The code and data behind xeiaso.net

update article with a better conversation snippet

Signed-off-by: Xe Iaso <me@christine.website>

Xe Iaso 2c23dbb5 a4ba1e20

+20 -12
blog/🥺.markdown
··· 39 39 amount of code involved in order to prevent vulnerabilities from being a 40 40 problem?</xeblog-conv> 41 41 42 - <xeblog-conv name="Cadey" mood="coffee">God I wish they did. They wrote the 43 - program in C, (as far as I can tell) have no intention of rewriting it in Rust, and it's had 44 - [many](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809) 45 - [viable](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156) 46 - [attacks](https://www.sudo.ws/security/advisories/sudoedit_selinux) over the 47 - years that allowed attackers to gain root privileges and worse. It's also 48 - debatable if the entire concept of privilege separation as implemented in Linux 49 - and UNIX was a bad idea to begin with but we're stuck with it because of an 50 - endless ball of legacy programs controlled by egotistical open source people 51 - that refuse to change because then [obscure targets that nobody uses won't be 52 - able to leech off of the rest of the ecosystem by holding back any chance to let 53 - us have a modicum of nice things](https://lwn.net/Articles/845535/).</xeblog-conv> 42 + <div class="warning">A prior version of this conversation snippet was badly 43 + phrased. You are reading an edited version in case this is relevant in internet 44 + comment arguments.</div> 45 + 46 + <xeblog-conv name="Cadey" mood="coffee">I don't know about the code quality 47 + standards of the sudo project, but overall I don't see them doing any concerted 48 + effort to try to migrate away from C (or to reduce the complexity of sudo) and 49 + there are 50 + [frequent](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22809) 51 + [security](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156) 52 + [vulnerabilities](https://www.sudo.ws/security/advisories/sudoedit_selinux) that 53 + result in attackers getting root access anyways. 
I really wish the industry as a 54 + whole would take languages like Rust a bit more seriously and start actually 55 + moving towards programs being safer to use because security vulnerabilities in 56 + core infrastructure result in emergency patches. It was disappointing to see [an 57 + attempt at using Rust in an important Python library torpedoed by users of 58 + obscure architectures not supporting Rust](https://lwn.net/Articles/845535/). 59 + Maybe the solution there is to use WebAssembly as a compile target instead of 60 + making everything be native code. I wouldn't wish hppa's reverse stack growth on 61 + anyone trying to write a compiler though.</xeblog-conv> 54 62 55 63 <xeblog-conv name="Aoi" mood="sus">Oh god...</xeblog-conv> 56 64
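Review bot: the closing aside in the new Cadey paragraph (the sentence beginning "Maybe the solution there is to use WebAssembly as a compile target") skips a step. The linked LWN episode is described in the same paragraph as "obscure architectures not supporting Rust", and a wasm build only sidesteps that if those same architectures ship a wasm runtime, which the text does not claim; either add that qualifier or drop the aside, since the hppa stack-growth joke that follows already makes the point that obscure targets are a burden. Minor: "getting root access anyways" should read "anyway", and "frequent" is a strong word to hang on three linked advisories; "recurring" or stating the span of time they cover would make the claim easier to defend in the comment arguments the new `<div class="warning">` anticipates.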