Message-ID: <CAMP44s3DYzwnKbRoiUBAWBVGEc8M78wkkD-DAkJDK=qZmXNtZw@mail.gmail.com>
Date: Mon, 24 Feb 2025 14:27:20 -0600
From: Felipe Contreras <felipe.contreras@...il.com>
To: Dave Airlie <airlied@...il.com>
Cc: Boqun Feng <boqun.feng@...il.com>, gregkh@...uxfoundation.org, hch@...radead.org, 
	hpa@...or.com, ksummit@...ts.linux.dev, linux-kernel@...r.kernel.org, 
	miguel.ojeda.sandonis@...il.com, rust-for-linux@...r.kernel.org, 
	torvalds@...ux-foundation.org
Subject: Re: Rust kernel policy

Dave Airlie wrote:
>
> On Fri, 21 Feb 2025 at 15:59, Felipe Contreras
> <felipe.contreras@...il.com> wrote:
> >
> > Boqun Feng wrote:
> > >
> > > On Thu, Feb 20, 2025 at 11:19:09PM -0600, Felipe Contreras wrote:
> > > > Greg KH wrote:
> > > > > But for new code / drivers, writing them in rust where these types of
> > > > > bugs just can't happen (or happen much much less) is a win for all of
> > > > > us, why wouldn't we do this?
> > > >
> > > > *If* they can be written in Rust in the first place. You are skipping that
> > > > very important precondition.
> > >
> > > Hmm.. there are multiple old/new drivers (not a complete list) already
> > > in Rust:
> >
> > That is a black swan fallacy. Just because you've seen 4 white swans
> > that doesn't mean all swans are white.
> >
> > > , so is there still a question that drivers can be written in Rust?
> >
> > I didn't say no driver can be written in Rust, I questioned whether *all*
> > drivers can be written in Rust.
> >
> > People are operating under that assumption, but it isn't necessarily true.
>
> That doesn't make sense, like you could make a statement that not all
> drivers could be written in C, but it would be trash, so why do you
> think rust is different?

Because different languages are different?

Just because B is in the same category as A doesn't mean that B can do
everything A can.

C has had more than 35 years of stability, Rust has had only 10, and
I've stumbled upon many compatibility issues after it was supposedly
stable.

Even compiling linux on a compiler other than gcc has been a
challenge, but somehow getting it to compile on an entirely new
language would not be a problem?

I find it interesting that most senior linux developers say the same
thing "I don't know much about Rust", but then they make the
assumption that everything that can be done in C can be done in Rust.
Why make that assumption?

Especially when we already know that the Rust for Linux project has
used many unstable features [1], precisely because compiling for linux
isn't a walk in the park.

But this is not how logic works. You don't get to say "god exists,
prove me wrong". Anyone who claims that *all* drivers can be written
in Rust has the burden of proof. I don't have the burden of proof
because saying that something isn't necessarily true is the default
position.

> if you said 100% safe rust I'd agree, but that isn't the goal.

The *only* advantage that has been sold to linux developers is that a
whole category of bugs would be gone -- that is in fact what Greg was
arguing, but now you say maybe the code cannot be "100% safe". OK,
what is the minimum you expect? 80% safe?

But even if a driver is written in 80% safe Rust, that doesn't
necessarily mean a whole category of bugs is gone for 80% of the code
because compilers -- like all software -- aren't perfect, and the Rust
compiler has been known to introduce memory-safety issues in the past.

So who is to say some drivers aren't going to stumble into compiler
bugs even in "100% safe" Rust code?

I don't understand why I have to explain that theory isn't the same
thing as practice, I thought the Linux project of all places would get
that.

[1] https://github.com/Rust-for-Linux/linux/issues/2

-- 
Felipe Contreras
