I’m not writing this to criticize the uutils team. Quite the contrary; I actually want to thank them for sharing the audit results in such detail so that we can all learn from them.
As someone who is not at all into programming, this title made me genuinely think I had a stroke.
This is an excellent article that breaks down common pitfalls and provides really concise rules for avoiding them. It’s a great read if you’re in to systems programming.
Those are bugs I dont think any programming language catch, unless it’s a DSL for writing such programs on Linux or another OS.
Some of them seem to be harder to fix or to get right in Rust than C though. Mostly due to “convenience” methods that make application writing easier.
It could be improved. Sebastian Wick and Lennart Poettering made comments on how hard POSIX makes it to be secure. There are better APIs that try to be safer.
- https://blog.sebastianwick.net/posts/how-hard-is-it-to-open-a-file/
- https://mastodon.social/@pid_eins/116459585811044061
And since uutils is not Linux only, it can’t use these safer APIs directly, or at least not without writing more platform-specific code.
