The coreutils Rust rewrite story is pretty funny.
-
@r @q @erincandescent @pinskia @lcamtuf yeah exactly.... it's no longer a generative process, in the social sense. new features no longer fire up public excitement to see what people can make with them.
@r @q @erincandescent @pinskia @lcamtuf ouch.... we just realized, the last time we saw people excited to be creative with a new browser feature
it was JPEG XL
-
@r @q @erincandescent @pinskia @lcamtuf ouch.... we just realized, the last time we saw people excited to be creative with a new browser feature
it was JPEG XL
@ireneista @q @erincandescent @pinskia @lcamtuf oh, that's way more recent than the last time we were excited: the long painful drawn-out process of rolling out ES6 modules (which apparently "everybody else" gave up on, because bundlers)
-
Deus forbid if they create a functional specification of how the existing utilities work, before converting / rewriting them in a new language
️@simonzerafa
But the question is also where the responsibility lies for the lack of documentation and (much more importantly) unit tests. If the learning curve was so steep when it came to eliminating all race conditions, where are the tests that verified precisely these issues? Of course, it’s clear that the bug-fixing culture at the time didn’t have a “must-have 100% test coverage” requirement. But it’s also not easy to implement these tests now through reverse engineering.I don't think a lack of documentation and testing is necessarily the main obstacle to a new development. In fact, they might even be a reason for it.
However, you shouldn't put such newly developed software into production right away.
@lcamtuf -
@lcamtuf
I learned C++ after Modula-2 and before C.
I learned programming earlier.Learning a programming language isn't learning programming (extracting requirements, specification, design, coding, test etc).
I looked at Rust. C++ certainly has got too complicated since 1987, but I wonder does Rust *only* help with memory safety?
Main memory safety in general relates to using pointers that are invalid, accessing arrays out of bounds and past the end of strings.
Partly bad libraries & design.@raymaccarthy
Main memory safety in general, including threads. So, it's a "little" bit more
-
@xerz@soc.masfloss.net @hypha@cafe.mycelium.locahlo.st @star@fed.amazonawaws.com @lcamtuf@infosec.exchange Last I had heard from gccrust is that it couldn’t even be used for bootstrap compiling yet, without enforcing any of the semantics a Rust compiler is expected to.
It’s unclear whether it also now does that as of this progress report or not. If it does then that would be progress indeed.
@lispi314 @xerz @hypha @lcamtuf you don't need borrow checking in well-formed programs. You need borrow checking to ensure a program is safe. the rust compiler is currently the definition of what is well-formed so you don't really have an advantage if you compile the 1.49 sources with or without borrow checking -
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf Of course it didn't, an LLM wouldn't account for that.
-
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf People keep stepping on that rake.
-
@ChuckMcManis @lcamtuf now why the hell, after all these years, have I not heard of Chesterton’s Fence? Is this what I missed by not learning my trade at a uni? Kinda rhetorical, but I _still_ feel I must’ve missed something other than the debt…
Anyway, thank you. It’s going to provide a nice two-worder when reviewing prs by newbies - and a lot of oldbies and, lest l forget, their sloppy chums.
If it's any comfort, I got my bachelor's degree in CS, yet Chesterton's Fence was never mentioned there. I only learned it later in life due to memes. So don't feel bad about the uni thing
-
@BalooUriza People who hate the GPL and wanted to get rid of it, from what I heard.
It also felt like a fair bit of "this is a known quantity and a fun task to undertake just because I'm learning a new language". Almost like a joke that got taken too far
-
If it's any comfort, I got my bachelor's degree in CS, yet Chesterton's Fence was never mentioned there. I only learned it later in life due to memes. So don't feel bad about the uni thing
@gumnos @Kynx @ChuckMcManis @lcamtuf same. I still have to look it up every time I see it mentioned, and every time I think “oh, right; yeah, obviously”
-
-
@lcamtuf Yeah, but they got to license-wash the coreutils, the gnu coreutils are GPL3, the rust uutils use the much more corporate-overlord and user-abuse friendly MIT license.
@miss_rodent @lcamtuf oh, is that why canonical liked it?
-
@gumnos @Kynx @ChuckMcManis @lcamtuf same. I still have to look it up every time I see it mentioned, and every time I think “oh, right; yeah, obviously”
To be fair, if it had been mentioned outside the context of this thread, I too would have had to (re)look it up (for the umpteenth time…)
-
@sten @darkuncle The old joke that _everyone_ has a testing environment, some are fortunate enough to have a separate Production environment
Joke?
-
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf I'm the first advocating for Rust for new developments, I do think having a more modern codebase for coreutils makes sense.
But as much as I like seeing Rust software running on more computers, seeing Canonical push a pre-release version of a software made me even more pissed at them that I already was.
Why would you deploy pre-v1 critical components on millions of computers, wtf.
Even on my archlinux machines I wouldn't deploy that in its current form... -
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf the best code is the code that already works.
-
@r @q @erincandescent @pinskia @lcamtuf ouch.... we just realized, the last time we saw people excited to be creative with a new browser feature
it was JPEG XL
@ireneista @r @q @erincandescent @pinskia @lcamtuf
when it was added, when it was removed, or when it was added again? -
@ireneista @r @q @erincandescent @pinskia @lcamtuf
when it was added, when it was removed, or when it was added again?@Doomed_Daniel @r @q @erincandescent @pinskia @lcamtuf when it was removed. it came back?
-
-
@Slash909uk @cmdrmoto @benh @lcamtuf especially in the age of AI
️) for this simple reason!