Debian's APT Will Soon Begin Requiring Rust: Debian Ports Need To Adapt Or Be Sunset : linux

[–] aubeynarf@lemmynsfw.com 33 points 5 days ago* (last edited 5 days ago) (3 children)

how many compiler back doors have we seen versus use-after-free/stack overflow attacks?

The anti-Rust crowd baffles me. Maybe C++ has rotted their brain to the point they can’t “get” the borrow checker.

My only complaint is that its syntax is an ugly mishmash. Should have copied scala or f#

[+] Shanmugha@lemmy.world -24 points 4 days ago (1 children)

More like Rust has rotted someone's brain. "Hey, I can't code safely, so I will use this new toy that is supposed to make me". This line of thought is OK as long as it does not get imposed on anything I do as a programmer

[–] LeFantome@programming.dev 6 points 3 days ago* (last edited 3 days ago) (1 children)

The industry cannot code safely. There are many reports, studies, and corporate disclosures highlighting that memory related bugs are the primary source of critical security issues in C and C++ code. That is why even NIH companies like Google and Microsoft are adopting Rust in their core products.

That you want to publicly ignore all that evidence to paint it as an individual skill issue does not come across as competent or intelligent. Few of us are going to assume your code is free of these kinds of bugs.

The fact that your have to say it so dismissively makes me think that you know it too.

[–] Shanmugha@lemmy.world -2 points 3 days ago

Things are much simpler:

Want a bug free code - do bug free code. Spend time carefully evaluating every line and interaction
Want third-party code and safety - examine that code in the same way
Whatever you do, assume there is a bug in any software you use, so plan and organize accordingly
No amount of magic pills can substitute the above. So yeah, it is a skill issue. Also an issue of kids wining that there are bugs and they don't feel safe, so they want to cling to magic pills instead of dealing with the reality

[+] iloveDigit@piefed.social -44 points 5 days ago* (last edited 5 days ago) (2 children)

how many compiler back doors have we seen versus use-after-free/stack overflow attacks?

Who cares? Why do you ask?

The anti-Rust crowd baffles me. Maybe C++ has rotted their brain to the point they can’t “get” the borrow checker.

I can't code, so C++ doesn't have much space in my brain, but Rust still seems a lot more sus to me than C.

[–] 4am@lemmy.zip 24 points 4 days ago (1 children)

Rust seems sus to you? What’s that based on, “vibes, bro”?

[+] iloveDigit@piefed.social -23 points 4 days ago* (last edited 4 days ago) (2 children)

Essentially, yeah.

Noticed an overall "vibe" where Rust critics repeatedly have points that sound like they make sense, and I can't really think of examples of them saying confusing nonsense, or refusing to elaborate on a point when challenged to. Whereas, other way around for Rust defenders.

Best way I know to determine what's "sus" is to look at what's defended by people who are willing to elaborate on the points you ask them to elaborate on. It's almost a perfect gauge. But maybe not quite perfect, and you could totally call it "vibes." I remain not totally certain about Rust.

[–] BlameTheAntifa@lemmy.world 15 points 4 days ago

If you are not a programmer, you do not have the background or understanding to assess any arguments about a programing language.

The vast majority of anti-Rust people are stubborn and toxic types who don’t know it and refuse to learn. On the other end you have those who do use it, know why it’s such a good language, and criticize it constructively so that it continues to improve. Rust lacks many quality of life features that other languages have, but that is by design. It’s meant to create rock-solid software and forces you to think about things like lifetimes and ownership scopes that other languages let you take for granted.

You can’t easily move from languages like C++ or Python to Rust without learning and accepting new concepts and patterns. If someone can’t or won’t do that, they should not be doing any programming.

[–] jasory@programming.dev 10 points 4 days ago (1 children)

It's very hard to get a good look at which arguments are good or not without having the experience to evaluate them.

