پویان Pouyan

This reminds of the front rust is per se secure that gave us the sudo-rs disaster. The Anti-AI front war cry is ai is per se bad.

I’m tired of choosing sides and fighting battles that aren’t really mine. To me, categorical stances smell like virtue signaling. And I want no part of it.

#ai #rust #ubuntu #virtuesignalling

RE: https://toot.pouyan.net/objects/f714955d-d031-4895-bc5c-30493a887b60

Mar 14 at 4:28pmWeb
Show threadMartin 🧀Mar 14

@i I wouldn’t call sudo-rs a disaster. There was a security issue, it was fixed. That also happens in sudo (it got a CVE in january) or any software. New software has probably more bugs than old but it will mature.
Only fools are saying “rust is always secure and a rewrite is always better”.

For genAI, it’s different IMO, you can say “this has unacceptable issues, I don’t want to use it and will call to boycott anyone using it”.
You could do the same with crypto (or now US tech) for instance.

Show threadپویان Pouyan Mar 14

@mart_e I wouldn’t say that gen ai has “unacceptable issues” per se. For well documented and popular languages, the chances are that you’ll get a proper response. All the while, I understand that people don’t want to have it in their codebase

My point is: having strong feelings about something can negatively impact one’s judgement and at some point it’s not rational anymore, it’s just virtue signaling.

Show threadMartin 🧀Mar 14
@i what is unacceptable is a personal judgment. For instance, the environmental impact or the use of underpaid labor.
But I see what you mean, nuance is not an easy position ;-)
Show threadKornelMar 14

@i You're exaggerating with "disaster". CVE-2025-64170 was a UI issue exploitable only under rare circumstances and required ability to see victim's terminal.

Meanwhile OG sudo had more severe issues: https://www.sudo.ws/security/advisories/

so sudo-rs is an improvement overall.

Security Advisories

Sudo
Show threadپویان Pouyan Mar 14

@kornel I’ve got no issues with rust replacing existing tools. I have a problem with claiming that it would be then more secure by default because it’s written in rust.

P.S. Irrelevant to my original point: give sudo-rs a couple of more years, and it’ll accumulate some more CVEs.

Show threadMichał FitaMar 14
@i @kornel Fine. But promise you'll always compare that growing number with number of CVEs of the original. This condition is the only way under you're allowed to complain 😉
Show threadپویان Pouyan Mar 14

@michalfita I’ll be damned if I complained about something that was provided to me for free!

@kornel

Show threadKornelMar 15
@i there are numerous ways in which programming languages affect security and reliability of programs, in a systemic way.
The range of possibilities is the same for all turing-complete languages (you can make a perfectly secure program in theory, and you can ruin any foolproof safety feature with a sufficiently advanced fool), but the distribution of outcomes isn't the same.
So as a bayesian prior, I think such claim is valid. There's a decade of track record for it.
Show threadپویان Pouyan Mar 15
@kornel Rust helps avoiding memory safety issues (which comprise a lot of registered CVEs). But it does not automagically produce “safe” and “secure” code. People make mistakes, and then some more.
Show threadKornelMar 16
@i You seem to apply a strict definition of "safe"/"secure" meaning nothing counts below absolute perfection, which is more of an argument about linguistic/semantics of the wording used, rather than the technical benefits of the language.
Rust has features that broadly improve quality and reliability too, eg. sum types help catch mistakes in stateful data and missed error handling. They're incremental improvements rather well-defined guarantees like borrow checking, but still helpful in practice
Show threadBennolius 😷⚡Mar 15
@i don't pretend it's rational saying people aren't allowed to take a stance on generative AI.