Thomas Bushnell, BSG <tbushn...@google.com>:
> On Fri, Jan 11, 2019 at 9:33 AM Eric S. Raymond <e...@thyrsus.com> wrote:
> 
> > Thomas Bushnell, BSG <tbushn...@google.com>:
> > > Suppose it has a way, however. Now you have Go code which will have a
> > > bounds fault instead of a data leak. That's better, I suppose - the
> > > resulting bug is now "the server crashes" instead of "the server maybe
> > > leaks a key". This is an improvement, but a packet-of-death across a widely
> > > used library this puts the world in a not dissimilar position in terms of
> > > the level of panic and rapid response everybody needs.
> >
> > The difference is that an overt bug will elicit a fast fix.
> >
> 
> Was the Heartbleed fix particularly delayed? It seemed to me to be
> all-hands-on-deck.

No, but *noticing* it was delayed.  Always easier to notice a crash bug
than an exploit with subtler consequences.

> Also, this isn't part of your argument in the past; I would encourage you
> to make it explicitly, rather than treating it as a matter of "by
> transpiling we'll eliminate this category of security flaw". If the story
> is actually "we'll make the bugs more visible and people will panic sooner,
> resulting in a faster fix", that's a different argument, and I'd encourage
> making it explicitly instead of implicitly.

Fair enough.

My general claim is that graceful transpilation to Go, if it can be
achieved, will both eliminate significant classes of bugs *and* flush
others into the open.  Both seem obvious consequences of (1) GC, (2)
improved type-checking, and (3) runtime bounds-checking.

But maybe CCured is a better answer. I intend to investigate that.
-- 
                <a href="http://www.catb.org/~esr/">Eric S. Raymond</a>

My work is funded by the Internet Civil Engineering Institute: https://icei.org
Please visit their site and donate: the civilization you save might be your own.
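
An added illustration of the "bounds fault instead of a data leak" point debated above; it is not code from anyone in the thread. The record layout and the names `echoUnchecked`, `echoChecked` and `tryEcho` are hypothetical. It shows that Go's runtime check on a re-slice is made against the buffer's capacity, so the over-long length claim panics on an exact-size buffer but returns stale bytes from a reused, larger one, and an explicit length check is still needed.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed record layout: 2-byte big-endian claimed length, then payload.
var errBadLength = errors.New("claimed length exceeds record")

// echoUnchecked trusts the claimed length, like a heartbeat handler with no check.
// Go checks the slice bound at run time, but against cap(rec), not len(rec).
func echoUnchecked(rec []byte) []byte {
	n := int(binary.BigEndian.Uint16(rec[:2]))
	return rec[2 : 2+n]
}

// echoChecked validates the claim against the bytes actually received.
func echoChecked(rec []byte) ([]byte, error) {
	if len(rec) < 2 || int(binary.BigEndian.Uint16(rec)) > len(rec)-2 {
		return nil, errBadLength
	}
	return rec[2 : 2+int(binary.BigEndian.Uint16(rec))], nil
}

// tryEcho turns the runtime bounds panic into a flag so both outcomes can be shown.
func tryEcho(rec []byte) (out []byte, panicked bool) {
	defer func() {
		if recover() != nil {
			out, panicked = nil, true
		}
	}()
	return echoUnchecked(rec), false
}

func main() {
	rec := []byte{0, 12, 'h', 'i'} // claims 12 payload bytes, carries 2; len == cap
	_, crashed := tryEcho(rec)
	fmt.Println("exact-size buffer panics:", crashed)
	pool := make([]byte, 32) // reused read buffer still holding older bytes
	copy(pool, rec)
	copy(pool[4:], "STALE-KEY!") // constructed leftover data
	out, crashed := tryEcho(pool[:4])
	fmt.Printf("pooled buffer: panicked=%v out=%q\n", crashed, out)
	_, err := echoChecked(pool[:4])
	fmt.Println("checked:", err)
}
```

Slicing the received record with a full slice expression (`pool[:4:4]`) caps its capacity at its length and restores the panic in the pooled case.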

