DaemonForums  

Go Back   DaemonForums > DaemonForums.org > News

News News regarding BSD and related.

Reply
 
Thread Tools Display Modes
  #1   (View Single Post)  
Old 29th February 2024
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,133
Default White House urges developers to dump C and C++

From https://www.infoworld.com/article/37...p-c-and-c.html:
Quote:
Biden administration calls for developers to embrace memory-safe programing languages and move away from those that cause buffer overflows and other memory access vulnerabilities.

The White House Office of the National Cyber Director (ONCD), in a report released Monday, called on developers to reduce the risk of cyberattacks by using programming languages that don’t have memory safety vulnerabilities. Technology companies “can prevent entire classes of vulnerabilities from entering the digital ecosystem” by adopting memory-safe programming languages, the White House said in a news release.

Memory-safe programming languages are protected from software bugs and vulnerabilities related to memory access, including buffer overflows, out-of-bounds reads, and memory leaks. Recent studies from Microsoft and Google have found that about 70 percent of all security vulnerabilities are caused by memory safety issues.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #2   (View Single Post)  
Old 1st March 2024
Eric Eric is offline
User
 
Join Date: Sep 2008
Posts: 10
Default

I think it would be more productive to hold corporations accountable for garbage software. I doubt many developers have a choice in the languages they are using at work.
Reply With Quote
  #3   (View Single Post)  
Old 1st March 2024
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,133
Default

https://hackaday.com/2024/02/29/the-...y-red-herring/ is very critical about the White House report. Worth a read!
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote
  #4   (View Single Post)  
Old 1st March 2024
blackhole's Avatar
blackhole blackhole is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 323
Default

Seems like corporate lobbying for Rust - which is backed by "Big Tech". Yet more typical "security theatre" from the likes of Google and MS.
Reply With Quote
  #5   (View Single Post)  
Old 2nd March 2024
jmccue jmccue is offline
Real Name: John McCue
Package Pilot
 
Join Date: Aug 2012
Location: here
Posts: 172
Default

@blackhole That is my take too. Rust is still in flux and there are many architectures where it does not exist and maybe will never exist.

Quote:
Nevertheless, C retains the basic philosophy that programmers know what they are doing; it only requires that they state their intentions explicitly.
From "The C Programming Language Quotes by Brian W. Kernighan".

If programmers were given time to test and develop, many issues would not exist. Anyone who has ever worked for a large knows the pressure that exists to get things done quickly instead of right. So all these issues I blame on management.

How many times have we heard "ship it now, you can fix later" and "later" never comes.

Rust will never fix policy issues, just newer and maybe worst issues will happen.
__________________
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars (tvtropes.org)
Reply With Quote
  #6   (View Single Post)  
Old 4th March 2024
blackhole's Avatar
blackhole blackhole is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 323
Default

It's a dangerous situation, but most software devs will willingly sleepwalk right into it.

MS tried to do this kind of thing in the past, e.g. with .NET / mono, and this is a similar strategy with an added "leave security to us" selling point. We're seeing a lot of this security mantra lately. It's mostly a sales pitch.

You're right in that it's a corporate culture thing - it's assumed that "memory safe" languagee will replace code audits and speed up development, reducing costs, but also lock developers into a corporate controlled platform.
Reply With Quote
  #7   (View Single Post)  
Old 4th March 2024
shep shep is offline
Real Name: Scott
Arp Constable
 
Join Date: May 2008
Location: Dry and Dusty
Posts: 1,508
Default

1+ for calling out Corporate culture and greed. Instead of being a fraud target based on crappy coding, in a 737 Max, you're just dead.
Reply With Quote
  #8   (View Single Post)  
Old 9th March 2024
e1-531g e1-531g is offline
ISO Quartermaster
 
Join Date: Mar 2014
Posts: 629
Default

Last time I checked Rust was open-source. It was also quite independent from GAFAM.
Google probably would like more devs use Dart & Flutter if it was about platform control.

@jmccue even with that software would be created according to some assumptions about usage. And then some person/company will think outside of the box and use that software component for different purpose than originally intended with success, but also uncover some bugs that according to original author are not bugs at all
__________________
Signature: Furthermore, I consider that systemd must be destroyed.
Based on Latin oratorical phrase
Reply With Quote
  #9   (View Single Post)  
Old 11th March 2024
blackhole's Avatar
blackhole blackhole is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 323
Default

Rust may be "open source", but as with projects like systemd, wayland and the Linux kernel, for example, it's controlled and bankrolled by "Big Tech".

https://foundation.rust-lang.org/members/

This has been the case since 2021.

Then there is the trademark - and there was the whole trademark policy revision dispute last year, threats of a fork, etc...

