Slashdot Mirror

← Back to Stories (view on slashdot.org)

Tor Browser Will Feature More Rust Code (bleepingcomputer.com)

Posted by EditorDavid on from the Rusty-routers dept.

An anonymous reader writes: "The Tor Browser, a heavily modified version of the Firefox browser with many privacy-enhancing features, will include more code written in the Rust programming language," reports BleepingComputer. In a meeting held last week in Amsterdam, Tor developers decided to slowly start using Rust to replace the C++ code. The decision comes after Mozilla started shipping Rust components with Firefox in 2016. Furthermore, Rust is a memory-safe(r) language than C++, the language used for Firefox and the customized Tor code, which means less memory corruption errors. Less of these errors means better privacy for all.
"Part of our interest in using safer languages like Rust in Tor is because a tiny mistake in C could have real consequences for real people," Tor developer Isis Agora Lovecruft posted on Twitter, adding "Also the barrier to entry for contributing to large OSS projects written in C is insanely high."

20 of 149 comments (clear)

  1. And the barrier for Rust isn't? by AuMatar · · Score: 3, Insightful

    I'm pretty sure the number of programmers who know C is several orders of magnitude higher than Rust.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:And the barrier for Rust isn't? by ljw1004 · · Score: 4, Insightful

      I'm pretty sure the number of programmers who know C is several orders of magnitude higher than Rust.

      I can't imagine that being a problem. Rust is a familiar looking language designed not to have shoot-yourself-in-the-foot holes. I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

    2. Re:And the barrier for Rust isn't? by ljw1004 · · Score: 5, Informative

      You want an app that's supposed to protect your security online to be written by someone who hasn't studied or used the language but decided they could do well enough "within a day"? Yeah, no thanks.

      Honestly, yes. A clean language like Rust means that you won't get problems due to misuse of the language no matter how new you are to it; only due to misunderstanding of algorithms or architecture or security principals. The whole point of the comparison with C is that after a decade of experience in C you'll still find accidental security flaws due to unspotted buffer overruns or read-after-free.

    3. Re:And the barrier for Rust isn't? by IAN · · Score: 4, Informative

      Quick goggle tells me that rust compiler is written in C.

      That's why nobody seriously uses Goggle. Now if you tried Google, you'd get a snippet mentioning a "self-hosting compiler written in Rust" as the first result.

      (Yes, Rust's code generation backend is LLVM, written in C++. Don't try to build strawmen out of this.)

    4. Re:And the barrier for Rust isn't? by DrXym · · Score: 2
      The Rust compiler is written in Rust, i.e. its self hosting. It was originally written in OCaml but has been ported to itself for a long time.

      However it emits bitcode which is optimized and transformed into machine code by LLVM. So after code has passed the multitude of safety checks in the front end it shares a substantial portion of its toolchain with Clang and other languages that make use of LLVM.

    5. Re:And the barrier for Rust isn't? by Raenex · · Score: 2

      I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

      Are you a manager? Do you actually code in Rust? Because while I don't code in Rust, I spent some time with it to understand what kind of guarantees it provides. There are several concepts that you have to wrap your head around and become familiar with before you can write code and know what's going on at a fundamental level.

    6. Re:And the barrier for Rust isn't? by bugs2squash · · Score: 2

      The barriers I've encountered are typically only coincidental to C. It's that half the code appears to be written in m4 or something equally impenetrable.

      --
      Nullius in verba
  2. Re:Well rust must be reallllly good... by KiloByte · · Score: 4, Funny

    No one is suicidal enough to write critical code in C. What would happen if someone wrote, say, a kernel, in C!?!

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
  3. Uh-huh by 93+Escort+Wagon · · Score: 2, Interesting

    "Part of our interest in using safer languages like Rust in Tor is because a tiny mistake in C could have real consequences for real people," Tor developer Isis Agora Lovecruft posted on Twitter[.]

    This line of thinking seems eerily similar to the arguments people make when they choose to roll their own encryption rather than rely on a pre-existing project like openssl.

    --
    #DeleteChrome
    1. Re:Uh-huh by phantomfive · · Score: 2

      In other words, "please someone else please do lots of hard but pointless work for me so that I may pretend to be productive [postgresql.org]."

      It's actually amazing to me how maturely and respectfully the Postgresql guys responded to that. They are truly a mellow bunch.

      --
      "First they came for the slanderers and i said nothing."
  4. Rust never sleeps by Anonymous Coward · · Score: 4, Funny

    This is a browser for Johnny Rotten

  5. I am all for it by Anonymous Coward · · Score: 4, Interesting

    I am all for it. I know there will appear a group of people here bragging how they are good programmers and never do memory bugs in C. Maybe it is true, maybe not. Still, show me even one bigger project written in C that never had any memory management related bug!

    In a bigger project, you will not have just have programmers belonging to this elite. You will also attract less skilled developers. This could partly be solved by having more peer-review, but the more peer-review you have of the code and the more checks you do before committing, the slower the development process becomes. And even high class projects with amazing history of C usage like, OpenBSD, occasionally have their bugs.

