Questions about FreeBSD? Ask A Developer live stream

allanjude@

Developer
Klara will be hosting a live Ask Me Anything (AMA) webinar session on June 30th at 11am EDT with Kyle Evans (FreeBSD Core team), Colin Percival (FreeBSD Release Engineer), and myself, Allan Jude (FreeBSD/ZFS developer).

If you have questions about FreeBSD that you've always wanted to ask the developers, this is your chance. You can submit questions ahead of time and catch the answers in the recording if you won't be able to join live.

Hope to see you there.

https://klarasystems.com/webinars/freebsd-after-hours-ama-post-bsdcan-recap
 
Hello,

First time posting on the forum. Since I don't know if I could attend the live stream, here's my question:

Rust's popularity comes mostly from the security guarantees it provides by restricting the developer's ability to perform unsafe operations. While the language provides advantages, it also comes with cons (e.g. no direct interoperability with C, fat binaries...), with some being specific to FreeBSD (e.g. requires importing its own toolchain with a long compile time, not a C frontend, ...). These cons kinda move the technical debt of code security to some other layers: at least maintaining interoperability with C.

C, on the other hand, allows some unsafe operations and thus puts more cognitive burden on the developer to maintain the security of the code. But some standards exist in the industry that restrict the operations that are allowed to be done in C. One of them is the SEI CERT C Coding Standard [1], which restricts the C language to improve its safety (even though it's not on par with the Rust security guarantees). Unfortunately, all the serious code analyzers for this standard are proprietary and commercial [2].

Do you think that the FreeBSD project could develop its own open-source static code analyzer to follow this security standard?

Thanks, and sorry if the question is too long.

[1] https://cmu-sei.github.io/secure-coding-standards/sei-cert-c-coding-standard/
[2] https://cmu-sei.github.io/secure-co...t-c-coding-standard/back-matter/ee-analyzers/
 

C is already uncomfortably restricted. No sense crippling it any further. IMHO
 