It would be amazing if there were a Manhattan Project for eliminating memory-unsafe code from modern operating systems and browser engines. This would probably increase the cost of pwning VIPs and critical infrastructure by several orders of magnitude.
It wouldn't noticeably change the unit economics. Very few attacks rely on memory exploits.
Edit: This appears to be confusing to people, so here are some examples you'll recall from the past few years: SolarWinds, the Colonial Pipeline hack, the Okta breach, the Uber breach. Most attacks don't rely on memory exploits.
As far as I know, Servo wasn't ever really intended to be a production browser. But significant parts of Firefox have been rewritten in Rust since, and those parts have included bits from Servo.
Remain? Humans /may become/ the weakest link after remote code execution exploits cease to be discovered, but certain hacks require no human in the loop.
I don't think so. Outside of labs, I can't remember needing memory safety exploitation or hearing about a major compromise that used such an exploit.
I am not saying the security improvements are not real, just not orders of magnitude. For example some post exploitation stuff like BYOVD I am sure would be much harder.
A lot of vulns are just mistakes people made. Perhaps LLMs can help with that in the near future but right now you hardly even need a CVE to compromise even well protected networks. A little phish here, a little abuse of legit software there, patiently look for services and credentials that aren't well protected and voila. Few actors use 0days and auto-updates have made 1-days hard to rely on.
> I don't think so. Outside of labs, I can't remember needing memory safety exploitation or hearing about a major compromise that used such an exploit.
I don't know what it's like now, but back in the day devdiv (owners of Visual Studio, .Net, etc.) and Windows were highly siloed and it was hard to get them to align on a common way forward. Rust seems like the sort of thing devdiv would naturally pick up though.
They still are, that is how we got C++/CX replaced with C++/WinRT and to this day zero tooling on Visual Studio, beyond the COM stuff that goes back to COM early days.
Or like UWP was dropped for WinUI 3.0/WinAppSDK and there is no designer, or Native AOT doesn't do WinUI (.NET Native and C++/CX were under WinDev umbrella).
From an outsider’s perspective, it seems like MS (meaning the “new” MS under Nadella) is more aligned under VS Code than their traditional Visual Studio product.
I don’t doubt that Visual Studio will continue to be developed, but it would surprise me to see MS direct Rust resources specifically to it when they’ve already dedicated a lot of work towards Rust in VS Code.
(This is coming from someone who feels mild resentment at how much better the Rust editing experience is in VS Code than his preferred editors.)
> but it would surprise me to see MS direct Rust resources specifically to it when they’ve already dedicated a lot of work towards Rust in VS Code.
Embrace, or are we up to Extend?
But seriously, don't MS already have form on the .Net LSP? I can remember the furore but not the details, something about pulling back some VSCode functionality for Visual Studio.
Has Microsoft actually dedicated a lot of work to Rust in vsc? They haven't contributed significantly to the rust-analyzer project, which owns the vsc extension.
> The following companies contributed significantly towards rust-analyzer development: Ferrous Systems, Mozilla, Embark Studios, freiheit.com
Rust with rust-analyzer is IMHO very good nowadays, probably on par if not better than the experience with C++ on paid IDEs. The fact Rust grammar is context-free makes writing tools way easier because there's way less room for breakage, unlike when you write an extra > in C++ and parsing burns down in flames.
Visual Studio is on its way out, and I say that as someone that uses it professionally every single workday. They've been monkey-patching in features now for years, and it remains slow and bloated.
VSCode is the future and Microsoft's future. The current limited .Net support on VSCode feels like it is intentional to give Visual Studio another few years.
PS - Obviously Visual Studio will never ACTUALLY go away. I am talking about as its flagship product for current/future development, it will remain for things like Windows Forms and other dead-end tech.
I think VS Code is great for "light coding", especially Web development. I find it not so great for large projects. For example, there is no comparison at all between Java in VS Code versus IntelliJ.
VS code is a hodgepodge of plugins badly tied together which constantly spam you with change logs each time you open the app. Hopefully that’s not the future of IDEs and a Visual Studio replacement
From a solution organization perspective, Visual Studio is still king in the .NET world. I’ve tried matching up my work patterns in VS Code and no matter how I twist it, VS Code always feels like a NodeJS web dev editor.
As for performance, I recently upgraded from an old Yoga 2 (VS became unusable) to the new Surface Laptop 5 and Visual Studio is smoking fast now.
I’ve heard great things about Rider but haven’t tried it.
I don’t see MS dropping Visual Studio any time soon. There are still a lot of us older coders that’d raise hell if they tried.
I also use the free Community version and it has everything I need.