    My opinion is that it is better if the peer-review time and development time is spent on getting the algorithms correct rather than hunting around for memory handling issues.

    My biggest concern about this move is the state of Rust. It is still somewhat "unstable" as it is a young language with heavy development.

  6. Re:If it's scary, then you don't know C. by dunkelfalke · · Score: 2

    And yet there is no good reason to use C for anything outside certain special fields like drivers or operating system kernels, and even in these fields usage of C becomes more and more questionable.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  7. Re:If it's scary, then you don't know C. by dunkelfalke · · Score: 2

    Matter of fact, yes. And this only drives my point home harder. I had to port a few of these for a proprietary embedded system. Ultimately it was easier to rewrite them in clean C++ and maintain the result than to maintain the original mess of code (and I am not really a C++ fan). There is no good reason to use primitive tools if advanced tools can do the job in a safer and more comfortable way. Only use primitive tools when advanced tools are unfit for the task on hand.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  8. Re:Well rust must be reallllly good... by K.+S.+Kyosuke · · Score: 4, Informative

    What would happen if someone wrote, say, a kernel, in C!?!

    The thing you observe around you right now: holes in kernels, servers, browsers, virtual machines, regular security announcements... (Because everyone decided to repeat the same mistake.)

    --
    Ezekiel 23:20
  9. Re:Well rust must be reallllly good... by DrXym · · Score: 2

    A tiny mistake in C++ can be just as fatal. Besides which C++ is mostly a superset of C so it can make all the mistakes that C allows and a whole heap of its own on top.

  10. Re:If it's scary, then you don't know C. by roca · · Score: 2

    Using some wrapper library to force dynamic checks on all pointer accesses would mean giving up all the advantages of using C in the first place.

  11. Firefox is a project without a system engineer by Big+Smirk · · Score: 4, Insightful

    Is it so hard to write code that compiles with 0 errors and 0 warnings that will pass valgrind with with 0 warnings?

    Firefox (and by extension Tor) need to figure out why with 70+ threads they still have deadlocks. Perhaps they need a language that doesn't do threading?

    Actually I exaggerated, currently Firefox is only using 68 threads to display this page...

    Project without a _REAL_ system engineer?

    --
    TODO: create/find/steal funny sig.
  12. Can somebody mod down ljw1004's disinformation? by Anonymous Coward · · Score: 2, Informative

    I'd expect a good developer, who's already familiar with other languages, to be contributing good PRs in Rust within a day.

    This is not true at all.

    Can somebody please mod down ljw1004's disinformation? I don't think he's ever even used Rust. Anybody who has actually used it would never make the claim that he just made.

    Rust is not an easy language to learn.

    Even people with extensive academic experience, years of industry experience, and an excellent understanding of a complex language like C++ will find Rust's learning curve to be steep. "Lesser" programmers will have a much, much more difficult time with it.

    Based on my experience and that of a number of very experienced and skilled programmers that I know, it would take at minimum of 2 weeks for a talented programmer to become barely proficient with it. Two or three months is a more reasonable time frame for an average programmer.

    Rust is not a language like Java, C#, Python, or Go, where a good C++ programmer can be writing high-quality code within a few days. It's much more like Haskell, where even experienced practitioners need a lot of time (measured in weeks or months) to truly understand its concepts and nuances.

    Anyone who claims that Rust can be learned well "within a day" is full of bullshit.

  13. Re:Well rust must be reallllly good... by erapert · · Score: 2

    Java has been around for over 20 years. JavaScript has been around for over 20 years. C# has been around for over 15 years. Haskell has been around for over 25 years. Python has been around for over 25 years. Go has been around for over 7 years. Rust 1.0 was released almost 2 years ago. There are many other "safe" languages that I haven't mentioned.

    If you knew anything at all about software you would know the implications that garbage collection has on performance. It's a good thing you posted as AC because otherwise you would have just embarrassed yourself to the point that you'd probably be down-modded for the next fifty years.

    So given all of this time, and all of these different non-C/non-C++ languages, why have we seen almost none of the types of software you listed be successfully implemented using them?

    To reiterate: because performance.

    Web browsers written in non-C/non-C++ languages have all been failures. Xena/Javagator was a failure. HotJava Browser was a failure. Grails was a failure. Servo is shaping up to be a colossal failure.

    Servo was never intended to be actually used-- It's just an experimental prototype for research.

    Face it, C and C++ have proven themselves to be the only languages capable of being used successfully for the types of software that you listed. Despite having had allegedly "safer" languages for decades and decades now, we haven't seen anyone come up with anything to successfully replace the software written in languages like C or C++.

    I like C++. But you're mistaken in thinking that Rust should be compared to JIT languages like C# or Java or Javascript or to automatic garbage collected languages like Go or D. Yes, the details matter and Rust does have promise.

    Time will tell whether C++ evolves and outpaces Rust or whether Rust's standard library and general ecosystem are better.

    At this moment, though, it looks like Rust is roughly equivalent to C++ for performance which is not too surprising since rustc uses LLVM as its backend for compilation. I also think Cargo and crates are superior to the C++ way of handling libraries-- in the sense that a package manager is superior to manually finding libs and installing packages.