There’s a lot I disagree with Drew DeVault on, but I respect this a lot:
https://drewdevault.com/2025/01/16/2025-01-16-No-Billionares-at-FOSDEM-please.html
Heh, I didn't consciously realize that the way Rust determines whether an associated function is a method or not is based on whether the identifier is called `self`. That means that this is a method:
fn meow(&mut self) { .. }
And so is this:
fn meow(self: &mut Self) { .. }
But this is not:
fn meow(Self { a, b }: &mut Self) { .. }
Instead the latter is parsed as a static method that takes an instance of `Self`. Despite it operating on the same type as the other variants.
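The three spellings above side by side, as an added example that is not part of the original post (the `Cat` struct, its fields and the `demo` function are constructed here for illustration):

```rust
// Added example (not from the original post): the three parameter spellings
// from the post on one struct, and how each one can be called.
#[derive(Default)]
struct Cat {
    a: u32,
    b: u32,
}

impl Cat {
    // `&mut self` is shorthand for `self: &mut Self`: a method.
    fn meow(&mut self) -> u32 {
        self.a += 1;
        self.a + self.b
    }

    // The same thing spelled out: still a method, because the identifier is `self`.
    fn meow_explicit(self: &mut Self) -> u32 {
        self.b += 1;
        self.a + self.b
    }

    // A pattern in place of the identifier `self` makes this an associated
    // function (what the post calls a static method), even though the parameter
    // type is `&mut Self`. Match ergonomics bind `a` and `b` as `&mut u32`.
    fn meow_pattern(Self { a, b }: &mut Self) -> u32 {
        *a += 1;
        *b += 1;
        *a + *b
    }
}

// Returns the four results so the calling conventions can be checked.
fn demo() -> (u32, u32, u32, u32) {
    let mut cat = Cat::default(); // a = 0, b = 0
    let x = cat.meow();           // method-call syntax -> a = 1, returns 1
    let y = cat.meow_explicit();  // method-call syntax -> b = 1, returns 2
    // `cat.meow_pattern()` does not compile ("no method named `meow_pattern`"):
    // there is no receiver, so the call has to go through the type path.
    let z = Cat::meow_pattern(&mut cat); // a = 2, b = 2, returns 4
    // Real methods accept the type-path form too; only the reverse is missing.
    let w = Cat::meow(&mut cat);         // a = 3, returns 5
    (x, y, z, w)
}

fn main() {
    println!("{:?}", demo());
}
```

The first two are callable as `cat.meow()` and `cat.meow_explicit()`; the third has no receiver, so `cat.meow_pattern()` is rejected by the compiler and it must be called as `Cat::meow_pattern(&mut cat)`, while the real methods remain callable through the type path as well.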
Sorry, what kind of values?
Hear me out: Noctua bathroom fans
Found out about Wirth’s law the other day. It’s… not wrong.
(Software gets slower at a faster rate than hardware advances can speed things up)
Wasmtime being a universal language runtime also means there is an opportunity to write universal developer tooling.
New blog post: What are Temporal and Spatial Memory Safety?
https://blog.yoshuawuyts.com/temporal-spatial-memory-safety/
A good thing I did this week: deleted both YouTube and Instagram off of my phone and iPad. Feeling a lot calmer already.
I’m keeping Mastodon tho; I can’t really keep scrolling on here, and I think that’s a good thing.
the existence of bisexual sitting implies the existence of bisexual sciatica
Hah, I thought USB was the USB of home theatre :P
For people looking for more context on why C++ Profiles are not going to work, here is a good analysis:
https://www.circle-lang.org/draft-profiles.html#c-is-under-specified
C++ profiles, as designed, cannot achieve memory safety. The only way I see it “succeed” is if they try and move the goalposts by attempting to redefine the term “memory safety” to fit what they can deliver.
From my perspective that’s a dead-end. The only realistic mid/long-term solution is replacing C++. The only realistic short/mid-term solution is sandboxing C++.
The cool thing about this approach is that it can be designed and implemented without any input from the C++ committee.
The way to think about “memory-safe systems languages” is that they provide *static* memory safety, which provides optimal performance.
But if the language chooses not to statically mitigate defects, then yeah sure, as practitioners we can just choose to employ security measures to guard against them at runtime.
Don’t just take my word for it; the Chromium project makes this pretty clear with their “rule of 2”. Pick no more than two of:
- code which processes untrustworthy inputs
- code written in an unsafe language
- code which runs with no sandbox
The inputs and outputs to programs are typically fixed to the domain and cannot be changed. Meaning: if C++ code cannot be replaced with a memory-safe language, and cannot be rewritten to be memory-safe, the only remaining option is to sandbox it.
“But Yosh, how would we sandbox C++ code at scale?”
While not a perfect solution, Firefox’s RLBox toolkit (https://rlbox.dev/) provides the template for that. It compiles a C program to Wasm, puts it inside a Wasm sandbox, and provides the same API on the outside of the sandbox.
Now if the sandboxed library exhibits UB, it can no longer be used to exploit the rest of the program. Here’s a full writeup of how this works:
https://hacks.mozilla.org/2020/02/securing-firefox-with-webassembly/
Re: the C++ committee voting down the adoption of a memory-safe subset.
IMO the choice was not between “memory-safe C++ subset” and “C++ profiles”. It was between “memory-safe C++ subset” and “C++ code must always be isolated in a sandbox” — AKA “C++ goes to jail now”.
Saving computer folks a search as to what some C/C++/Google folks mean by certain terms:
- “temporal safety”: no use after free / double free
- “spatial safety”: no out of bounds accesses
I had to look these up, because honestly: these are pretty confusing terms. I wish they would at least consistently qualify these as: “{temporal,spatial} memory safety”.
There are a lot more non-memory related uses of the word “temporal” when it comes to safety (e.g. Temporal Logic of Actions - TLA, etc.)
Yay, Hyperlight has been released! I got to help the team (Azure Upstream) write their announcement post.
Y’all, I can’t tell you how excited I am for this! Real virtual machines! In just 1-2 milliseconds! Instead of 120ms+!
Like, this allows you to start using virtual machines for just about everything. Put them on the hot path. Get goofy with what you’re isolating. All with real, actual, VM-based security.
Oh heh, Cory Doctorow wrote about BlueSky and I think he’s hitting all the right marks here
I think I’ve said this before, but I genuinely believe that, broadly speaking, communication and other “soft” skills are more important than what is considered “technical” ability. And that becomes increasingly true as people gain in seniority.
Like, it’s absolutely not an all-or-nothing type of deal. But it’s more that if you can’t effectively work in a group setting, the importance of someone’s individual technical ability increasingly begins rounding to irrelevance.
My new crank pet theory: all portable electronics should fit one or multiple 18650 form-factor batteries. Or else not include their own batteries at all.
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.