[uecker]

Yes, we need a languages that makes it impossible. But how could this happen in Rust? https://github.com/advisories/GHSA-5gmm-6m36-r7jh But clearly, this does not count because it used "unsafe", so it remains the programmer's fault who made a mistake. Oh wait, doesn't this invalidate your argument?

[mkj]

A random 16 star github repo using unsafe doesn't really tell anyone much.

[Ygg2]

> Oh wait, doesn't this invalidate your argument?

Not really. If you can't be perfect, at least be good.

Unless you want to make an argument that searching all of your code base for UB is better than running on a relatively small subset (20-30%).

Or that Linux should use tracing GC + value types. Which I would find decent as well. But sadly LKML would probably disagree with inclusion of C# (or Java 35).

[uecker]

You can't be perfect. The question is how much improvement "rewriting in Rust" actually brings, how important that is, and what downsides it may have.

[throwawayqqq11]

Another, way more impertant question is, can we keep maintaining legacy C code in community driven FOSS projects, when the world moves on.

[uecker]

Does the world really move on? I think HN could be misleading here. And is moving to evermore complex solution the right answer to mainentance problems? I doubt it.

[eru]

If you really want, you could write your code in Agda or similar and prove it correct. See also seL4 https://github.com/seL4/seL4 which is a proven correct kernel.

https://sel4.systems/Verification/proofs.html

[uecker]

... written in C.

[eru]

It's written in C in the same way it's written in assembly:

C is just used as part of the process to go from a high level spec to executable code.

You can also compile eg Haskell via C.

The subset of C used in seL4 is highly constrained.

[johnnyjeans]

a subset of C is provable, and is the de-facto standard in the industry.

what is it with rust people and thinking robust, automatic correctness checking was invented in the last 20 years?

[Ygg2]

Wow, the Linux kernel must be full of dunces that rather than writing in proven correct C, added another language that other maintainers hate. What morons! /sarcasm

Disclaimer: above is sarcasm, while I don't think Linux Kernel Maintainers are perfect, I don't consider them dunces either. If they can't avoid writing UAF (use after free) or DF (Double free) bugs then what hope does the average C programmer has?

[johnnyjeans]

I'm not sure what you're even trying to say. Do you think that formally verified C isn't a thing? Because it's not used in Linux?

Linux isn't designed to be formally verifiable. For all of the manpower and resources dedicated to it, it's still bidden to the technical debt of being a 30 year old hobbyist experiment at its core. If you want a formally verified, secure kernel that wasn't written by a college student to see if he could, seL4 exists.

[uecker]

While the memory safety issues are a concern, switching to Rust + Unsafe will only reduce but not eliminate those issues and it is unclear whether adding a lot of complexity is actually worth it compared to other efforts to improve memory safety in C.

[immibis]

Proven correct C