by blub 3686 days ago
This is so funny. Yesterday there was another discussion on how C needs to be replaced due to security/correctness concerns (the K&R topic), today people are fascinated by a UI(!!!) library built in it.

And they actually consider using this library.

2 comments

C is simply the Correct Tool For the Job when writing cross-platform (native) UIs. It's simple, it's callable from almost any other language, and all OS GUI APIs are already in C.

There has been a lot of negativity/arguments against C here lately, which in my opinion has been very exaggerated.

Seriously, how often do you guys write GUI apps that _also need to be secure_? An application isn't secure just because you write it in another language, there's a lot more work to it. If there is even such a thing as secure.

Any app I write needs to be secure as much as reasonably possible.

If you communicate over a network with not fully trusted remote endpoints, and handle text, you have a fair chance of remote code execution in C. A git front end. A text editor. Anything written in C has a fair chance of making a mistake.

Your very basic attitude is an example of the problem the industry is having!

We will always make mistakes, no matter how hard we try, but not caring for such an important topic from the start is not simply a mistake, but an outright sin!

Security and robustness are some examples of things that are way too hard to add to software when not taken into account upfront at design time!

C is not the right tool for these tasks.

I'm not really sure I agree with communicating over the network in your GUI anyway. A git frontend shouldn't handle the connections, this is what libgit is for. Which would probably use curl or similar internally. Both of those are written in C, and are also reasonably secure as far as I know.

I stand by my point. Simply "not using C" isn't magically going to make your application so much more secure.

Ok, so that example maybe was not perfect. So what? Many apps nowadays talk with remote APIs. Imagine a Twitter client, a SCADA app, pretty much anything nowadays, instead of nitpicking. Btw, when you use libraries written in C, that's very much the same as communicating over the network from your app. Same process, same address space.

Also note: local files may also be rigged... Other languages protect against whole classes of vulnerabilities with negligible costs.

About the reasonable security: http://www.tripwire.com/state-of-security/latest-security-ne...

https://curl.haxx.se/docs/vulnerabilities.html (Kudos to the curl authors for this nice overview!)

1) The rules for hardening 'C' based applications aren't exactly obscure nor are they new.

2) Some things very much need to never be on a wider network with untrusted nodes. This is easier than it sounds...

They are not new, I agree, I have been writing such programs for a few years. Looking back to those times makes me say that C should be avoided for such tasks.
Security should be evaluated based on requirements and usage. It makes no sense to say that UI (or any kind of) apps don't need to be secure, since a lot of them have high security requirements and ALL of them should at least have basic safety in place.
My feelings exactly. (thus my question above)