by Yokohiii 38 days ago
The problem is the lack of talent that is willing to work on this, not the language.

AI Security researchers at least do something. If it was so easy to rewrite everything in rust, I don't know why the response to these incidents isn't a rock solid replacement in rust, the next day.

I'll tell you why that is. Working on these things doesn't give you stars on github.


That is a very pretentious opinion. Dnsmasq is a ubiquitous project, ~14 years old, and has maintainers that are very experienced in c and in the codebase. Telling them to rewrite in a language they are (maybe) unfamiliar with, even with the help of AI, will make these maintainers' experience worthless.

People seem to think that rewriting in rust just magically fixes all issues, but that's not how it works (See recent uutils CVEs). Rewrites tend to have more bugs because the code is new and hasn't been reviewed as much.

I'm pretty sure we are getting close to the point where a few thousand bucks worth of tokens is enough for an agent coding session to reproduce a significant sized (but not linux kernel sized) C codebase in Rust that's 100% security bug for security bug compatible with the original. And _maybe_ "given enough eyeballs, all bugs are shallow" was true or even close to true once. But none of the "new code" ever has a _single_ eyeball cast over it. You know how sometimes you can stare into the code you wrote for weeks, but as soon as somebody else sees it they go "Hmmm, that bit looks odd. Are you sure it's right?" For most vibe coders or agent coders, it's all the same tool that generated the code that's looking for the bugs - it seems reasonable to assume that if a particular LLM generated the buggy code in the first place, it's at least as unlikely to find the bugs as a human who writes buggy code?

> I'm pretty sure we are getting close to the point where a few thousand bucks worth of tokens is enough for an agent coding session to reproduce a significant sized (but not linux kernel sized) C codebase in Rust

Given a comprehensive test suite for the original, probably, yes. If the test suite isn't great, you are still going to spend a lot of time/tokens chasing edge cases.

> that's 100% security bug for security bug compatible with the original

You can do this part without AI. c2rust will give you a translation that retains all the security bugs (and all the memory unsafety). The hope is that the AI in the loop will let you convert it to idiomatic rust (and hence avoid the memory unsafety, and in doing so, also resolve some of the security issues).
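To make the distinction in the comment above concrete, here is an added example (not code from anyone in this thread, and not c2rust's actual output): a constructed C-style allocation-size computation, a translation written in the style a mechanical C-to-Rust tool produces (unsigned multiply that wraps, exactly as C does, so the bug survives the translation), and an idiomatic Rust version in which the same overflow becomes an explicit error. `u32` stands in for a 32-bit `size_t`, and the function names are assumptions made for this example.

```rust
// Added example, constructed for illustration; not from the thread or c2rust.
//
// Original C (hypothetical, constructed for this example):
//
//   size_t total = count * elem_size;      // wraps on 32-bit size_t
//   char *buf = malloc(total);             // undersized buffer
//   memcpy(buf, src, count * elem_size);   // later heap overflow
//
// A mechanical translator preserves C semantics, so the wrap is kept.
// The malloc/memcpy half would be `unsafe` raw-pointer code in the
// translation and is left out here so the example runs without UB.

/// Mechanical-translation style: wrapping arithmetic, as in C.
/// Returns the (possibly wrapped) size, preserving the bug bug-for-bug.
pub fn alloc_size_mechanical(count: u32, elem_size: u32) -> u32 {
    count.wrapping_mul(elem_size)
}

/// Idiomatic Rust: an overflow is reported instead of silently producing
/// a tiny buffer size.
pub fn alloc_size_checked(count: u32, elem_size: u32) -> Option<u32> {
    count.checked_mul(elem_size)
}

/// Consumer of the checked size: copies `count * elem_size` bytes out of
/// `src`. An impossible size or a short source is an error; the slice
/// bounds check means no read ever goes past the end of `src`.
pub fn copy_elements(src: &[u8], count: u32, elem_size: u32) -> Result<Vec<u8>, String> {
    let total = alloc_size_checked(count, elem_size)
        .ok_or_else(|| "count * elem_size overflows u32".to_string())?;
    let total = total as usize;
    // `get(..total)` returns None on an out-of-range request instead of
    // reading beyond the slice, which is the property the C version lacks.
    let bytes = src
        .get(..total)
        .ok_or_else(|| format!("source has {} bytes, need {}", src.len(), total))?;
    Ok(bytes.to_vec())
}

fn main() {
    // Constructed inputs: 0x8000_0001 * 2 = 0x1_0000_0002, which wraps to 2.
    let (count, elem) = (0x8000_0001u32, 2u32);
    println!("mechanical size: {}", alloc_size_mechanical(count, elem)); // 2
    println!("checked size:    {:?}", alloc_size_checked(count, elem)); // None

    // Constructed source buffer of six bytes.
    let src = [1u8, 2, 3, 4, 5, 6];
    println!("{:?}", copy_elements(&src, 2, 3)); // Ok([1, 2, 3, 4, 5, 6])
    println!("{:?}", copy_elements(&src, 4, 3)); // Err(short source)
    println!("{:?}", copy_elements(&src, count, elem)); // Err(overflow)
}
```

The point the comment makes is visible in the first two functions: the mechanical version is faithful to the C, including the wrap, so a bug-for-bug port is exactly what you get without further work; only the rewrite into idiomatic types (`checked_mul`, `Option`, slice bounds) removes the bug rather than carrying it across.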

I think I was ambiguous.

> If it was so easy to rewrite everything in rust, I don't know why the response to these incidents isn't a rock solid replacement in rust, the next day.

Meaning that AI/Rust enthusiasts are supposed to supply solutions. Of course they won't.

But they will produce a lot of posts on this website to say that it's only 3 weeks away.

> People seem to think that rewriting in rust just magically fixes all issues

Citations and links, please.

I am not a journalist, nor your nanny.

Then you're claiming falsehoods supporting your prejudices. Good to know.

Though I wonder why.

> Citations and links, please.

"bigiain"'s comment, in the same discussion, is an example: https://news.ycombinator.com/item?id=48120707

There are comments like this everywhere; if you don't see them it's just that you don't want to see them. They are a little less frequent than 5 years ago but still frequent enough in every c, c++ or rust discussion.

Which part of the comment comes off as fanatic to you?

I'd disagree with that poster that you can write 100% security bug free code just like that.

> There are comments like this everywhere; if you don't see them it's just that you don't want to see them.

Can you discuss productively without attacks? Mine was, and still is, a question of genuine curiosity. And the only "fanatic" thing in your linked comment is a bogus 100% claim. I'm not seeing fanaticism.

> Which part of the comment comes off as fanatic to you?

I didn't use the word 'fanatic', and neither did the previous comment you were responding to.

> Can you discuss productively without attacks?

So you think someone telling you "look a little harder" is a "personal attack"? After I took some time to give you a link you asked for?

> I'm not seeing fanaticism.

You are the only one using this word in this discussion.

> So you think someone telling you "look a little harder" is a "personal attack"? After I took some time to give you a link you asked for?

If you are taking the time to find a link then understand that your effort can be for naught if you could not resist inserting "if you don't see them it's just that you don't want to see them". What's your imagined ideal outcome when you comment... this, exactly?

Advice: just put the link and skip snarky commentary. Trying to emotionally load your message does not move discussions forward. It puts them in a corner.

> You are the only one using this word in this discussion.

OK, fair -- then I want to hear what words you'd use. Apart from the guy claiming an imaginary "all security bugs will be fixed" which I already said I disagree with, are there other criticisms?

> I don't know why the response to these incidents isn't a rock solid replacement in rust, the next day.

Go ahead and ask your AI to make it. What's stopping you?

> What's stopping you?

Based on their comment I guess they are worried they won't earn enough stars on github.

They can simply buy them :D

At a talk to showcase how dumb stars/downloads are to measure popularity I showcased a tool to reach the most downloaded list very easily.

The owners of code repositories that release download counts stats without even aggregating them by IP address are fully aware of it.

Probably some people play the stats to seem popular and get VC funding.