The coreutils Rust rewrite story is pretty funny.
-
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf I'm the first advocating for Rust for new developments, I do think having a more modern codebase for coreutils makes sense.
But as much as I like seeing Rust software running on more computers, seeing Canonical push a pre-release version of a software made me even more pissed at them that I already was.
Why would you deploy pre-v1 critical components on millions of computers, wtf.
Even on my archlinux machines I wouldn't deploy that in its current form... -
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf the best code is the code that already works.
-
@r @q @erincandescent @pinskia @lcamtuf ouch.... we just realized, the last time we saw people excited to be creative with a new browser feature
it was JPEG XL
@ireneista @r @q @erincandescent @pinskia @lcamtuf
when it was added, when it was removed, or when it was added again? -
@ireneista @r @q @erincandescent @pinskia @lcamtuf
when it was added, when it was removed, or when it was added again?@Doomed_Daniel @r @q @erincandescent @pinskia @lcamtuf when it was removed. it came back?
-
-
@Slash909uk @cmdrmoto @benh @lcamtuf especially in the age of AI
-
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf yeah. currently running Ubuntu 24.04 LTS. My next upgrade will be a different distribution I think
BSD maybe?
-
"Netscape went bankrupt trying to re-write their software from scratch"
It is also why Microsoft Edge went from something written from scratch to be a fork of chromium. The story is the same and even more it is about the similar product. Plus it is a recent example of the whole starting from scratch issues.
@pinskia @ireneista @lcamtuf
> It is also why Microsoft Edge went from something written from scratch to be a fork of chromiumWasn't that because most of Edge audience heavily used Google products (including Google maps and YouTube and Google meet), and Google actively sabotaged the performance of these products in Edge specifically, in order to push users away from it and towards Chrome?
-
@Doomed_Daniel @r @q @erincandescent @pinskia @lcamtuf when it was removed. it came back?
@ireneista @r @q @erincandescent @pinskia @lcamtuf
yeah, but disabled by default in chromium and AFAIK in Firefox it's only in the nightlieshttps://en.wikipedia.org/wiki/JPEG_XL?useskin=vector#Web_browsers
-
@ireneista @r @q @erincandescent @pinskia @lcamtuf
yeah, but disabled by default in chromium and AFAIK in Firefox it's only in the nightlieshttps://en.wikipedia.org/wiki/JPEG_XL?useskin=vector#Web_browsers
@Doomed_Daniel @r @q @erincandescent @pinskia @lcamtuf ah thanks
-
@Seirdy@pleroma.envs.net @ireneista@adhd.irenes.space @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @puppygirlhornypost2
I have personally found it mildly irritating that
a) GNU Grep has PCRE as an option but Gnu Sed does not, and
b) Sometimes I can figure out how to do something in PCRE but not whatever version of regex GNU sed uses.
I can get around this mild irritation by using perl or python directly instead of sed. -
Dev culture was one long series of "dick measurements" as one engineer put it. That was because of how Google evaluated engineers and how reviews got written. How that emerged in practice was that saying "I don't know" was like saying "fire me now" to a lot of these kids. So they couldn't introspect at all in front of others. I was not popular (as you might guess) for asking "rude" questions.
But I also didn't care if Google chose to fire me so there was that. 2/2@ChuckMcManis @josh @lcamtuf incentives trump everything
-
@Seirdy@pleroma.envs.net @ireneista@adhd.irenes.space @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @puppygirlhornypost2
I have personally found it mildly irritating that
a) GNU Grep has PCRE as an option but Gnu Sed does not, and
b) Sometimes I can figure out how to do something in PCRE but not whatever version of regex GNU sed uses.
I can get around this mild irritation by using perl or python directly instead of sed.@2something@transfem.social @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @puppygirlhornypost2@transfem.social the
sdutility is excellent for this <img class=“not-responsive emoji” src=“https://pleroma.envs.net/emoji/custom/colon_three.png” title=“:colon_three:” /> -
@sten @darkuncle @ChuckMcManis @lcamtuf
you expect rare race conditions to occur anywhere but production?
@wolf480pl @sten @ChuckMcManis @lcamtuf most serious race condition in production is the race to push to prod before you bounce on a Friday afternoon
-
@2something@transfem.social @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @puppygirlhornypost2@transfem.social the
sdutility is excellent for this <img class=“not-responsive emoji” src=“https://pleroma.envs.net/emoji/custom/colon_three.png” title=“:colon_three:” />@Seirdy@pleroma.envs.net @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@adhd.irenes.space @puppygirlhornypost2
I just ranman sdand I don't understand anything of what it said. -
@Seirdy@pleroma.envs.net @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@adhd.irenes.space @puppygirlhornypost2
I just ranman sdand I don't understand anything of what it said.@2something@transfem.social @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @puppygirlhornypost2@transfem.social no thats something else. it’s one of those newer rust utilities like what ripgrep is for grep.
-
@lcamtuf Rustaceans are the problem, not Rust itself. theyre like a lobbing group trying explicitly to boost their future employment demand much more than prioritized on doing the right thing as engineers or for the community. much like the AI VC are "talking up their book" even if its poison for the rest of us
@synlogic4242 @lcamtuf I’ve learnt to differentiate between people who only talk about the tech, and never about solving problems. It’s been the same for decades.
Tech can be fun, not saying it shouldn’t be. But it doesn’t create solutions by itself.
-
@2something@transfem.social @lcamtuf@infosec.exchange @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @puppygirlhornypost2@transfem.social no thats something else. it’s one of those newer rust utilities like what ripgrep is for grep.
@2something@transfem.social @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @lcamtuf@infosec.exchange @puppygirlhornypost2@transfem.social it’s not full pcre with stuff like variable length lookbehinds but it’s close enough with named capture groups and the like. It uses Rust’s regex crate
-
@2something@transfem.social @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @lcamtuf@infosec.exchange @puppygirlhornypost2@transfem.social it’s not full pcre with stuff like variable length lookbehinds but it’s close enough with named capture groups and the like. It uses Rust’s regex crate
@2something@transfem.social @Doomed_Daniel@mastodon.gamedev.place @ireneista@irenes.space @lcamtuf@infosec.exchange @puppygirlhornypost2@transfem.social it’s packaged by almost every distro and easy to statically link and take with you
-
The coreutils Rust rewrite story is pretty funny.
Coreutils are tools like rm, mv, mkdir, etc. Unlike binutils, this isn't a fertile ground for memory safety bugs. But, the rewrite was completed, and in the spirit of progress, Canonical decided to switch.
But do you know what coreutils are a fertile ground for? Race conditions around file creation, deletion, permission setting, and so on. The original code accounted for decades of hard-learned lessons in that space. The Rust rewrite did not:
https://seclists.org/oss-sec/2026/q2/332
PS. I'm not dunking on Rust. It's just that... starting over from scratch has its hidden costs.
@lcamtuf As someone who spent more than 30 years writing C++ professionally, I don't object to efforts to rewrite that stuff in a safer language, and I like Rust, but Canonical was extremely premature in their decision to make the rewritten coreutils the default. As the article makes clear, they completely ignored race condition issues, and I'm wondering if management didn't understand that Rust's ability to prevent data races does not carry over to filesystem races. With this huge volume of CVEs it seems that their testing efforts must have been woefully inadequate. I suppose one way to go is to just ship it and let the Internet test it for them.
️) for this simple reason!
