Mozilla Has Been Rewriting Its Crash Reporter In Rust


  • #21
    Originally posted by Volta
    Still insecure after all those years.
    Linux???

    Linux Linux Kernel : Security vulnerabilities, CVEs published in 2024 (cvedetails.com)

    765 vulnerabilities were published in 114 days (only 2024).

    Using Linux is messing with fire. So much developers' time wasted on fixing this crap. Still insecure after all those years.



    Last edited by HEL88; 24 April 2024, 02:11 AM.



    • #22
      Originally posted by sophisticles
      Read the bold part carefully.

      the Rust standard library prior to version 1.77.2 did not properly escape arguments

      This is a Rust vulnerability, not a Windows vulnerability.

      It's lazy programming on the part of the Rust developers, like most programming by open source "programmers" is by default.

      The good programmers actually get paid for their work, the mediocre ones write open source software.
      Give at least the Appendix B: Status of the affected programming languages section of "BatBadBut: You can't securely execute commands on Windows" a read.

      (The gist of the whole article is that it's an emergent property of "On Windows, instead of receiving an argv from the kernel, every application implements its own command-line tokenization", "CMD.EXE has complicated tokenization and parsing rules", and "The default value of PATHEXT allows .bat and .cmd files to be executed by the 'spawn a new process' syscall". Take any one of those things away and this wouldn't have happened.)

      This is literally a "we promised we'd shield you from this API's footguns, just like we do with other APIs, and we failed" CVE. It's only Rust's fault in the same way that failing to block all avenues for doing memory-unsafe things without the unsafe keyword is an I-unsound bug on their tracker, even if it's actually LLVM's fault which it often is.

      They write it that way because, regardless of who's really at fault, the Rust team has a "the buck stops here" attitude regarding any violation of any safety promise they made.
      Last edited by ssokolow; 24 April 2024, 01:43 AM.

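One defensive option that sidesteps the three properties listed above, as an added example (my code, not Rust's std and not from anyone in the thread): refuse to spawn a .bat/.cmd file at all when an argument contains anything cmd.exe could re-tokenize, instead of trying to escape it. Rust's own fix takes the same "refuse rather than guess" stance for arguments it cannot escape safely, returning an InvalidInput error; this wrapper applies that refusal more broadly. `is_safe_bat_char`, `check_bat_args` and `run_bat` are hypothetical names, and the allow-list is an assumption that is deliberately stricter than a real workload needs.

```rust
use std::io;

// Conservative allow-list (an assumption of this example): plain alphanumerics
// plus the punctuation a path or simple flag needs. Everything cmd.exe treats
// specially (" % ! ^ & | < > ( ) and CR/LF) is outside it, so it is never
// escaped, only refused.
fn is_safe_bat_char(c: char) -> bool {
    c.is_ascii_alphanumeric()
        || matches!(c, ' ' | '.' | '-' | '_' | ':' | '\\' | '/' | '=' | ',' | '+' | '@' | '~')
}

/// Validate every argument before it reaches a .bat/.cmd file. Returns the
/// arguments unchanged on success, or an InvalidInput error naming the first
/// offending one (refuse rather than guess at cmd.exe's quoting rules).
pub fn check_bat_args<I, S>(args: I) -> io::Result<Vec<String>>
where
    I: IntoIterator<Item = S>,
    S: AsRef<str>,
{
    let mut checked = Vec::new();
    for arg in args {
        let arg = arg.as_ref();
        if !arg.chars().all(is_safe_bat_char) {
            return Err(io::Error::new(
                io::ErrorKind::InvalidInput,
                format!("argument {arg:?} contains characters cmd.exe could re-tokenize"),
            ));
        }
        checked.push(arg.to_string());
    }
    Ok(checked)
}

/// Spawn a batch file only after validation; std's Command still applies its
/// own quoting on top, but never sees a metacharacter. Windows-only by nature.
#[cfg(windows)]
pub fn run_bat(script: &str, args: &[&str]) -> io::Result<std::process::ExitStatus> {
    let checked = check_bat_args(args.iter().copied())?;
    std::process::Command::new(script).args(checked).status()
}

fn main() {
    // Constructed sample arguments for the demo, not taken from the thread.
    for arg in ["crash-report.txt", "C:\\dumps\\x.dmp", "a&b", "%TMP%", "a\"b", "x\r\ny"] {
        match check_bat_args([arg]) {
            Ok(_) => println!("{arg:?}: accepted"),
            Err(e) => println!("{arg:?}: rejected ({e})"),
        }
    }
}
```

The trade-off is availability rather than correctness: a legitimate argument with a `%` or `&` is rejected, which is the behaviour a crash reporter handing file paths to a helper script can live with.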


      • #23
        Isn't "rust" and "crash reporter" not a contradiction in itself? ... an oxymoron?



        • #24
          Originally posted by oleid

          I didn't do GUI programming for some time now, but last time I checked - maybe some 10 years ago - I found GTK3's API quite clean and easy to use, even though it was a C API. Qt was okay too, but had some annoying things, which was why I preferred GTK back then.
          I'd be curious to know what those annoying things were. I switched from PyGTK (GTK+ 2.x) to PyQt5 around the same time because I got tired of dealing with annoyances in GTK in the name of using "the toolkit that will feel equally native by this point, but people are most likely to already have installed on all desktops".

          For example:
          • Qt provides ready-made customizable toolbars and panels, with ready made hide/show context menus and ready-made tear-off/reposition where each one's valid states/locations can be constrained right in Qt Designer if you're using that, and which QMainWindow and QSettings let you persist the configuration of between runs in the platform standard location in roughly six lines of code. (Add two more if you also want to persist window geometry.)
          • Qt didn't require you to manually reconcile multi-selection and drag-and-drop.
          • (some other examples I don't remember off the top of my head right now)



          • #25
            Originally posted by lowflyer
            Isn't "rust" and "crash reporter" not a contradiction in itself? ... an oxymoron?
            It's a tool written in Rust for catching and reporting crashes in a program which is mostly C++.



            • #26
              Originally posted by ssokolow

              It's a tool written in Rust for catching and reporting crashes in a program which is mostly C++.
              In a noosphere where 25% qualifies as "mostly" - agreed.



              • #27
                Originally posted by lowflyer
                Isn't "rust" and "crash reporter" not a contradiction in itself? ... an oxymoron?
                No.. It can crash just fine.



                • #28
                  Originally posted by ssokolow

                  I'd be curious to know what those annoying things were. I switched from PyGTK (GTK+ 2.x) to PyQt5 around the same time because I got tired of dealing with annoyances in GTK in the name of using "the toolkit that will feel equally native by this point, but people are most likely to already have installed on all desktops".

                  For example:
                  • Qt provides ready-made customizable toolbars and panels, with ready made hide/show context menus and ready-made tear-off/reposition where each one's valid states/locations can be constrained right in Qt Designer if you're using that, and which QMainWindow and QSettings let you persist the configuration of between runs in the platform standard location in roughly six lines of code. (Add two more if you also want to persist window geometry.)
                  • Qt didn't require you to manually reconcile multi-selection and drag-and-drop.
                  • (some other examples I don't remember off the top of my head right now)
                  One thing I recalled most vividly was the following:

                  I created a 2D visualisation and used Glade to create the layout. And then I implemented a custom widget which visualised my simulations.

                  The first version was using Qt. One of the issues I recall was the possibility to draw the visualisation to a PDF file. The API didn't allow me to create a PDF file without a display, because I required a QApplication and a QConsoleApplication could not be used. Thus, I reworked the GUI to GTK with Cairo-based drawing. The drawing API was quite similar, but Cairo was more flexible when it comes to output backends.



                  • #29
                    Originally posted by lowflyer
                    Isn't "rust" and "crash reporter" not a contradiction in itself? ... an oxymoron?
                    It is reporting crashes of Firefox, not itself.
                    Furthermore, there are multiple ways to crash an application. You are most likely talking about segmentation faults. But what about unhandled exceptions? Firefox is partially a C++ code base. What about errors the Rust code base bubbles up and cannot be handled reasonably? In the end the application will crash and those crashes need to get reported.



                    • #30
                      Originally posted by jacob

                      It's still a valid CVE. Rust doesn't stop anyone from implementing the wrong algorithm.
                      Not really. A CVE implies it's something wrong with the language/compiler itself, rather than what seems to be an intended feature based on the fact that *every other language that exists* had the exact same flaw. Many of which straight up said they're not going to bother with patching it, because it's not a real CVE. And again, weird that the CVE was filed *only* against Rust and not any other languages.

                      Rust's memory safety is nice, but it does so via syntax and control flow. Languages shouldn't automatically parse data and change it behind the scenes without you knowing. Languages shouldn't get in the way of people who know what they're doing to cushion people who don't know what they're doing.

                      Next, there's going to be a CVE for C and ASM because you can arbitrarily read memory D:
