this post was submitted on 03 Jul 2024
46 points (80.3% liked)

Programmer Humor

19512 readers
1124 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 1 year ago
MODERATORS
 

A shitpost about languages that generate CVEs

top 21 comments
sorted by: hot top controversial new old
[–] [email protected] 13 points 4 months ago (2 children)

Also, I like how this problem had a really simple solution all along

There really isn't anything we can do to prevent memory safety vulnerabilities from happening if the programmer doesn't want to write their code in a robust manner.

Yeah, totally, it's all those faulty programmers fault. They should've written good programmes instead of the bad ones, but they just refuse to listen

[–] [email protected] 7 points 4 months ago* (last edited 4 months ago) (2 children)

Right, those devs with 20+ years C experience don't know shit about the language and are just lazy. They don't want to catch up with the times and write safe C. It's me, the dude with 5 years of university experience who will set it straight. Look at my hello world program, not a single line of vulnerable code.

Anti Commercial-AI license

[–] [email protected] 5 points 4 months ago (1 children)

This is not completely wrong, though

[–] [email protected] 0 points 4 months ago* (last edited 4 months ago)

Yeah, for sure. Human error is involved in C and inertia too. New coding practices and libraries aren't used, tests aren't written, code quality sucks (variable names in C are notoriously cryptic), there's little documentation, many things are rewritten (seems like everybody has rewritten memory allocation at least once), one's casual void * is another's absolute nono, and so on.

C just makes it really easy to make mistakes.

Anti Commercial-AI license

[–] [email protected] 2 points 4 months ago

It has nothing to do with knowing the language and everything to do with what's outside of the language. C hasn't resembled CPUs for decades and can't be reasonably retrofitted for safety.

[–] [email protected] 1 points 4 months ago

Well yeah, 100% of programming errors are programmers fault.

[–] [email protected] 11 points 4 months ago (1 children)

lol this same post got flagged and taken down from HN

[–] [email protected] 5 points 4 months ago

Well, lemmy is a place for much more cultured audience. We can appreciate a good shitpost (that does also hold some water).

[–] [email protected] 10 points 4 months ago (2 children)

The "C is bad trope" is getting way too old. I'm surprised the author didn't plug Rust.

the only programming language in the world where these vulnerabilities regularly happen

Maybe because it's one of the most widely used languages in the world...

[–] [email protected] 28 points 4 months ago (1 children)

The trope will be "old" once the mainstream view is no longer that C-style memory management is "good enough".

That said, this particular vulnerability was primarily due to how signals work, which I understand to be kind of unavoidably terrible in any language.

[–] [email protected] 4 points 4 months ago (1 children)

A better language wouldn't have any need to use POSIX signals in this way.

[–] [email protected] 9 points 4 months ago

I'm not totally clear on why signals are used here in the first place. Arguably most C code doesn't "need" to use signals in complex ways, either.

[–] [email protected] 11 points 4 months ago (1 children)

Well, one of the most widely used that allows to do low-level stuff. The most widely used one is by far JavaScript but good luck making an OS or a device driver with it

[–] [email protected] 1 points 4 months ago (2 children)

I'm sure there are projects covering those areas written in JavaScript.

[–] [email protected] 6 points 4 months ago

Just because you can doesn’t mean you should and i hope that is not a thing

[–] [email protected] 4 points 4 months ago (1 children)

Oh gawd. That would be so horrible! Is there a project o compile JavaScript to bytecode? With like LLVM? There must be, but I haven't heard of it. I shouldn't even say anything because I will be better off pretending it doesn't exist.

[–] [email protected] 1 points 4 months ago

Just bundle a JavaScript interpreter with the JavaScript code. No need to compile JavaScript.

[–] [email protected] 2 points 4 months ago (2 children)

... the only language where 90% of the world's memory safety vulnerabilities have occurred in the last 50 years

Yeah... That's a shit post alright.

I'm not a C developer myself, but that's just a low blow. Also, uncited ;).

[–] [email protected] 9 points 4 months ago* (last edited 4 months ago) (1 children)

This is an overstatement, definitely. C is one of the few (mainstream) languages where memory safety vulnerabilities are even possible. So if you batch C and C++ together, they probably cover more than 90% of all the memory unsafe cove written in last 50 years, which is a strong implication that they will contribute to 90% of memory vulnerabilities.

All that said, memory vulnerabilities are about 65% of all high implact vulnerabilities on Chromium project^1 and about 70% of vulnerabilities at Microsoft ^2.

[–] [email protected] 2 points 4 months ago

So we'd only fix 70% of vulnerabilities by switching to rust? Not enough! Better keep writing C/C++!

[–] [email protected] 6 points 4 months ago

Yeah the only way it would be that high is if it lumps C and C++ together. But at that point it may be an underestimate.