On 04/09/2014 01:43 PM, Dave Stevens wrote: > Quoting Tim <ignored_mail...@yahoo.com.au>: > >> Allegedly, on or about 08 April 2014, Jonathan Ryshpan sent: >>> It's an interesting question why Net infrastructure code continues to >>> be written in C, a language that provides no automatic checks for >>> buffer overflow, which (if I understand right) is the opening for this >>> security breach, along with so many others. And why is the code run >>> on hardware that provides no such checks? There have been languages >>> and system that check for overflow available for 40 years. Why >>> doesn't anyone use them? >> >> Only the other day I was thinking similarly: That almost every exploit >> that I read about, over the last umpteen years, was a buffer overflow; >> and why is it so? Are programmers such morons that they accept all data >> without care, rather than only accept what you actually expect? > > I would say they're badly trained. The cost/benefir ration between > hardware and programmer time has changed drastically to the point > where hardware is practically free but programmer time, > notwithstanding offshoring, is expensive. The institutional inertia is > so large that education consists largely of teaching the students to > do well what their instructors would like to have been taught. Not a > viable way forward. > > Dave > All this is understood. But, consider the transition from C to a more modern, safer coding language with respect to developing a new OS, or even re-coding Linux and Unix. But that may be coming. For instance almost all coding in Android is in Java. The Android runs 1 but JVM (Dalvik). But, the underlying OS is still the Linux kernel. Possibly we should design a chipset that is a JVM. But, regardless of the computer language, bugs will be present. I've been moving some of our code from Subversion (stable and written in C) to another source control system written in Java. That source control system crashes frequently and leaves core dumps..
My point is that it is not the computer language that causes the bugs,
it is the programmer. There are many tools out there a programmer can
use to analyze his/her code to find potential errors such as buffer
overflows. So, let's say that we built a chip that is essentially a JVM
and code everything in Java, will we have fewer bugs? No because sloppy
coding techniques will exist regardless of the computer language.
Bounds-checking an array, or generating bounds-checking in the code has
been around C a long time. But we generally don't use it because it
costs too much in performance.
But, we are stuck with C for a while because that is what Linux and Unix
are written. While Java is an excellent language I don't see it
replacing C at the OS level, but it is almost there in Android.
--
Jerry Feldman <g...@blu.org>
Boston Linux and Unix
PGP key id:3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
signature.asc
Description: OpenPGP digital signature
-- users mailing list users@lists.fedoraproject.org To unsubscribe or change subscription options: https://admin.fedoraproject.org/mailman/listinfo/users Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines Have a question? Ask away: http://ask.fedoraproject.org
