Zero out of the six pending #curl CVEs are C mistakes.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:13:17 GMT

greg@icosahedron.website — Sat, 25 Apr 2026 16:13:17 GMT

@tdelmas @bagder this is so goofy. all the time you spent posting this comment could have been used to search for missing children instead.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:06:15 GMT

michiel@social.tchncs.de — Sat, 25 Apr 2026 16:06:15 GMT

@bagder it's the lamp post fallacy. Many memory errors are relatively easy to find, making them a fun target for early static vulnerability analyzers.

Leading to a lot of security bugs related to buffer overruns that were found automatically.

Leading some people to conclude erroneously that since they were the majority of security bugs found, they must represent the majority of all security bugs.

AI vulnerability scans will likely demonstrate they were just the tip of the iceberg.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:02:12 GMT

bagder@mastodon.social — Sat, 25 Apr 2026 16:02:12 GMT

zero out of seven now...

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 10:30:34 GMT

ahltorp@mastodon.nu — Sat, 25 Apr 2026 10:30:34 GMT

@floooh @gloriouscow @goedelchen @tdelmas Very few people were as stupid as me and wrote large amounts of complicated high-level code in 386 assembly well into the ’90s, but in my defence it was code with no security implications and accepting no input.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 10:19:47 GMT

ahltorp@mastodon.nu — Sat, 25 Apr 2026 10:19:47 GMT

@floooh @gloriouscow @goedelchen @tdelmas I’m of the firm belief that low-level code should be written with low-level constructions and high-level code with high-level constructions. If that’s possible in the same language, great. If it’s not, multiple languages should be used, but that might of course also have problems.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 09:36:05 GMT

floooh@mastodon.gamedev.place — Sat, 25 Apr 2026 09:36:05 GMT

@ahltorp @gloriouscow @goedelchen @tdelmas the cognitive load argument may apply to some gc languages, but definitely not to rust

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 01:25:01 GMT

ahltorp@mastodon.nu — Sat, 25 Apr 2026 01:25:01 GMT

@gloriouscow @goedelchen @floooh @tdelmas The point should not be that a language protects you from doing something bad, it should be that it frees up cognitive resources that are unnecessarily spent on figuring out what a certain construction does. Those resources can then be used to actually understand the code.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:32:32 GMT

rylik@mastodon.social — Fri, 24 Apr 2026 21:32:32 GMT

@bagder This makes all the Rust people get in the comments like the Spanish Inquisition.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:28:50 GMT

rylik@mastodon.social — Fri, 24 Apr 2026 21:28:50 GMT

@tdelmas @bagder Sure, and any language other than C was a waste of time, cuz you could’ve just spent that time writing better C.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:15:15 GMT

kiskae@hachyderm.io — Fri, 24 Apr 2026 21:15:15 GMT

@icing @bagder reality is sadly non-exhaustive

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:48:26 GMT

gloriouscow@oldbytes.space — Fri, 24 Apr 2026 20:48:26 GMT

@goedelchen @floooh @bagder @tdelmas

As for that quote, optimistic as it may be, there's a kernel of truth to it. There are entire classes of vulnerability that are just not really feasible to create in Rust without an unsafe block or really going out of your way to Find Out.

My boldest claim for Rust would be, if you selected some random programmer of indeterminate skill and assigned them the task of writing a file parser that everyone on earth will use, I would absolutely pray they write it in Rust.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:37:58 GMT

gloriouscow@oldbytes.space — Fri, 24 Apr 2026 20:37:58 GMT

@goedelchen @floooh @bagder @tdelmas

Fair point, my interpretation of overconfidence was that it leads to laziness, but that was indeed not the original point. If you feel something is protecting you, you drop your personal vigilance, vigilance takes effort, thus avoiding effort being a form of laziness.

Maybe a bit of a leap, but it's my brain and I have to live in here.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:34:15 GMT

goedelchen@mastodontech.de — Fri, 24 Apr 2026 20:34:15 GMT

@gloriouscow @floooh @bagder @tdelmas "So would gently push back on the idea that programming in Rust leads to laziness." The question was, whether there is an overconfidence syndrome, not laziness.

