Gergely Buday wrote:
> Larry Kilgallen wrote:
>
>> Is there participation on this list from the (hopefully larger number of)
>> CMU instructors who are teaching people to use safer languages in the first
>> place?
>>
> May anybody not from CMU enter the discussion about safer languages? ;-)
>
> I'm in favor of SML, as it has a number of implementations (some of
> them comparable to C in speed) and a formal definition ("well-typed
> programs do not go wrong") + a standard library.
>

SML is a nice & clean type safe language, and I don't mean to criticize it. However, if the goal is to be able to use industry-popular languages that are safe, it seems to me that we have entered a bright new phase of history. Python, Ruby, Java, and C# are all broadly popular in industry, and are all type safe. Java and C# are statically type safe. So why not use them?

For me, the enemy in the room is C++. It gives you the safety of C with the performance of SmallTalk. There is no excuse at all to be writing anything in C++ yet vastly too many applications are written in C++ anyway.

Instead of trying to coax developers to switch from C++ to something "weird" like SML, let's encourage them to switch to Java or C#, which are closer to their experience. Sure, there are likely to be ways in which SML is better than C# or Java. However, in security, the perfect is all too often the enemy of the good-enough. The big community hears security people talk about the high security approach that security geeks really want, considers the costs, goes back to doing things the old way, and ignores the security people. If security people instead pitch something that is feasible and makes the situation better, instead of asking for the moon, we will make more progress.

Crispin

--
Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
Director of Software Engineering, Novell http://novell.com
Hack: adroit engineering solution to an unanticipated problem
Hacker: one who is adroit at pounding round pegs into square holes
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php