https://kotlinlang.org logo
#random
Title
# random
s

Stefan Oltmann

02/28/2024, 4:35 PM
First I was thinking this is a prank / fake news, because I never heard of governments telling developers what to do, but the linked PDF is hosted on whitehouse.gov, so it’s real 👀 Thanks for sharing. Let’s see what my colleagues working on older C++ products think of this. 😬
i

itnoles

02/28/2024, 4:39 PM
"Recent studies from Microsoft and Google have found that about 70 percent of all security vulnerabilities are caused by memory safety issues."
s

Stefan Oltmann

02/28/2024, 4:40 PM
And I have no problem to believe that.
e

eygraber

02/28/2024, 4:46 PM
The problem is that memory safety issues are a known issue. I'm sure newer languages (Rust, etc...) will develop their own set of issues that are currently unknown. And then the cycle continues...
2
s

Stefan Oltmann

02/28/2024, 4:49 PM
The famous talks of Robert C. Martin about Clean Code always started with words about how we as developers need to craft better software or else governments will step in and regulate our space (like they do with banking, stocks, etc.). As I never saw governments doing such a thing before this feels big to me. Now they „urge“. The next step is to prohibit. 👀
i

itnoles

02/28/2024, 4:52 PM
Microsoft would have to break their "backward compatibility" promise if they tried to convert Windows OS into Rust.
s

Stefan Oltmann

02/28/2024, 4:53 PM
Microsoft becomes more and more Apple anyways 🤷‍♂️
👆 1
I think of this:

https://youtu.be/2dKZ-dWaCiU?si=ehzvh3aGfa9Sx3Je&t=650

(at 10:50) I becomes a reality.
„They will tell us what languages we have to use.“ 😄
i

itnoles

02/28/2024, 5:11 PM
Some developers are like "Sorry, my hand-tied with the project manager decisions"
s

Stefan Oltmann

02/28/2024, 5:13 PM
Robert’s talk is quite funny. „Why did you let happen the death of 10000 people?“ - „My boss told me it had to be done on Tuesday.“ 😂 This line always gets me. He has a point. I’m a big fan of clean architecture and clean code.
i

itnoles

02/28/2024, 5:13 PM

https://www.youtube.com/watch?v=Vhh_GeBPOhs

lol
s

Stefan Oltmann

02/28/2024, 5:17 PM
Steve Ballmer, the monkey boy 🦧
As Robert C. Martin correctly said it was just a matter of time before our space will be regulated.
i

itnoles

02/28/2024, 5:22 PM
by that time, they would join union
s

Stefan Oltmann

02/28/2024, 5:22 PM
?
i

itnoles

02/28/2024, 5:23 PM
Software Developer didn't have own union
s

Stefan Oltmann

02/28/2024, 5:24 PM
What Union? What is that? I think you lost me there.
i

itnoles

02/28/2024, 5:26 PM
if they tried to regulate developers, more would quit without proper benefits
s

Stefan Oltmann

02/28/2024, 5:30 PM
What benefits? I can’t follow you. You see that they now start to regulate… the White House is urging developers do drop C and C++ with the next likely step of prohibiting it. One day you can’t write software for controlling banking, cars or aircraft’s in C, because it will be illegal. What Robert said 2019 slowly starts to become real. Listen to the talk I linked above.
The intro goes from minute 3 to 20.
s

Shawn

02/28/2024, 5:43 PM
🙄 both NIST and the DoD have been making similar recommendations for a while now, please reevaluate what "regulation" really means. https://www.nist.gov/itl/ssd/software-quality-group/safer-languages https://media.defense.gov/2023/Dec/06/2003352724/-1/-1/0/THE-CASE-FOR-MEMORY-SAFE-ROADMAPS-TLP-CLEAR.PDF
👎 1
and it's not even just an American thing, I know the Bundestag is investing in similar research and development https://www.sovereigntechfund.de/mission
s

Stefan Oltmann

02/28/2024, 5:50 PM
🙄 both NIST and the DoD have been making similar recommendations for a while now, please reevaluate what "regulation" really means.
I understand that we are now in the recommendation phase. As I said this is one step before a regulation. Regulation of course means actual laws.
Yes, in Germany we have the BSI (Bundesamt für Sicherheit in der Informationstechnik) that issues all kinds of recommendations. I think there are some laws too about how strong encryption has to be and what algorithms to use. But nothing like a „Don’t use this language“. This has a new quality.
I'm sure newer languages (Rust, etc...) will develop their own set of issues that are currently unknown. And then the cycle continues...
Indeed. There may be some cycles. But maybe it’s necessary. The government will step in and regulate at the point where people’s lifes or funds are endangered. And as citizens we expect it to - for our protection. So the topic of the article is about cybersecurity.
e

