Comment by o8r3oFTZPE
4 years ago
I think you are misattributing the source of Heartbleed. Can you point out the security issues in NaCl? It is written in C. According to this "no one can write C" logic, there must be bugs because "no one can write C". https://nacl.cace-project.eu/
The other bizarre aspect of this logic is that not only is the author of the code irrelevant but apparently the task is, too. It would appear to apply to, e.g., even the most simple programs. The only factor that matters is "written in C". I use sed every day. It's written in C. Show me the bugs. I will probably be dead before someone finds them. Will I be using a "memory-safe" sed before then?
Saying "show me the vulns in this codebase" over and over is not a good argument.
Whereas saying "no one can write C without bugs" over and over is a good argument.
It's hyperbole. If the argument was "few people can write C without bugs" that would be much easier to digest.
OK, but I didn't say that no one can write C without bugs. I said that blaming languages is good, that we'll all lose due to people continuing to use C, that C programs aren't inherently smaller and faster than other languages, and that people should treat writing C as they would treat writing crypto.