Mozilla Firefox Open Source Privacy Programming

Tor Browser Will Feature More Rust Code (bleepingcomputer.com) 149

An anonymous reader writes: "The Tor Browser, a heavily modified version of the Firefox browser with many privacy-enhancing features, will include more code written in the Rust programming language," reports BleepingComputer. In a meeting held last week in Amsterdam, Tor developers decided to slowly start using Rust to replace the C++ code. The decision comes after Mozilla started shipping Rust components with Firefox in 2016. Furthermore, Rust is a more memory-safe language than C++, the language used for Firefox and the customized Tor code, which means fewer memory corruption errors. Fewer of these errors means better privacy for all.
"Part of our interest in using safer languages like Rust in Tor is because a tiny mistake in C could have real consequences for real people," Tor developer Isis Agora Lovecruft posted on Twitter, adding "Also the barrier to entry for contributing to large OSS projects written in C is insanely high."

  • by AuMatar ( 183847 ) on Sunday April 02, 2017 @10:52PM (#54162427)

    I'm pretty sure the number of programmers who know C is several orders of magnitude higher than Rust.

    • by ljw1004 ( 764174 ) on Monday April 03, 2017 @12:04AM (#54162591)

      I'm pretty sure the number of programmers who know C is several orders of magnitude higher than Rust.

      I can't imagine that being a problem. Rust is a familiar looking language designed not to have shoot-yourself-in-the-foot holes. I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

      • by AuMatar ( 183847 )

        You want an app that's supposed to protect your security online to be written by someone who hasn't studied or used the language but decided they could do well enough "within a day"? Yeah, no thanks.

        • by ljw1004 ( 764174 ) on Monday April 03, 2017 @12:32AM (#54162661)

          You want an app that's supposed to protect your security online to be written by someone who hasn't studied or used the language but decided they could do well enough "within a day"? Yeah, no thanks.

          Honestly, yes. A clean language like Rust means that you won't get problems due to misuse of the language no matter how new you are to it; only due to misunderstanding of algorithms or architecture or security principles. The whole point of the comparison with C is that after a decade of experience in C you'll still find accidental security flaws due to unspotted buffer overruns or read-after-free.

      • Try getting a hiring manager to believe that.
      • by Raenex ( 947668 )

        I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

        Are you a manager? Do you actually code in Rust? Because while I don't code in Rust, I spent some time with it to understand what kind of guarantees it provides. There are several concepts that you have to wrap your head around and become familiar with before you can write code and know what's going on at a fundamental level.

        • What fundamental level? It's 2017! We don't care about how the shit works, we just want it to work. You must be one of those stick-in-the-mud "I want to be smart" people. Haven't you noticed your kind are going the way of the dodo bird..

      • by Anonymous Coward

        I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

        This is not true at all.

        Can somebody please mod down ljw1004's disinformation? I don't think he's ever even used Rust. Anybody who has actually used it would never make the claim that he just made.

        Rust is not an easy language to learn.

        Even people with extensive academic experience, years of industry experience, and an excellent understanding of a complex language like C++ will find Rust

    • by Anonymous Coward

      I'm pretty sure the number of programmers who think they know C is several orders of magnitude higher than Rust.

      There, fixed that for you.

      • by WarJolt ( 990309 )

        You still didn't get it right...

        I'm pretty sure the programmers who know Rust are several orders of magnitude better programmers.

    • by _KiTA_ ( 241027 )

      ITT: The Holy Wars begin.

    • Who makes more safety-related mistakes, ten C-niks or one Rustnik? Not to mention that you need a fixed small number of programmers for the project, you're not interested in luring the whole global community.
    • I'm pretty sure the number of programmers who know C is several orders of magnitude higher than Rust.

      You don't get it. In every respectably-sized C project, there are lots of assumptions about "objects" lifecycles (who allocates, who has to free), concurrency access, etc. Unless you have spent a long time in the code it's difficult to know all the conventions used throughout the project, and you're pretty sure you'll shoot yourself in the foot the first time you'll try to modify the code.

      In Rust, all these conventions are encoded in the type system and are checked by the compiler. Which means that when you

    • The barriers I've encountered are typically only coincidental to C. It's that half the code appears to be written in m4 or something equally impenetrable.
  • by Anonymous Coward

    "because a tiny mistake in C could have real consequences for real people"
    Seems rust is an ai that churns out code which can never do evil.

    • by KiloByte ( 825081 ) on Sunday April 02, 2017 @11:17PM (#54162487)

      No one is suicidal enough to write critical code in C. What would happen if someone wrote, say, a kernel, in C!?!

      • What would happen if someone wrote, say, a kernel, in C!?!

        The users would probably be subjected to an endless treadmill of updating their kernel packages and rebooting each of their machines every couple of weeks.

      • by Anonymous Coward

        But that's really just it though, isn't it? You write core functionality like a kernel in C, but it's a relatively small part of the overall code base - it's a part to which you devote a disproportionate amount of time relative to its size because you absolutely must get it right and because hand crafting performance into it is incredibly important.

        You wouldn't then however go and take C all the way up to your web stack, because that would be fucking stupid - the cost and time to productivity and security rat

      • by K. S. Kyosuke ( 729550 ) on Monday April 03, 2017 @05:00AM (#54163151)

        What would happen if someone wrote, say, a kernel, in C!?!