eygraber

02/28/2024, 6:16 PM
No one can say for sure what the future holds, but I highly doubt the US government would ever regulate what programming languages could be used across the board. Maybe I could see them doing that within governmental agencies, but even that is a stretch, because they only can mandate that for federal agencies, and there isn't enough understanding about the issue at the higher levels that would cause this to get mandated. And let's be honest. If something like this was ever imposed on the industry at large in the US, there would be lawsuits bogging it down in court instantly, and for a long time 😅
👆 1
It's also a very nuanced problem. For example the issue isn't with the language itself; it's with the code written in the language. It's possible (and not entirely difficult) to write excellent and safe code using C. Contrast that with something like encryption where you're either providing a sufficient level of protection or you're not.
verified 2
s

Stefan Oltmann

02/28/2024, 6:52 PM
Yes, but’s a language allowing to make some kind of errors that are impossible to make in other languages. That’s why they „urge“.
They also regulated other industries like aircrafts, so I think it’s entirely possible that we will see regulations.
e

eygraber

02/28/2024, 6:57 PM
There's no such thing as a language where it's impossible to make dangerous errors. Like I said above using Rust as an example, we might not even know what those are yet, which I think is more dangerous than a known issue.
s

Stefan Oltmann

02/28/2024, 7:00 PM
Yes, there may be not. But honestly, we all know that C code is prone to such security problems. I‘m on Robert C. Martins side. An accident big enough needs to happen and regulations will follow.
As you can’t prohibit bad code or put up a law against writing security issues, all they could do is „tell us which languages to use“ (with the words of Robert C. Martin)
I am curious what follows next. I find it interesting. 👀
I don’t think they will go as far as prohibiting a certain language, but I could see them putting up something like a list of allowed languages/frameworks/libs/etc for certain critical areas like cars, airplanes, banking, stocks and government infrastructure. It’s unlikely that you won’t be allowed to write your consumer multimedia app in C one day. We will see how Rust performs if enough developers follow the government’s recommendation.
k

Klitos Kyriacou

02/29/2024, 11:43 AM
A lot is made of "memory safety" without thinking in detail about what it means, but instead trashing C++ in favour of languages with garbage collection, thinking that that somehow makes applications "memory safe". What does that even mean? Typical problems with memory safety: • Failing to free memory, resulting in memory leaks -> Java and Kotlin are not immune to memory leaks either, due to inadvertently holding on to objects that are no longer needed. • Accessing memory beyond the bounds of an array -> We also have ArrayIndexOutOfBoundsException, so no, there's not much of an advantage here. (Admittedly, throwing AIOOBE is safer than C++'s "undefined behaviour", but only if you do something sensible with the exception.) • Having to manage memory manually -> On the JVM memory is managed by the runtime, but actually, memory is not the only resource. There is no garbage collector for InputStreams, OutputStreams and other Closeables, for example. Yes, we have try-with-resources and .use {}, but so does C++ with its destructors and RAII. In both cases, we programmers have to consiously use them. So calling Java and Kotlin "memory safe" is a bit of a relative term.
👀 1
s

Stefan Oltmann

02/29/2024, 12:14 PM
I guess it's more about possible attack vectors / vulnerabilities like overwriting values from other apps by overflow and such things. Less about memory leaks. The paper seems to have a focus on security, not performance.
i

itnoles

03/05/2024, 2:59 AM
JVM does use C++. Java makes everything as a pointer. All it did was hide it from you.
s

Stefan Oltmann

03/05/2024, 4:42 AM
Indeed. I suspect also other languages to use C++ under the hood. To C# as a former Java clone the same may apply. And the python interpreter may also be implemented in C. I believe their point is not to prohibit everything made with C, but to encourage using higher level languages that make security issues due to errors in memory handling less likely. We all know that this is hard and can easily lead to errors. That’s why GC was invented. Rust may have other issues, but as far as I understand it doesn’t have this. If it turns out that there is a big issue elsewhere whatever comes after Rust will fix it. Ultimately we will have a language without all that big flaws. That’s evolution. Looks like the White House wants to speed up that process a bit.
i

itnoles

03/06/2024, 4:23 PM
According to Google, Clang is going to try the experimental flag for the borrow checker. https://docs.google.com/document/d/e/2PACX-1vSt2VB1zQAJ6JDMaIA9PlmEgBxz2K5Tx6w2JqJNeYCy0gU4aoubdTxlENSKNSrQ2TXqPWcuwtXe6PlO/pub
👍 1
2 Views