sooner you bite the bullet and use a more modern language, the sooner you’ll get back to the same level of maturity and start having productivity dividends being paid out thanks to things like being able to get your compiler to prevent use after free bugs and the like.
Not sure how much sudo specifically needs this, maybe new commits are rare. As long as it stays out of LTS for the time being I’m all for it though.
Also not quite sure what you mean by “footprint”
Are you talking about the binary size or the fact that C has a tiny and straightforward language spec?
At this point I think the “thoughtful” C programmer is a myth and I don’t mean this as an insult. Even the most careful and experienced C gurus still make mistakes that would be much harder to make, if not categorically prevented in something like Rust. A lot of very secure C software is small in footprint, has had stable requirements for years, experienced thousands of hours of real world testing by users and the scrutiny of security experts. What I’m saying is: it should be easier to write secure software, especially with complex requirements or large attack surfaces.
I disagree that C has a notably smaller footprint than Rust for most purposes and system integration is in some cases harder in Rust precisely because of the notorious upfront implementation cost that prevents a lot of potential bugs.