Here's my view on Rust vs C or C++. Rust is a stricter language which makes it easier to code with low run-time errors, which is great for writing large scale projects. Now the problem with this is that you can write C++ to also be strict but it's a lot more verbose than the standard approach, so most developers don't. This causes disagreement among Rustaceans and C/C++'ers. The C++'ers are correct that you can replicate anything in Rust in C++. A correct program is a correct program regardless of the language it's written in. Rustaceans also oversell when it comes to program correctness, tons of Rust programs have errors; Rust can help minimize errors but it's not a silver bullet. Rewriting-in-Rust for an already good program is a fools errand; the outcome will probably be a worse program. However Rustaceans are correct in pointing out that the C++ written programs tend to have more errors, it's just not the rule they pretend it is.

In summary, Rust is a great language but Rustaceans oversell it. Many of it's apparent advantages can be mitigated by good development practice. It's just that good practices are difficult and uncommon.

(Note that there are also 3-rd party tools like static analysers, which can help developers detect errors. So again Rust is better out of the box, but ultimately you can get the same outcome with some work).

[–] iloveDigit@piefed.social 2 points 4 days ago

That all lines up with what I've heard. Thanks for the comprehensive reply 🤙

[–] aubeynarf@lemmynsfw.com 22 points 5 days ago* (last edited 5 days ago) (1 children)

You care, you are the one that brought it up as an issue with rust.

I ask as a rhetorical question to shed light on the fact that compiler back doors are a vanishingly small fraction of total security exploits, while the memory bugs that rust specifically addresses make up the vast majority.

[+] iloveDigit@piefed.social -27 points 5 days ago (1 children)

You care

About random numbers? Not really

you are the one that brought it up as an issue with rust.

Are you referring to where I said "I want to know some random numbers Rust isn't giving me, and that's a problem with Rust?"

Because that was in your imagination.

Or are you referring to where I said "Rust wants to know some random numbers it isn't giving itself?"

Because that was also in your imagination.

In reality, I brought up that I've heard Rust adds another layer of trusting the compiler isn’t backdoored.

[–] aubeynarf@lemmynsfw.com 14 points 5 days ago (2 children)

While you’re spouting nonsense, this is happening:

https://www.infoq.com/news/2025/11/redis-vulnerability-redishell/

The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code. This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments.

13 years. That's how long it took to find a critical safety vulnerability in one of the most popular C open source codebases, Redis. This is software that was expertly written by some of the best engineers in the world and yet, mistakes can still happen! It's just that in C a "mistake" can often mean a memory-safety bug that would put user data at risk (...) That's the nature of memory-safety bugs in C: they can hide in plain sight.

[+] iloveDigit@piefed.social -18 points 5 days ago* (last edited 5 days ago) (1 children)

While you're spouting nonsense

I'm the guy you were replying to here. I'm not spouting any nonsense in this thread. Did you reply to the wrong person, or is this a false accusation?

this is happening:

https://www.infoq.com/news/2025/11/redis-vulnerability-redishell/

The vulnerability exploits a 13-year-old UAF memory corruption bug in Redis, allowing a post-auth attacker to send a crafted Lua script to escape the default Lua sandbox and execute arbitrary native code. This grants full host access, enabling data theft, wiping, encryption, resource hijacking, and lateral movement within cloud environments.

13 years. That’s how long it took to find a critical safety vulnerability in one of the most popular C open source codebases, Redis. This is software that was expertly written by some of the best engineers in the world and yet, mistakes can still happen! It’s just that in C a “mistake” can often mean a memory-safety bug that would put user data at risk (…) That’s the nature of memory-safety bugs in C: they can hide in plain sight.

Why did you make me read these paragraphs without explaining how they connect to the context? Let me guess: they don't connect to the context, you're just designing your replies to mislead people dumb enough to be vulnerable to your manipulation tactics? With no consideration for me whose time/energy you're wasting, much less them who you're confusing?

[–] aubeynarf@lemmynsfw.com 8 points 5 days ago (1 children)

Our team has reviewed this interaction, and cannot issue a refund at this time.

[+] iloveDigit@piefed.social -13 points 5 days ago* (last edited 5 days ago) (3 children)

For anyone confused:

Make sure you know exactly what "compiler" and "backdoor" mean. With that, you can probably skip the rest of this comment.
aubeynarf seems to be framing things in a way that might make you think C is immune to compiler backdoors, and might also make you think we're in agreement on that point. That's based on absolutely nothing. C has no special resistance to compiler backdoors. I hear Rust introduces new risk here, but I don't see any reason to reframe that as all the risk with C being in other areas.
aubeynarf seems to be framing things in a way that might make you think security exploits all have similar levels of severity. Like, if you make a list of 100 exploits, it will be about the same severity as any other list of 100 exploits. That is not true. Scoring would be based on what damage the exploits can do, not how many there are.
If aubeynarf's framing makes it seem like known exploits are scored by sheer quantity, that would also imply security experts put a lot of focus on "scoring" known exploits at all. We don't. We might put a lot of energy into counting and scoring unknown exploits if we could, but we can't, so this is again not an honest mistake or a slight twist from reality - it's completely made up from nothing. Not only would quantity be unrelated if we did have a big use for scoring known exploits, but we don't. Known exploits are not unknown exploits. We're trying to expose unknown exploits, and fix them. Counting and scoring the known ones is just something that happens along the way. We would never weigh the entire concept of compiler backdoors by counting the ones we've identified.
aubeynarf seems to be framing things to set an impression of "oh this guy knows what he's talking about and he thinks compiler backdoors are no big deal, so they must be no big deal." If you fall for that, there's not much I or anyone can do for you.

[–] ArsonButCute@lemmy.dbzer0.com 13 points 4 days ago* (last edited 4 days ago) (2 children)

I have no horse in this fight, so pardon my asking:

You self admittidly don't know code, so like, why are you trying to argue about code?

That's like a DJ and a Barber arguing over which carbueretor jet is correct in a classic Mercedes. The answer is muddier and than either of them know enough to understand, because they're not mechanics or engineers.

Are you a programmer? Cybersecurity researcher? Bot designed to sow discontent with pretty arguement?

Like, what's the point of all this? Neither of you know what you're talking about, I don't even know what you're talking about but I can clearly read the vibes based technobabble between you, so like, why?

[–] aubeynarf@lemmynsfw.com 0 points 4 days ago

lol dude, I know what I’m talking about. I’ve been a software engineer for 30 years.

[+] iloveDigit@piefed.social -10 points 4 days ago* (last edited 4 days ago)

You self admittidly don’t know code, so like, why are you trying to argue about code?

Because the level of knowledge that would stop you from rephrasing my words into "don't know code" is much higher than the level of knowledge I'm using in the argument.

That’s like a DJ and a Barber arguing over which carbueretor jet is correct in a classic Mercedes. The answer is muddier and than either of them know enough to understand, because they’re not mechanics or engineers.

How is that like an unpaid cybersecurity expert arguing about cybersecurity then?

Are you a programmer?

Already answered this and you acknowledged that in the beginning. It's becoming clearer and clearer you're replying in purely bad faith.

Cybersecurity researcher?

Kinda, but not really.

Bot designed to sow discontent with pretty arguement?

Obviously not, and now it seems like you're trying to bait me into the kind of response that could get me banned here. This discussion would be more appropriate for nostr, where no one can be banned.

Like, what’s the point of all this?

The main point of your gish gallop is to waste my time and energy and confuse other people.

The main point on my side of the discussion has been to raise awareness of how concerned the general public should be (and sadly isn't) about the general state of cybersecurity right now, especially in vital areas like how the Linux ecosystem and coding languages themselves are developing.

Neither of you know what you’re talking about

Incorrect. I have talked about, for example, a user's statements in a discussion I linked to. I know this. You can't really provide an example of anything I've mentioned here that I don't know about.

You could use "don't know what you're talking about" as a euphemism for how the person I was replying to was spewing bullshit, but I'd just call them a liar. Seems more straightforward. Either way, that's not me.

don’t even know what you’re talking about but I can clearly read the vibes based technobabble between you

I think in this context, you should be trying to ignore the vibes and understand what's being said.

so like, why?

Awareness should be raised for this stuff, because people are sadly not as concerned as they should be about the state of cybersecurity right now. It's particularly an issue in Linux / FOSS circles where there seems to be more of a false sense of security these days.

[–] anzo@programming.dev 1 points 2 days ago* (last edited 2 days ago) (1 children)

Here's your reply to Redishell. You answered "To anyone confused: [...]" and went on and on talking about backdoors.

[–] iloveDigit@piefed.social 1 points 2 days ago

Still not getting your point. Is there a reason I should read about Redishell?

[–] aubeynarf@lemmynsfw.com 5 points 4 days ago (1 children)

This is what a tryhard looks like, lol! You’re really twisting yourself around to “win” aren’t you?

[+] iloveDigit@piefed.social -6 points 4 days ago (1 children)

What do you mean?

[–] anzo@programming.dev 1 points 3 days ago (2 children)

the only loss here is my time as a moderator :P

I am not banning anyone, you were quite civil in this "fight" ^1^

Do keep in mind that all this has a lot of "editor wars" vibes. But the conflict goes beyond Debian (e.g. including Rust in Linux kernel), and actual harmful discussions between Rust and C/C++ people is REAL, damaging our communities, and very much driven by generations/ network-effect. And this is just sad. It's not a technical issue, and overcoming it seems nearly impossible at the moment.

--

^1^ I'd call it discussion, but it seems to me that 'whoever loves Digit' was ranting more on their own behalf... as per their own words:

Awareness should be raised for this stuff, because people are sadly not as concerned as they should be about the state of cybersecurity right now. It's particularly an issue in Linux / FOSS circles where there seems to be more of a false sense of security these days.

I agree with these words, but not all you said (specifically, backdoors to me are a smaller concern in the software industry nowadays in comparison to the Redishell provided that you were unable to fully understand). Anyway, I don't see reason to remove any of the most downvoted comments you have. But I will take the opportunity here to raise a warning to you. OR, let's make it a personal advice: arguing on the internet is not worth the emotional toll. As with any advice, you can either take it or leave it. Good luck!

[–] iloveDigit@piefed.social 1 points 3 days ago* (last edited 3 days ago) (1 children)

the only loss here is my time as a moderator :P

I value mine more than yours, sorry.

Do keep in mind that all this has a lot of “editor wars” vibes. But the conflict goes beyond Debian (e.g. including Rust in Linux kernel), and actual harmful discussions between Rust and C/C++ people is REAL, damaging our communities, and very much driven by generations/ network-effect. And this is just sad. It’s not a technical issue, and overcoming it seems nearly impossible at the moment.

Is this the reason you give me a "warning" later in your reply? I'm not getting the exact point clearly. This topic is "harmful," but I don't think you warned everyone else discussing it? So what is the actual warning? Are you telling me not to reply in threads on this topic in the future?

backdoors to me are a smaller concern in the software industry nowadays in comparison to the Redishell provided that you were unable to fully understand

Backdoors are a top priority concern in consumer electronics. I hope nobody lets themselves be mislead on that fact here.

I have no idea what "Redishell" is. I don't think there was any point in this thread where I said anything about it, so what are you talking about with me being "unable to fully understand" it? Couldn't you try telling me what it is and checking how much I understand before saying that? Am I totally forgetting something?

Whatever it is, it sounds like you're implying it's a security vulnerability that cannot be a backdoor, which I definitely don't understand when I have no idea what it is.

[–] anzo@programming.dev 1 points 2 days ago

I am not saying this as a moderator: you're person of obnoxious answers. Probably far too intelligent to even consider that you're actually interacting with other human beings that may not want to engage or sacrifice their time with your rants. But I don't ban based on personality.

Anyway, I don't have to answer any of your questions. Typing comes too fast on your keyboard. Try stepping away, read, click the links (like redishiel CVE), take a deep breath, live more calmly.

I will post a reply to you reply on Redishell. So that you can check again what happened there. You went too fast and hit your own wall.

[–] eah@programming.dev 12 points 4 days ago

There's an ongoing effort to get gcc to compile Rust.^[https://lwn.net/Articles/907405/]

[–] vk6flab@lemmy.radio 7 points 5 days ago

This seems relevant:

https://youtu.be/Fu3laL5VYdM