Chris Burnor
mhoyeNaescent suspicion: if a utility tells me the language it was written in before it tells me what it does or why it was created, I should start looking for alternatives immediately.
Justin Pot
Yet Another Dave Brown@mhoye I have yet to learn what “goferd” does, but it is definitely in Python. That is literally all I know about it.
Nick Phillips
Western Infidels@mhoye I really like the phrase "naescent suspicion" but I'm concerned that if I use it myself I'll discover that it describes about 80% of what passes for my own personality.
In other words... ugh, well, you see the problem.
PixelJonesTotally, yes! The sheer number of new frameworks & "platforms" & startups that breathlessly declare they are "The first Floobar implemented in Zagbomb (mic drop)" without saying anything else is ridiculous.
Tell. Me. What. Your. Thing. Is. Good. For. And. Why. I. Should. Use. It.
I couldn't care less what flavor-of-the-week it was built on.
/end-of-old-techie-rant
Jos 
@mhoye I’m going to take to quoting this as “Hoye’s Law of Nascent Suspicion” and see if we can get it in there next to Godwin and Hanlon. :)
Emelia 👸🏻@mhoye I think the only one that carries a little weight is Rust, especially when comparing to a predecessor being written in C.. but otherwise I'd agree
Pyrex, nightsworn alchemistI agree to an extent! I don't agree if the story being told is that "being written in Rust" is the entire security model of the program.
Honestly I don't see anything in their readme.md that convinces me they understand why setuid binaries are scary and sudo specifically is _really_ scary.
To be clear, that is also my opinion on OG sudo, but OG sudo wasn't developed with the possible advantage of hindsight.
(Like, this to me is the archetypal example of software that is of an unknown level of badness and does nothing at all to convince me of its goodness.)
This other project by the same team (https://github.com/memorysafety/rav1d) is also "safe."
Safe how? Well, it preserves the vulnerabilities of the original C code, but theoretically doesn't introduce more vulnerabilities, so long as you trust a giant wall of unsafe Rust code (and mind that unsafe Rust is harder to write than C) and also you trust c2rust not to contain any unknown bugs.
I am open to the idea that this rewritten project may eventually be better but I don't know why you would assume something like this is better now.
I think this strongly implies their actual threat model _is_ "well, C will get pwned eventually and Rust probably won't" with no further analysis -- although I don't want to commit to that characterization because if I'm wrong about what they believe, I'm basically defaming them.
I don't think you get secure code without massive dev effort and actual testing against adversaries.
@pyrex @mhoye I don't know specifics on any of this, I just read an article on sudo-rs and it sold it pretty well: better test coverage, more maintainable code by removing obscure features, using a memory-safe language.
Based on the readme of rav1d, it looks to be early and not to have been cleaned up & refactored yet
Oh man -- it's possible the project comes off better in other venues? To be clear, I agree that removing obscure features is a good idea, and the readme.md hints at that. (but doesn't include a rationale for it)
I'm also possibly underestimating just how bad the actual quality of sudo is, fwiw! I'm used to using it, I may have bias in its favor.
Oh man! Yeah, so that's actually reassuring, imho? It at least suggests there's a clear reason for this tool to exist.
Same, if I were convinced both had undergone reasonable amounts of testing.
I haven't done enough research to know if sudo-rs has. AFAICT it explicitly hasn't ("an audit of sudo-rs will take place in September 2023" implies it hasn't happened yet) so I wouldn't use it now.
Maybe in a year if there aren't any CVEs that make my hair stand on end!
Matthew 
@mhoye does "<insert short description>, (re)written in Rust" count? Because that is everywhere these days.
Benjamin Fry@mhoye I don’t think I can agree. The language picked tells me a few things about it, is it easy to build and install from source if you have to, does it have decent dependency management such that I can verify there are no security vulnerabilities in the chain, is it a language I know so that I might contribute to it, are tests easy to run, will it be fast and cheap to run?
@bluejekyll @mhoye
Of course, you're right that the language, toolchain, & dependencies are important _features_ of a system (especially if it is a component that needs to fit into an existing ecosystem) but ... when _how_ something is built is touted above _what_ value it brings, you might as well be saying "Look, it is Hello World but in Prolang! Aren't I a genius."
Of course, you're right that the language, toolchain, & dependencies are important _features_ of a system (especially if it is a component that needs to fit into an existing ecosystem) but ... when _how_ something is built is touted above _what_ value it brings, you might as well be saying "Look, it is Hello World but in Prolang! Aren't I a genius."
@PixelJones @mhoye it depends. If something that is intended to be exposed to the internet, for example, and is built in Rust, I’m going to be inclined to believe it will provide more stability and security than say something built in C (or many other language choices).
The language choice based on intended uses is absolutely important as it can raise confidence in that applications ability to meat the goals you have.
Chris Siebenmann@mhoye I have one of those, but 'before' is 'earlier in the same sentence' and in my vague defense, it was my first Go program until it became too useful for me to stop using it. Then I threw it on Github.
(And at the time I wrote it, netcat was more feature-limited in my environments than it is today.)
daniel s.@mhoye throwing so much shade at rust it can't oxidize
vga256@mhoye i have the same policy for programmers
n3wjack@mhoye it's probably Go right?
Matt Palmer@mhoye @jwz I find it helpful to know whether the authors are completely unhinged before I bother to wrestle their installation instructions to the floor.
One thing far more irritating than this, though, is documentation that says "the format of this parameter is the $lang's X", typically without even a link to the canonical description of X. Golang's templating and interval formats are the most common example I trip up against. Google brainworms infecting everything.