[flagged] US Government may require open source software to use memory safe languages (federalregister.gov)
12 points by fork-bomber on Sept 23, 2023 | hide | past | favorite | 18 comments


I’m not seeing “require” in this document. It looks like the document is proposing education and funding for memory safe projects here.


Following the link to the whitehouse.gov cybersecurity policy doc, it looks like this is for Strategic Objective 3.4 - USE FEDERAL GRANTS AND OTHER INCENTIVES TO BUILD IN SECURITY. (pdf warning):

https://www.whitehouse.gov/wp-content/uploads/2023/03/Nation...

And I don't have a problem with this. Years ago the National Security Agency contributed the SELinux kernel module, which improved the security of Linux - not only for Americans, but the entire world. I see this as something that the federal government has identified as a problem and they're asking for input on what to fund. And since it's OSS, everyone benefits.


Please change this incorrect click bait title.

It’s a project to encourage their use. I have also heard about them being required in the future in government roles that are security sensitive, which is quite reasonable.


Bad title then


> As highlighted in the National Cybersecurity Strategy and its Implementation Plan Initiative 4.2.1, the ONCD has established an Open-Source Software Security Initiative (OS3I) to champion the adoption of memory safe programming languages and open-source software security.

This says nothing about "requiring" OSS to use memory safe languages. This headline is misleading.


> In 2021, following the aftermath of the Log4Shell vulnerability

> Supporting rewrites of critical open-source software components in memory safe languages

Let's get everyone onto this Java thing I've been hearing so much about.


While I could see making this a requirement for USG usage, it seems like pretty big overreach outside of that. It would also interfere with the steady supply of 0days the NSA et al. need.


What languages are memory safe? Or are they avoiding saying Rust?



Ada


I'm going to change the license on my products to "You are NOT allowed to use this. Don't ask. Don't use"

It's not like people are suddenly going to respect licenses.


Ha ha ha.

Plenty of OSS is created outside the USA. Good luck applying any such mandates.


I skimmed through the document and don't see anything about them trying to force anyone to use memory safe languages. Looks more like "let's lead the way with using memory safe languages and good security practices, and think how we can encourage others to follow" which is a pretty good thing IMHO.


Let them. The faster they put this in place, the faster they will learn the consequences of their incompetence.


Using memory-safe languages eliminates entire classes of bugs, and this here is where the real money is:

> Supporting rewrites of critical open-source software components in memory safe languages

There is so, so much open-source software in dire need of funding. Actually getting someone to pay for maintenance - even if it is the US government - is a good thing.

Relevant xkcd: https://xkcd.com/2347/


That's all we need. A version of sqlite that takes 10x more memory and cpu. And at the same time is incompatible and unusable.


Rust is memory safe if you choose to use it that way. So is C/C++. Rust has no “defined behavior”, unlike C/C++ which has clear defined behavior (via the standard).

Yes, I jump to Rust when it’s not mentioned… copium
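Added example (not from the thread, and not from any document linked above): the "entire classes of bugs" claim a few comments up and the "memory safe if you choose to use it that way" point in this one, shown on one Heartbleed-shaped handler written three ways. The wire format (type byte, big-endian u16 length, payload), the function names and the sample packets are all constructed for illustration.

```rust
// Added example: a "echo back N bytes" handler, where N is a length field the
// peer controls. Wire format (constructed, not a real protocol):
//   byte 0      : record type (0x01 = heartbeat request)
//   bytes 1..=2 : claimed payload length, big-endian u16
//   bytes 3..   : payload
const HEARTBEAT_REQUEST: u8 = 0x01;

/// Safe Rust, idiomatic: `get` on a slice returns `None` instead of reading
/// past the end of `packet`. A lying length field cannot leak neighbouring
/// memory; the worst it can do is get the request rejected.
pub fn echo_payload_checked(packet: &[u8]) -> Option<&[u8]> {
    if packet.first() != Some(&HEARTBEAT_REQUEST) {
        return None;
    }
    let len = u16::from_be_bytes([*packet.get(1)?, *packet.get(2)?]) as usize;
    packet.get(3..3 + len)
}

/// Safe Rust, naive: direct indexing trusts the length field. The language
/// still inserts the bounds check, so an oversized length panics instead of
/// over-reading: a crash (denial of service), not an information leak.
/// The panic is caught here so the outcome can be observed as `Err`.
pub fn echo_payload_naive(packet: &[u8]) -> Result<Vec<u8>, String> {
    std::panic::catch_unwind(|| {
        let len = u16::from_be_bytes([packet[1], packet[2]]) as usize;
        packet[3..3 + len].to_vec()
    })
    .map_err(|_| "bounds check failed: length field exceeds buffer".to_string())
}

/// `unsafe` Rust, the escape hatch: `from_raw_parts` does no bounds check, so
/// a lying length reads whatever follows `packet` in memory, exactly like the
/// C original. That is undefined behaviour and the compiler will not stop you;
/// the caller's `// SAFETY` comment is the only guard. Kept here to make the
/// point, and only ever called below with a packet whose length is honest.
pub unsafe fn echo_payload_unchecked(packet: &[u8]) -> &[u8] {
    let len = u16::from_be_bytes([packet[1], packet[2]]) as usize;
    // Missing: a check that 3 + len <= packet.len(). This is the bug class.
    unsafe { std::slice::from_raw_parts(packet.as_ptr().add(3), len) }
}

/// Constructed sample: claims 4 bytes, carries 4 bytes.
pub fn honest_packet() -> Vec<u8> {
    let payload = b"ping";
    let mut p = vec![HEARTBEAT_REQUEST];
    p.extend_from_slice(&(payload.len() as u16).to_be_bytes());
    p.extend_from_slice(payload);
    p
}

/// Constructed sample: claims 0xFFFF bytes, carries 4.
pub fn lying_packet() -> Vec<u8> {
    let mut p = vec![HEARTBEAT_REQUEST, 0xFF, 0xFF];
    p.extend_from_slice(b"ping");
    p
}

fn main() {
    let honest = honest_packet();
    let lying = lying_packet();
    println!("checked/honest: {:?}", echo_payload_checked(&honest));
    println!("checked/lying:  {:?}", echo_payload_checked(&lying));
    println!("naive/honest:   {:?}", echo_payload_naive(&honest));
    println!("naive/lying:    {:?}", echo_payload_naive(&lying));
    // SAFETY: honest_packet() carries exactly the length it claims.
    println!("unchecked/honest: {:?}", unsafe { echo_payload_unchecked(&honest) });
    // Deliberately not called with `lying`: that would be undefined behaviour.
}
```

The first two versions are what "memory safe" buys: the bug is either impossible to write (checked) or turns into a crash (naive). The third is the "if you choose" part: once a block is marked `unsafe`, the over-read is back and nothing in the toolchain catches it, which is why reviewers treat every `unsafe` block and its `// SAFETY` justification as the audit surface.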


You can argue endlessly about nuances yet people are being spied on because of mem issues



