by fiedzia 3368 days ago
Note: I am discussing using safe languages in general and reasoning for doing or not doing that. If you believe rewrite requests are unreasonable no matter what, don't bother reading that. Or perhaps consider this to be addressed to people deciding how to choose libraries to depend on, not to specific library authors.

> curl is currently one of the most distributed and most widely used software components in the universe, be it open or proprietary and there are easily way over three billion instances of it running in appliances, servers, computers and devices across the globe. Right now. In your phone. In your car. In your TV. In your computer.

Congratulations. So how many of those have unpatched vulnerabilities right now that were caused by using an unsafe language? In my phone? In my computer? In my car? How many accidents of data or money theft has it caused? Not to mention common non-security related bugs.

> If we then have had 40, 50 or even 60 security problems because of us using C, through-out our 19 years of history, it really isn’t a whole lot given the scale and time we’re talking about here.

Curl had multiple unpatched security problems for several years before they were discovered. As the author admits, it most likely still has many. `dpkg -l | grep '^ii lib'|wc -l` lists over 2000 libraries I have installed, a lot of them written in C. An estimate of 2000 multiplied by 60 is ... scarily too many. A large amount of them are avoidable by using safer languages.

> Using another language would’ve caused at least some problems due to that language

If it solves more problems than it creates, it is worth doing.

> none of the memory safe languages anyone would suggest we should switch to have been around for 19 years.

Neither have mobile phones (at least as we know them), but they are useful, so I am using one.

> We will continue to work hard on minimizing risks, detecting problems early by ourselves and work closely together with everyone who reports suspected problems to us.

I prefer to work smart, not hard.

4 comments

If you believe that you can rewrite any of those libraries or tools in a nice modern language with no security issues and all the portability that they had (including operating systems and embedded systems), please do grace us with your work.

In the meantime, it appears rather difficult to replace the last 40 years of work overnight in a novel, untested language, with support for a tiny fraction of the targets that C has been supporting all that time, while maintaining reasonable performance.

Or in short: It's easy to work smart when you're not working hard in your arm chair.

> If you believe that you can rewrite any of those libraries or tools in a nice modern language with no security issues and all the portability that they had (including operating systems and embedded systems), please do grace us with your work.

I can point you to numerous examples of people writing and rewriting software; there is no reason for it to be my work to prove it's doable and often worth the effort. And all languages that generate C code are as portable as C is. I can also point you to countless examples where people replaced their dependencies with something written in another language. Also please go back to the first line of my comment and read it again.

> In the meantime, it appears rather difficult to replace the last 40 years of work overnight in a novel, untested language, with support for a tiny fraction of the targets that C has been supporting all that time, while maintaining reasonable performance.

Who suggests it can be done overnight? Why not use something that compiles to C if you need this compatibility? There is no need to replace all of it at once - you can pick particularly sensitive parts first, one file or one library at a time. There are many ways to introduce safer languages if you want to do it. Also, difficult or not, all code will be replaced eventually.

As for performance - it's irrelevant in a large amount of networking code. I'd have no issue whatsoever with adding a few CPU instructions for bounds checking when you wait several milliseconds for an IO operation, which is the case with curl.
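As an added illustration of the bounds-checking point above (this is example code written for this page, not code from the thread, from curl or from any project mentioned here): a fixed-size receive buffer whose append routine rejects any chunk that would not fit. The `recv_buf` type and `buf_append` function are assumptions made up for the example. The entire cost of the check is one subtraction and one comparison per append, which is what a memory-safe language would insert for you and which is invisible next to a socket wait.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a network receive buffer (constructed for this example). */
typedef struct {
    char data[64];   /* fixed capacity; sizeof b->data is the bound */
    size_t len;      /* bytes currently stored */
} recv_buf;

void buf_init(recv_buf *b) {
    memset(b->data, 0, sizeof b->data);
    b->len = 0;
}

/* Bounds-checked append.
 * The check is written as "n > capacity - len" rather than "len + n > capacity"
 * so that a huge n cannot wrap the addition and slip past the test.
 * Returns 1 on success, 0 if the chunk is rejected (buffer left untouched). */
int buf_append(recv_buf *b, const char *chunk, size_t n) {
    if (n > sizeof b->data - b->len) {
        return 0;               /* would overflow: reject instead of corrupting memory */
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return 1;
}

/* Remaining capacity, handy for sizing the next read() call. */
size_t buf_space(const recv_buf *b) {
    return sizeof b->data - b->len;
}

int main(void) {
    recv_buf b;
    buf_init(&b);

    /* Constructed sample chunks standing in for data arriving from a socket. */
    const char *hello = "HTTP/1.1 200 OK\r\n";          /* 17 bytes */
    char filler[80];
    memset(filler, 'A', sizeof filler);                  /* 80 bytes, more than fits */

    printf("append 17 bytes: %d (len=%zu)\n", buf_append(&b, hello, strlen(hello)), b.len);
    printf("append 80 bytes: %d (len=%zu)\n", buf_append(&b, filler, sizeof filler), b.len);
    printf("space left: %zu\n", buf_space(&b));
    return 0;
}
```

In a real client the rejected append would translate into closing the connection or growing the buffer deliberately; the point is that the decision is made by a compare instruction, not by whatever happens to sit after the array.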

> there is no reason for it to be my work to prove its doable and often worth the effort.

Why? You don't have the expertise needed to do that yourself? It seems you think you have enough to lecture others and write how easy it is (just generate some C code).

> I can point you to numerous examples of people writing and rewriting software

Ok, point me to this software that was rewritten from unsafe C code and replaced with a memory safe language. I don't want any hobby projects, real software used by millions. Give me 10 examples.

I too am curious to know of large and prominent C projects rewritten in another language successfully. One recent atypical example that I can think of is the Go compiler.
And unfortunately it became twice as slow because of that [1].

[1] https://cdn.infoq.com/statics_s1_20170328-0458_1/resource/ne...

Good point. A project with the full financial support of Google with a team including Rob Pike, Ken Thompson, Russ Cox and others, in a language that they designed. And it still took a few years and was a huge and stressful process.
When I said "atypical", I was thinking more along the lines of that it is not unusual for compilers to eventually be self-hosting.

> Why? You don't have the expertise needed to do that yourself?

You are taking code criticism too personally. Keep it professional.

> point me to this software that was rewritten from unsafe C code and was replaced with memory safe language.

From my own field - a bunch of libraries for Python. The MySQL driver for example - used by a large number of people.

Numerous compilers and related tools: Golang runtime for example. Objective-C to Swift migration. Various parts of Firefox. Coreutils (https://github.com/uutils/coreutils). Ruby extensions: https://codeandtalk.com/v/fullstackfest-2015/full-stack-fest... remacs: https://github.com/Wilfred/remacs Whole industries run from C/C++ to Java/Python/.Net. Millions of projects there.

> You are taking code criticism to personally. Keep it professional.

What? I am asking if what you are writing is based on your experience or it's just theory that you've read somewhere. How is this personal?

I am not asking for myself. I already know the answer to that question after reading your comments (the last one only confirmed that), but people that are reading your comment may not, so why don't you just answer the question?

> Numerous compilers and related tools: Golang runtime for example. Objective-C to Swift migration. Various parts of Firefox. Coreutils (https://github.com/uutils/coreutils). Ruby extensions: https://codeandtalk.com/v/fullstackfest-2015/full-stack-fest.... remacs: https://github.com/Wilfred/remacs Whole industries run from C/C++ to Java/Python/.Net. Millions of projects there.

I am talking about projects that NEEDED C for its time/space efficiency and cross platform support. Not any C project. Do you see OS kernels in production written in Python used by millions? Do you see video/audio codecs written in Java/Python/.NET used in production by millions? No. This is where C is used because it's needed.

Coreutils in rust, remacs, ruby extensions - this is not used by millions.

> Objective-C to Swift migration

What? These are different languages. It's not the SAME software rewritten from C.

> Various parts of firefox

Whole software, not parts.

So the only valid example you gave is Go (the Go compiler is not used by millions, by the way). So you gave 1 example instead of 10, and the Go compiler is now twice as slow after the rewrite.

> `dpkg -l | grep '^ii lib'|wc -l` lists over 2000 libraries I have installed, lot of them written in C

That '2000' number is not the relevant one here. The reason that security is important wrt Curl is that Curl is used to access the internet. Security in the library used to print colours to your terminal is a bit less important.

It's those widely used, public facing libraries that need a good security story (and using a memory-safe language is a good start there).

> Security in the library used to print colours to your terminal is a bit less important.

Printing colors may still provide an attack vector. The latest CVE in Ubuntu comes from a program that ejects CDs (and needs root privileges to do so).

It's really easy to criticize. Why don't you rewrite curl yourself? Instead of talking, do something. In a language that is memory safe + supports all the platforms that curl supports (good luck with that) and at the same time is as efficient.

> It's really easy to criticize.

Yes, that's the point of this discussion. We are not criticising some code for having one bug a decade that requires 24 steps to reproduce, we are criticising code for having numerous bugs that are easily preventable with existing technology. It's way easier than it should be.

I have no personal need for rewriting curl. Instead I am using libraries written in a safer language. You are misaddressing my criticism. I am not criticising the curl author for using C - just some of his arguments for doing so the way he does. They are not valid in my opinion. There might be reasons for distributing code as C source; there is no reason for a networking library to be written in C directly.

> In a language that is memory safe + supports all the platforms that curl supports

There are languages safer than C that compile to C, supporting all platforms C does. No luck is needed.

> There are languages safer than C that compile to C, supporting all platforms C does. No luck is needed.

I think you are living in theory world, but you don't have any practice. Show me 10 examples of C code (>10 KLOC) that was generated by those "safe languages" that compile to C which is safe, and as time and space efficient as equivalent hand-written, highly optimized C code.

Just a comment on your dpkg one-liner. You can use aptitude to find things written in a given language, e.g. on my Debian computer:

    $ aptitude search '?tag(implemented-in::c)'|grep '^.  lib'|wc -l
    1895

This only listed some 4 i386 packages I had installed.