Hacker News new | ask | show | jobs
by blissofbeing 702 days ago
So the argument is that yes Rust would have helped mitigate this specific bug, but bugs exist in all languages so therefore it doesn't matter the language.

I see the logic, but I don't think anyone is saying using Rust would make it bug free, people are just correctly pointing out Rust would have helped this bug, or in other words there is the potential for less bugs with Rust.

So yes, and.
4 comments
vb-8448 702 days ago
I would argue that the whole point of the post is: nothing in the world can save you from bad practices.

There are at least 3 bad practices here:

- releasing of untested SW/config files

- bypassing of final users' rollout policies

- unconditional faith of final users in crowdstrike

link
Sakos 702 days ago
> The above are all things that could (and sould!) be done to reduce the chances of a misbehavior happening, but we must accept that the code bug was just the specific trigger this time around and a different trigger could have had similarly nefarious consequences. The root cause behind the outage lies in the process to get the configuration change shipped to the world.

> Now, SRE 101 (or DevOps or whatever you want to call it) says that configuration changes must be staged for slow and controlled deployment, and validated at every step. Those changes should first be validated in a very small scale before being pushed to the world later on, and every push should be incremental.

Unfortunately, the article is sort of burying the lede until half-way through until it makes some decent points.

We should be using safer languages, but also 1) how is it possible that CrowdStrike can push a content update globally to all clients with no option for their customers to delay it for testing and 2) why doesn't CrowdStrike have internal testing before deployment?

link
SoftTalker 702 days ago
And "this bug" being one of the most common types of bugs.
link
smsm42 702 days ago
> people are just correctly pointing out Rust would have helped this bug

So would a unit test or a fuzzer. But it's obvious this does not solve the actual problem, only a particular instance of it. It should be as obvious that mentioning Rust doesn't too. Kernel module in Rust may not have buffer overflow bugs (even that is not 100% certain, but let's assume for a minute) but it doesn't mean it's safe - or even significantly less unsafe.

link