Have a look through this obnoxious diatribe: https://docs.google.com/document/d/1...0mWSOAuok/edit

Last edited by blackhole; 11th March 2024 at 03:16 PM.
Reply With Quote
Old 13th March 2024
jmccue jmccue is offline
Real Name: John McCue
Package Pilot
 
Join Date: Aug 2012
Location: here
Posts: 172
Default

Quote:
Originally Posted by blackhole View Post
Rust may be "open source", but as with projects like systemd, wayland and the Linux kernel, for example, it's controlled and bankrolled by "Big Tech".

https://foundation.rust-lang.org/members/
Thinks like this only make me happier the *BSDs exist. But as many for is know, up-streams, mozilla, freedesktop, ... seem to be chasing big corp. dollars. I would not be surprised in a decade or so, that will eventually cause the BSDs a lot of hurt
__________________
[t]csh(1) - "An elegant shell, for a more... civilized age."
- Paraphrasing Star Wars (tvtropes.org)
Reply With Quote
Old 14th March 2024
blackhole's Avatar
blackhole blackhole is offline
Spam Deminer
 
Join Date: Mar 2014
Posts: 323
Default

One could write a novel about the situation with Mozilla, so I won't get into that here - as many are aware, google has funded their browser project for over a decade - and ensured that chrome almost wiped it out of existence. In that time, Mozilla have spent a fortune paying the CEO and on activism and side projects, while laying off developers.

Rust is also hosted on github - a Microsoft platform, along with many other OSS projects such as systemd (a projected headed by a Microsoft employee).

Servo was cancelled, developers laid off and rust transferred to the "Big Tech" cartel and now Mozilla are talking about "AI"...

In my view a free alternative to the chrome monoculture was sabotaged from the inside and that's why Firefox is still using the gecko engine - and no threat whatsoever to chromium. If we fast forward, the end result is fairly predictable - now that Mozilla have handed their "memory safe" language over to that aforementioned group, abandoned their next generation browser and publicly stated that Firefox is no longer the focus - in time, Firefox will be either be rebased on the chromium project or abandoned (much the same end result). A rebase on chromium would be the best outcome for google as complete abandonment could lead to a fork - and that could still happen regardless. But a chromium that uses the logo, name and trademark would still dupe the majority of casual (mainly) windows users - and mobile users probably wouldn't notice the difference - so any fork would be far less potent and mostly a niche thing. Opera did this years ago, even Micrososft did the same... but for Firefox it would be a disaster.

Freedesktop.org hosts all of the "business friendly" OSS projects such as systemd, wayland, etc and is part of the X.org Foundation which is in turn funded by by "umbrella organisation" SPI, the same as that which manages funding/legal for the Debian Project.

SPI's organisation is difficult to understand. But the basics of it are that it handles all the funding/legal - and if one project gets donations, it goes into a "pool" and then that funding is distributed among the member projects - usually.

Debian in particular got a lot of money from Microsoft from it's debconf events, over the last several years, where Microsoft was a "platinum" donor. This is all related to Microsoft's interests (e.g. Azure and WSL2) and not in the interests of Debian users, or "free software" users and developers in general.

If you examine any given SPI financial statement you can see the funds for the individual projects, such as systemd, postresql, x.org, etc, but it's hard to "follow the money" and see precisely where that money is coming from.

The problem with corporate backing is that once these projects take the money, they're trapped. The money and the paid developers can be withdrawn (or the withdrawal threatened). We're already in the situation (for well over a decade) where corporate backed "open source" projects thrive and dominate, while volunteer based projects die from lack of developer time and donations. In fact the corporate mouthpieces spend significant time and money "talking down" FOSS alternatives, while talking up their own/preferred "open source" projects/products. This has made the "death" of some tried, test and proven software to be a self fulfilling prophecy. The corporates and their stooges put every ounce of weight behind dismissing and pulling apart some tried and tested solution in order to force in their own software, which has been developed entirely from a business perspective and not according to any solid design principles.

Last edited by blackhole; 14th March 2024 at 02:21 PM. Reason: typos
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Other Cloudflare Ditches Nginx For In-House, Rust-Written Pingora J65nko News 0 16th September 2022 10:46 PM
Open source body quits GitHub, urges you to do the same J65nko News 3 2nd July 2022 06:05 PM
FreeBSD in Macbook 3.1 Santarosa White DwBSD FreeBSD General 4 14th August 2012 03:44 PM
Drupal clarifies security rules after White-House gaper J65nko News 0 11th June 2010 05:51 AM
Free Software Foundation urges Google to open On2 codec J65nko News 0 22nd February 2010 06:28 AM


All times are GMT. The time now is 01:34 PM.


Powered by vBulletin® Version 3.8.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
Content copyright © 2007-2010, the authors
Daemon image copyright ©1988, Marshall Kirk McKusick