Hi,

Sorry for the delay on this one (I have a huge mail backlog).

On Mon, 31 Mar 2025 16:09:07 +0300 Wael Karram <w...@waelk.tech> wrote:
> > If you can avoid using ClamAV or any similar tool it might improve
> > security as ClamAV's goal is to parse/scan untrusted files, and that
> > is very difficult to do safely with languages like C.
> That is quite off-topic and factually incorrect, please don't spread
> C++/Rust-inspired FUD.
> Case in point seL4, OpenBSD... etc.

To clarify things, I was mostly talking about the use case of ClamAV here: it's meant to parse malicious files, so sandboxing would help a lot here.

It's also possible to make C memory-safe or pretty safe with complete or almost complete test coverage and by running the tests with tools that are meant to detect memory safety issues (some projects have that), and/or with good code reviews.

And some modern memory-safe languages also bring in different types of security vulnerabilities not found in C (like losing control of the dependencies because they don't rely on distributions), or even privacy issues for people compiling Go programs with the Go compiler, and what kind of security you need depends a lot on the context.

Crypto code has different requirements, for instance, and also requires language support to be able to erase secrets, not enable side-channel attacks, etc., and all that does require a threat model anyway.

Denis.
_______________________________________________
Dev mailing list
Dev@lists.parabola.nu
https://lists.parabola.nu/mailman/listinfo/dev