A Practical Guide to Transitioning to Memory-Safe Languages - Turning off the spigot of vulnerabilities: a new strategy for memory safety (queue.acm.org)

submitted 4 weeks ago* (last edited 4 weeks ago) by HaraldvonBlauzahn@feddit.org to c/linux@lemmy.ml

2 comments fedilink hide all child comments

cross-posted from: https://feddit.org/post/21743329

Fortunately, data demonstrates that making a better choice does not require daunting multiyear rewrites of existing codebases. Security can be dramatically improved by incrementally shifting the development of just new code to memory-safe languages. If these vulnerabilities can be avoided with low impact on other development goals, then choosing to introduce new ones should increasingly be considered unacceptable, and our goal should be for vulnerabilities to become increasingly impossible to introduce.

[...] This leads to a counterintuitive insight that defies some popular anecdotes: The most vulnerable code in your project is not some dusty legacy component, but the code being written today. This is because, like most bugs, vulnerabilities have a half life. The longer code exists and is exercised, the more likely its flaws are to be found and fixed, leaving the freshest code with the highest concentration of bugs.

[....]

Beyond stability, there have also been gains in development velocity. Change lead time, the time it takes for a code commit to be successfully deployed, is a critical measure of efficiency. One of the largest factors in this metric is often code-review latency. Our data shows a fascinating trend: As our developer community has gained experience with Rust, the time required for code reviews has decreased (see figure 4b). Rust changes tend to go through fewer revisions and spend less time in the review cycle, with an approximately two times faster median code review in 2024 compared with C++.

top 2 comments

sorted by: hot top controversial new old

[-] boredsquirrel@slrpnk.net 1 points 4 weeks ago

Recompile C projects with Zig

[-] trevor@lemmy.blahaj.zone 4 points 4 weeks ago* (last edited 4 weeks ago)

Zig isn't memory safe by default. Safety needs to be opted-in to, which isn't free.

And merely recompiling C projects with the (very good) Zig toolchain wouldn't add any form of memory safety whatsoever as far as I'm aware. You can get some safety checks that way, but you still have to fix the buggy C code manually, which is a nontrivial task in best-case scenarios.

this post was submitted on 17 Nov 2025

23 points (100.0% liked)

Linux

57274 readers

696 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Posts must be relevant to operating systems running the Linux kernel. GNU/Linux or otherwise.
No misinformation
No NSFW content
No hate speech, bigotry, etc

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 6 years ago

MODERATORS

AgreeableLandscape@lemmy.ml

nooter692@lemmy.ml

MarcellusDrum@lemmy.ml

cypherpunks@lemmy.ml

cyclohexane@lemmy.ml

d3Xt3r@lemmy.nz