Announcement

**Sevard** · 07 February 2023, 11:29 AM

Originally posted by ryao View Post

I mentioned the existence of ancient flaws in an earlier comment. The reality is that they are an extreme minority, and the scarcity of them reflects the reality that mature code is less buggy than new code.

You don't know that. This is the main issue with bugs – most of them are hidden.

Originally posted by ryao View Post

You can identify the first commit in Linux that introduced the CVE and the commit that fixed it. (...)

Not really. Sometimes there is bug in old code that is just accidentally discovered by introduction of new code. In this case the old code is one to be blamed.

**kylew77** · 07 February 2023, 11:30 AM

So secure implementations like Xenocara are not affected since Xorg doesn't run as root on OpenBSD. Nothing to see here people, move along.

**ryao** · 07 February 2023, 11:31 AM

Originally posted by Sevard View Post

You cannot prove in any way that any software is bug free/is less buggy. That's just assumption. We still discover bugs that were introduced several years ago. Also some bugs introduced back then may be harmless now, but new code can create a way to exploit them. So no – we cannot look only at cases that went terribly bad.

This only look at cases that went terribly bad remark is a straw man argument. I never once made the suggestion that people do this. You keep arguing against something that has no basis in anything I said.

Originally posted by Sevard View Post

Nobody say that new code is bug free. Bugs are everywhere in new as well as in old code. Rewrite aren't more or less buggy by definition. It really depends.

New code is more buggy than mature code. That would be why you find so few CVEs that are more than 5 years old as a percentage of the CVEs in codebases. The majority of bugs are caught when they are young. That is why mature code is less buggy than new code.

**ryao** · 07 February 2023, 11:37 AM

Originally posted by Sevard View Post

You don't know that. This is the main issue with bugs – most of them are hidden.

If you look at CVE data, you will see that the majority of security bugs being found are not old. There is no reason to expect this trend to change, be it for security bugs or non-security bugs.

Originally posted by Sevard View Post

Not really. Sometimes there is bug in old code that is just accidentally discovered by introduction of new code. In this case the old code is one to be blamed.

Then you are agreeing with me since the commit that introduced the bug would be ancient in that case.

**NobodyXu** · 07 February 2023, 11:37 AM

Originally posted by ryao View Post

You are admitting that new code is more buggy than old code when you say that they are because Linux is becoming bigger and more complex. The patches adding things are adding the vast majority of these new bugs. You could also have bad fixes cause bugs too, but those are a minority and those bugs would still have their origin in a new change.

Yes and that's why I say the recent increase of CVEs is not necessary caused by rewrite and is not an evidence of rewrite necessary introduces more bugs than original.

**ryao** · 07 February 2023, 11:40 AM

Originally posted by NobodyXu View Post

Yes and that's why I say the recent increase of CVEs is not necessary caused by rewrite and is not an evidence of rewrite necessary introduces more bugs than original.

Notice how I was careful to say “rewrite from scratch” when talking about new code and it was always in the context of replacing an entire OS component, rather than changing a tiny piece of one. Whatever distinction you think you are making here has nothing to do with what I said.

**NobodyXu** · 07 February 2023, 11:40 AM

Originally posted by ryao View Post

If you look at CVE data, you will see that the majority of security bugs being found are not old. There is no reason to expect this trend to change, be it for security bugs or non-security bugs.

Yes, all CVEs found are not old, but if you claim that rewrite always contains more bugs than the original, then you need to compare the total number of bugs/CVEs, not just the new ones, but the total number.

Originally posted by ryao View Post

Then you are agreeing with me since the commit that introduced the bug would be ancient in that case.

It's still a bug in the old code, since the new function simply calls into the old code and it's the one who causes the bug.

**NobodyXu** · 07 February 2023, 11:44 AM

Originally posted by ryao View Post

Notice how I was careful to say “rewrite from scratch” whenever I used the term rewrite. Whatever distinction you think you are making here has nothing to do with what I said.

If you are comparing rewrite from scratch with original one, then the Linux example makes no sense since it is never fully rewrite from scratch but update incrementally.

My counter argument is google rewriting its android low-level drivers into rust and they is confident enough to ship it with whatever testing and tooling they have.
If your argument is the case, then how dare google releases their rewrite so soon without waiting for another two releases?

And cloudflare rewites nginx + lua in rust, how dare they ship it when the new one could have significantly more bug than the old one?

**ryao** · 07 February 2023, 11:51 AM

Originally posted by NobodyXu View Post

If you are comparing rewrite from scratch with original one, then the Linux example makes no sense since it is never fully rewrite from scratch but update incrementally.

My counter argument is google rewriting its android low-level drivers into rust and they is confident enough to ship it with whatever testing and tooling they have.
If your argument is the case, then how dare google releases their rewrite so soon without waiting for another two releases?

And cloudflare rewites nginx + lua in rust, how dare they ship it when the new one could have significantly more bug than the old one?

It depends on the driver, but I would not consider a number of drivers to be mature code. In that case, a rewrite would probably be less buggy than the original.

I would consider nginx and lua to be mature code. Doing a rewrite from scratch would probably be unwise, but once it reaches maturity, it would probably be better off. However, the pain from bugs until then would be self inflicted.

As for the Linux example, it shows that new code is more buggy than old code and old code is generally mature code.

**Sevard** · 07 February 2023, 11:53 AM

Originally posted by ryao View Post

Then you are agreeing with me since the commit that introduced the bug would be ancient in that case.

No, I say that sometimes you can discover bug in the old code because you push some limit. And such bugs occur only in some cases.
Imagine that you have object with registerListener method and it can do some nasty things if you add too many listeners. You add a new listener from time to time. Everything works perfectly fine and then one day you add another new listener and boom – you have bug that affects only new versions, but it's actually been introduced long time ago.

Announcement

X.Org Server Hit By New Local Privilege Escalation Vulnerability

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment