Foo_ (foo.delete@this.nomail.com) on July 10, 2021 6:56 am wrote:
> cqwrteur (euloanty.delete@this.live.com) on July 9, 2021 9:56 pm wrote:
> > I just read the upcoming Rust code for Linux Kernel from Github. Maybe I am stupid.
>
> 1) Why do you posts specific complaints about the Linux source code on RWT? If I'm
> the maintainer of an open source project and some opaque nickname posts complaints
> + a personal attack on an unrelated Web forum, I'm unlikely to be very receptive.
>
> 2) If you are looking for insight, did you try asking the authors of the code?
> Or the maintainers who approved it? Or simply posting on a relevant message board
> or mailing-list, so that the experts can read and answer your questions?
>
> 3) I'm not a Rust expert (however I know quite a bit of C and C++), but arguing that Rust isn't
> useful because some functions are marked "unsafe" sounds nevertheless ridiculous. Much C and
> C++ code is inherentely "unsafe", even if the word appears nowhere in the code. The fact that
> Rust makes you mark which precise operations are unsafe is already a step forward for maintainability.
> Also, it is an incentive to gradually reduce the amount of unsafe operations.
>
> Note that secluding "unsafe" code in small dedicated regions of code is also good practice in C++, for example,
> but the language doesn't really push you do that, unlike Rust (for example, your dedicated allocator may be
> "unsafe" but using it in shared_ptr and friends will still benefit from the usual "safety" properties).
>

1. Well. This is clearly not "some". It is basically ALL functions are unsafe. The argument unsafe is only used for exceptional circumanstances is just like the argument "C++ exceptions should only be used in exceptional circumanstances." They are completely wrong in real world.

2. I seriously doubt that you truly need Rc, Arc (shared_ptr) or his friends in kernel. It does not look like a good code smell for me either.

3. unsafe keyword has a side effect is that it might make attacker's life easier too since attacker can go and grep unsafe and attack it.

> > Some Rust people like Alex Gaynor who actively push Rust into kernel
> > look crazy for me.
>
> And you look like someone who insults the person they disagree with.
>
> > Maybe Linus Torvalds also agrees using C and C++ violates human rights like those Rust people believe?
>
> That's not what the excerpt you posted *precisely* says...
>
> If you want to dispute the fact that some vulnerabilities can have dire consequences
> (such as risking people's lives, in some situations), feel free to do so.
>
> And, yes, you may point out that not all vulnerabilities would be avoided by using Rust, and that would be a
> good point in its own right; but that does not look like a sufficient reason to avoid making things better.
>

I do not believe Rust code like "Rust-for-linux" truly make any code safer. In fact, a lot of Rust evanglists just made big promises like Rust has no memory-safety issues or using C and C++ violates human rights.

Can you show me an example using C or C++ kills people in real world? I never heard a single example people were killed by using C or C++. The safety in programming world has nothing to do with safety in real world.

https://songlh.github.io/paper/rust-study.pdf

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=rust

The cve numbers in rust std and crates (no including redox os, firefox etc, i can show them too) are a lot.
Rust std in one year has 8 memory safety cves than all C++ standard library in entire lifespan

The worst part like some cves like CVE-2021-31162 has CVSS 9.8 score (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31162) which is worse than Eternal Blue.


You said i should try to contact people who wrote those code. However those people who push Rust very hardly like Alex Gaynor are people who believe you must RIIR or using C or C++ violates human rights. Clearly talking to them won't solve anything since they just want the Linux to be completely rewritten in Rust, no matter the code quality is.


Maybe Rust in general can truly bring safety, but the code in "Rust-for-linux" repository just does not.