My experience with hobbyist C programming in VSCode (with C/C++ extension) is yet to match the experience of hobbyist C++ programming in VS. I'll try out CLion someday.
The biggest issues I noticed are:
- Lack of error indication, e.g. used an undeclared variable
I personally gave up on GUI file searching long ago, it's one thing that sucks everywhere IMHO. I'll take CLI tools like locate or `fd` any day, they are IMHO quicker to use even on Windows.
How many years and counting and MS still can't make search work? So many comments about how search is screwed up. For me, I can't stand that it sometimes doesn't find what I know is there. Or sometimes I don't really know whether something is or is not there because I can't trust the search. And sometimes it just won't search. Or does it really slowly.
Ugh, that whole talk is announcing a whole bunch of things that make it much harder for smaller devs to get started. They want a signing chain that will inevitably cost thousands of dollars just to get approved with some sort of annual fee tacked on as well, so as an independent dev you can either go through that rigmarole or just not target Windows, or you need to walk your users through disabling the smart filter thing first...
> Beyond the presumed safety improvement, performance is said to be 5 to 15 percent faster for Shaping (substituting) glyphs with OTLS (OpenType Library Services). That's all available to developers now.
I'd be interested to know as to why a simple rewrite (from C++, no less) would give you this kind of upgrade.
I wonder if somehow someday Microsoft Windows can be rerooted as something like wine running in user space of a rust os like https://github.com/theseus-os/Theseus
The kernel space of Windows is not a problem, it has been fit-for-purpose and even good for the last 20-odd years. The problem is the deterioration in the UI and UX side of the OS (adware, spyware, hodgepodge of UI paradigms, spotty GUI settings apps, reset of preferences after any serious update, bad built-in tooling forced on the user etc).
It's the same shit at Meta. It's developer job security. Random group decides to rewrite in Rust but then breaks their shipped codebase for 3 weeks. They don't care. They have a new toy and don't care if they break things other people use.
Developing in rust is so much easier than other languages I've used. Took a while to get the hang of it. It's honestly a wonderful experience. Can blindly follow types or hone in on performance critical areas without sketchy bugs.
I can’t disagree more. I hesitate to hitch my cart to Rust, but rewriting all the old memory unsafe code is an inevitable need. This status quo of just patching things up every time an exploit appears is farcical when we have the tools to address these problems today.
This is how I feel about devs forcing rust onto web UI development (https://news.ycombinator.com/item?id=35722681). JS exists and people already make new toys (frameworks) for it every month. That's not enough and now we need rust on the frontend
I often advocate for the use of Rust, but it's not the right tool for every job. If one of these conditions is met, I'll happily use Rust:
- Cannot have garbage collection
- Need the raw speed of C
- Need to provide a C interface
- Already have a lot of Rust code in the project
Having said that, I very much prefer statically typed languages, and ones with a focus on correctness and safety. Rust and Haskell both fit that bill very well.
I care if it's written to be better and cheaper to maintain. I don't care about a new Javascript, Rust, or (latest religion) framework, this or that, unless the approach is better than what came before and it's part of sound governance. Code should not be religious, it should be functional and focused on its purpose.
Thankfully most of that seems self-contained to Reddit/HN in pet projects. My god what a disaster for the web that would be, shoving everything into WASM despite zero performance reason to.
Because when I think of what would give me the most job security, it's to reimplement something that we already have and works perfectly fine on its own.
Edit: This appears to be confusing to people, so here are some examples you'll recall from the past few years: SolarWinds, the Colonial Pipeline hack, the Okta breach, the Uber breach. Most attacks don't rely on memory exploits.
Microsoft says 70% https://www.zdnet.com/article/microsoft-70-percent-of-all-se...
Google says 70% https://www.chromium.org/Home/chromium-security/memory-safet...
I do feel they should have persevered. Although, yeah, writing a new rendering engine from scratch is a big job.
NSO group. Stuxnet.
> The following companies contributed significantly towards rust-analyzer development: Ferrous Systems, Mozilla, Embark Studios, freiheit.com
https://rust-analyzer.github.io/
Luckily Rider exists
Even for .NET, what VS4Mac and VSCode can do is a tiny subset of VS capabilities for .NET development.
Naturally you can argue that anything MS, or game consoles are dead-end tech.
The biggest issues I noticed are:
- Lack of error indication, e.g. used an undeclared variable
- Intellisense meh
This is the announcement video. It's about an hour long but much of it is very interesting.
"Adminless windows" sounds very interesting.
https://youtu.be/8T6ClX-y2AE?t=2607
They shall be busy fixing the bugs in Windows 10.