        The thing you observe around you right now: holes in kernels, servers, browsers, virtual machines, regular security announcements... (Because everyone decided to repeat the same mistake.)

    • by Anonymous Coward

      What is it with this perfect solution fallacy based Rust meme? No one is saying Rust can prevent all coding problems, except those of you creating strawmen. But solving some common mistakes is still a step forward, even if it is not solving all possible mistakes and problems.

    • "because a tiny mistake in C could have real consequences for real people"

      As opposed to, "because a tiny mistake in C could have virtual consequences for virtual people."

      C'mon . . . this is 2017 . . . nobody does anything real anymore . . . everything is virtual these days.

      Remember:
      If it's there, and you can see it . . . it's real.
      If it's not there, but you can see it . . . it's virtual.
      If it's not there, and you can't see it . . . it's gone.

      Virtual people have virtual problems on virtual TV shows.

      So, there!

      • If it's there, and you can see it . . .
        If it's not there, but you can see it . . .
        If it's not there, and you can't see it . . .

        We should ask Donald Rumsfeld about this then.
        Also, for the case of "If it's there, but you can't see it".
        Alternatively you might have something to teach Rumsfeld about!

  • Uh-huh (Score:3, Interesting)

    by 93 Escort Wagon ( 326346 ) on Sunday April 02, 2017 @11:24PM (#54162503)

    "Part of our interest in using safer languages like Rust in Tor is because a tiny mistake in C could have real consequences for real people," Tor developer Isis Agora Lovecruft posted on Twitter[.]

    This line of thinking seems eerily similar to the arguments people make when they choose to roll their own encryption rather than rely on a pre-existing project like openssl.

    • tbh if you did roll your own encryption instead of relying on openssl, there's a reasonable chance your code would end up being more secure. Your chances of success entirely depend on how good you are at programming.
      • by Anonymous Coward

        From a code quality point of view, absolutely. OpenSSL is a horribly written, poorly documented codebase with a long history of coding mistakes.

        From a cryptography point of view -- beware. There are a huge number of gotchas. It's not enough to implement the TLS and PKI specs to the letter. You have to make sure that your code is resistant to side-channel (timing) attacks, oracle attacks, workarounds for buggy clients/servers, workarounds for weaknesses in the spec, etc. Most of that comes about through tria

  • is able to discover the origins of onion routing users. A change in code is nice but does not change the ability to track and find.
  • by Anonymous Coward

    " for real people," Tor developer Isis Agora Lovecruft posted on Twitter, adding "Also the barrier to entry for contributing to large OSS projects written in C is insanely high"

    This is completely orthogonal to designing a secure browser.

    • It's hard to add productive code to a large existing project. Large existing projects are mostly written in C. Therefore it's hard to contribute to C projects.

      If this is what passes for logic among the Rusty Firefox set, I'll avoid it.

  • by Anonymous Coward on Sunday April 02, 2017 @11:46PM (#54162557)

    This is a browser for Johnny Rotten

  • I am all for it (Score:4, Interesting)

    by Anonymous Coward on Monday April 03, 2017 @12:05AM (#54162599)

    I am all for it. I know there will appear a group of people here bragging how they are good programmers and never do memory bugs in C. Maybe it is true, maybe not. Still, show me even one bigger project written in C that never had any memory management related bug!

    In a bigger project, you will not just have programmers belonging to this elite. You will also attract less skilled developers. This could partly be solved by having more peer-review, but the more peer-review you have of the code and the more checks you do before committing, the slower the development process becomes. And even high class projects with an amazing history of C usage, like OpenBSD, occasionally have their bugs.

    My opinion is that it is better if the peer-review time and development time is spent on getting the algorithms correct rather than hunting around for memory handling issues.

    My biggest concern about this move is the state of Rust. It is still somewhat "unstable" as it is a young language with heavy development.

    • by Anonymous Coward

      Still, show me even one bigger project written in C that never had any memory management related bug!

      Show me one bigger project completely written in Rust.

  • Isn't that all that really matters? Who cares even if it's 100% written in binary code? (I mean my hat off to whomever would be fucking crazy enough to do something like that)

    Am I getting my point across?

  • by Big Smirk ( 692056 ) on Monday April 03, 2017 @07:05AM (#54163459)

    Is it so hard to write code that compiles with 0 errors and 0 warnings that will pass valgrind with 0 warnings?

    Firefox (and by extension Tor) need to figure out why with 70+ threads they still have deadlocks. Perhaps they need a language that doesn't do threading?

    Actually I exaggerated, currently Firefox is only using 68 threads to display this page...

    Project without a _REAL_ system engineer?

    • by gtall ( 79522 )

      This sounds like the same sort of mentality that gave us Java. Sun created Java in its own image, so it encouraged extra threads and creation of lots of objects because they figured it would run on big machines. They sold it though as something that would run everywhere. The threading and objects made it run like a dog on small machines.

    • by Anonymous Coward

      Wonder what you'll think about Chrome and Google when you realize it needs even more resources to do the same job without much benefit, and still with the same warnings, memory leaks, deadlocks and other crap that we know and love.
