I totally agree. Kees' proposal is yet another attempt by The Nanny State to infuse itself into our daily lives so that we don't have to care, nor be careful, or even responsible for our own actions, work, or creations.

Linus, while never the gifted diplomat, will always tell us where he stands in very clear words that we do not have to parse. What I heard was this: Programmers should be responsible for understanding how their creations truly work AT ALL LEVELS, including the maths. Seriously, I think Linus is like me in some ways, namely: sick & tired of the "If It Compiles Then SHIP IT !" attitude and then looks derisively upon those who (or down their noses at) expect them to explain how it actually all works.

For those people that need warm fuzzy feelings, soft cuddly hugs, and quiet comforting words whenever anyone speaks to them may I suggest that those weak links crawl back to kiddie garden and continue developing for another few decades.

Look, it's a rough world out there and it doesn't owe you anything, so consider yourselves lucky that Linus is willing to be totally & clearly honest about where he stands; you don't have to parse his words to understand him (unlike those warm fuzzy types out there).

Sounds like this is really a signed vs unsigned thing. Put the overflow warning on signed ops but leave unsigned rollover out of it.

One would assume so, but even the best humans are fallible. That's the angle I'm looking at it from. I'm not saying that Cook is right, but I think that, absent the context of the proposed design he's reacting to, Torvalds's statement isn't automatically correct.

So even more clearly then, and quite context-independent. I usually test for wraparound with (a > UINT_MAX - b), and didn't recognize the pattern as such.

Yes, fallible, and I would generally encourage the use of warnings, sanitizers, static analyzers, and so on. However I think Linus is correct to say that the compiler must do further analysis to avoid false positives. Using a lot of warnings is extremely time consuming when there are false positives. C is a language that must remain practical for writing optimized code.

You realize what you ask is impossible.. Codebases of today do not align with a single human being in scope, scale or time. Even Linus doesn't know what the Kernel does at ALL levels anymore.. The Linux kernel code will long outlive Linus Torvalds or Greg KH's time on this Earth. There is good merit in continuing to improve tools in the name of security or catching mistakes, everyone makes them.. No one person is an island.

Not necessarily. Look at Rust support in the kernel which currently is about creating modules in Rust, without changing the kernel itself. As long as interfaces are respected C code doesn't care. And it is a project blessed by Linus.

Definitely. Warning fatigue is worse than no warnings because it'll desensitize people to the more significant ones.

Try looking in the mirror, before calling others insecure. Your own insecurity is the main reason you can't refute my posts point-by-point, as that would force you to actually reflect on what I'm saying.

Furthermore, if you really wanted to demonstrate your competence and superiority, you'd be making rational arguments instead of hurling insults at everything and everyone you don't like. Resorting to the discursive tactics of an angry school child paints yourself in a far worse light than anything I could probably say.

"(a+b < a)" on unsigned a and b, is only true when a + b overflow. It is an overflow test! So obviously overflow is expected and explicitly handled, an analyser complaining about a check EXPLICITLY testing for overflow as possibly overflowing IS BROKEN.