this post was submitted on 16 Jan 2026
25 points (87.9% liked)

Technology

[–] yogthos@lemmygrad.ml 6 points 1 week ago (1 children)

Big tech agencies often house their own compilers and make their developers use it (even if it’s just a copy of the open source ones) to ensure that if a compiler is compromised,

That's precisely what makes Rust appealing here with it being a new language and only having a single compiler implementation.

Also, there’s many many places where there’s a push to move C code to Rust to increase security, this isn’t ‘weird’.

I actually do find it weird that there's a massive push to rewrite all the stable and battle tested software that's been known to work fine for decades in a new language that's still evolving.

There are so many other problems to consider before going down this route. Supply chain attacks, trust verification, code signing, all these come into play way before this.

Why assume that's mutually exclusive? Intelligence agencies would pursue a multi-pronged approach, and if one trick works that's all you need.

The real issue is that most security vulnerabilities are caused by things Rust seeks to fix, use-after-free and double-free causing crashes that can be taken advantage of by a clever malware writer. Writing in Rust is (a slow and somewhat painful way of) making software more secure, not less.

Sure, the idea of Rust seems generally useful. However, the features Rust provides are entirely tangential to the discussion.

Additional note, this govt agency (and I’m no fan of Germany’s govt necessarily, but just to note) has given millions to many open source projects. Let’s Encrypt, PyPI, Yocto, the OpenPrinting stack, ActivityPub (you know, from the fediverse, how this platform runs…). They’ve also recommended languages other than Rust for projects too.

That of itself doesn't really let us know anything one way or the other.

Finally, I personally was not familiar with Lunduke, sounds like he's a massive piece of shit. I don't think that has anything to do with the question of whether it is problematic that there's a mass push to rewrite mature software in a new language that only has a single compiler implementation.

[–] RedClouds@lemmygrad.ml 3 points 1 week ago (1 children)

So for sure, everything you said is correct. One compiler, the push to rewrite software (This one I do 100% agree with, I do write Rust, but for greenfield stuff, it's not really useful to rewrite working, stable, secure software, in Rust). Security work isn't mutually exclusive, and what agencies do elsewhere doesn't represent what it does here.

I guess my best argument here is that I don't think Lunduke cares about what he claims, I think he's a right wing propagandist that looks for any reason, no matter how small, to push controversy and pull people to his blog to make money.

So yeah, you're right, security wise it's not a nothing burger, and is suspicious. Though I will still say that even though the Rust evangelists have rightfully been told to back off a bit, there's lots of companies that have decided to rewrite a lot in Rust.

[–] yogthos@lemmygrad.ml 2 points 1 week ago* (last edited 1 week ago) (1 children)

Sure, Lunduke is a terrible person and we obviously shouldn't take anything he says as gospel. But the conversation itself is very much worth having. It's too bad he had to be the guy to bring it up since that immediately taints the whole discussion. I didn't really think to look him up when I saw the video, otherwise I would've just made a post without referencing him.