IMHO, the claim "A language empowering everyone to build reliable and efficient software" is ... uhm... optimistic.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:27:24 GMT

thradams@social.vivaldi.net — Fri, 24 Apr 2026 20:27:24 GMT

@tdelmas @bagder we can also say that C saves time in may cases. (compiling time , time updating tools, time updating code, time learning, time fixing build problems, etc…)

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:00:34 GMT

amoshias@esq.social — Fri, 24 Apr 2026 20:00:34 GMT

@tdelmas @bagder which language doesn't have the possibility of mistakes?

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 18:52:38 GMT

corpsmoderne@mamot.fr — Fri, 24 Apr 2026 18:52:38 GMT

@levitte @bagder @tdelmas . You just have to be extra careful when you write this (do-curl) macro

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:59:08 GMT

jefftp@hachyderm.io — Fri, 24 Apr 2026 17:59:08 GMT

@bagder If I'm understanding you correctly... we need a programming language that doesn't allow the programmer to make logical mistakes?

A programming language that doesn't follow logic...

Are you re-writing curl in COBOL?

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:52:43 GMT

lennybacon@infosec.exchange — Fri, 24 Apr 2026 17:52:43 GMT

@bagder See, Daniel, couldn’t you show a bit more engagement in putting the bugs where the public expects them? Call it expectation management…

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:38:39 GMT

icing@chaos.social — Fri, 24 Apr 2026 17:38:39 GMT

@bagder It would have been harder in Prolog.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:12:55 GMT

larsmb@mastodon.online — Fri, 24 Apr 2026 17:12:55 GMT

@jwalzer @bagder @tdelmas Given how extensive the test suite and docs are it is actually surprising nobody has burned the tokens to reimplement / launder it in Rust as a drop-in replacement.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:05:52 GMT

jwalzer@infosec.exchange — Fri, 24 Apr 2026 17:05:52 GMT

@bagder @tdelmas

So the rust-rewrite will then be called „rurl“ I assume? Or „gurl“ in golang?

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:55:43 GMT

bagder@mastodon.social — Fri, 24 Apr 2026 16:55:43 GMT

@tdelmas yes, and C has existed as a real working option for decades, while memory safe alternatives have not...

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:51:49 GMT

gloriouscow@oldbytes.space — Fri, 24 Apr 2026 16:51:49 GMT

@floooh @bagder @tdelmas

As a Rust programmer who started in C and knows all about nasal demons, I find that the Rust borrow checker is a constant reminder that "oops, I might have just tried to make a CVE right there."

That you must structure a Rust program of any complexity around memory safety is a constant reminder of what things are and are not safe to do. It's not cognitively free, to the frustration of many people new to Rust. So would gently push back on the idea that programming in Rust leads to laziness. Most languages do not complain at all - in C, you only get interested in safety if you get interested in safety.

I'd also hesitate to call any bug embarrassing, unless it was my own. We've all made some whoppers. These are process failures.

Reply to Zero out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:46:58 GMT

afx@infosec.exchange — Fri, 24 Apr 2026 16:46:58 GMT

@bagder @tdelmas As someone who grew up writing and selling my own software in Modula-2 in the 80s, I strongly disagree. Decent languages with strong typing and other checks are definitely more efficient than that pseudo assembler called C.

*Zero* out of the six pending #curl CVEs are C mistakes.

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:13:17 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:06:15 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 16:02:12 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 10:30:34 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 10:19:47 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 09:36:05 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Sat, 25 Apr 2026 01:25:01 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:32:32 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:28:50 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 21:15:15 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:48:26 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:37:58 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:34:15 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:27:24 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 20:00:34 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 18:52:38 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:59:08 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:52:43 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:38:39 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:12:55 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 17:05:52 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:55:43 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:51:49 GMT

Reply to *Zero* out of the six pending #curl CVEs are C mistakes. on Fri, 24 Apr 2026 16:46:58 GMT