How is it flawed? If the intent is to investigate Linux packages, aren't the repositories of Linux distributions the best place to study?
Debian, for example, packages PyPI packages, and the maintainer could introduce a backdoor in the version provided by Debian. Only focusing on PyPI wouldn't catch that case.
Programmers make stupid mistakes in the safest languages too, even more so today when software is a career and not a hobby. What does it matter if the memory allocation is safe when the programmer exposes all user sessions to the internet because reading Docker's documentation is too much work? Even GitHub did a variant of this with all their resources.
Because memory vulnerabilities don't make programs immune to other dumb mistakes. You get these vulnerabilities on top of everything else that can go wrong in a program.
Manual checking of memory management correctness takes extra time and effort to review, debug, instrument, fuzz, etc., things that the compiler could be checking automatically and reliably. This misplaced effort wastes resources and takes focus away from dealing with all the other problems.
There's also a common line of thinking that because working in C is hard, C programmers must be smarter and more diligent, so they wouldn't make dumb mistakes like the easy-language programmers do. I don't like such an elitist view, but even if true, the better programmers can allocate their smarts to something more productive than expertise in programs corrupting themselves.
The issue is that these great new tools don't just fix the old vulnerabilities, they also provide a lot of new, powerful footguns for people to play with. They're shipping 2000 feet of rope with every language when all we need is 6 feet to hang ourselves.
There has been a bunch of failed C killers, and C++ has massively shat the bed, so I understand that people are jaded.
However, this pessimistic tradeoff is just not true in case of Rust — it has been focused from the start on preventing footguns, and actually does a great job of it. You don't trade one kind of failure for another, you replace them with compilation errors, and they've even invested a lot of effort into making these errors clear and useful.
Assuming the stock of replaceable batteries is large enough to handle them all being replaced simultaneously, that the replacement batteries are not likewise compromised, and that the battery is indeed the compromised component.
Realistically just replacing the pagers is not only safer but also probably cheaper.
Most of the time it's just incompetence: they import the 1823 JS libraries and ask for all the permissions their libraries could use in that corner case that happens once every 1760 years.
You choose your circles and can be selective about who you let in. I've met plenty of adults, some 50+, who reason worse than many 15-year-olds.
I've seen this escalate in media for many years, where loud childish points are celebrated. One current example is how republicans are "weird", and repeated by everyone for the last week, and a talking point even in international media (I'm not from the US). That's the story I'm told about US elections, that democrats think republicans are weird.
And everything that catches our attention will be repeated since they see it working and this destructive cycle continues. The idiocracy is here.
Not OP, but as someone who hates ads and values privacy, switching to a phone built by the world's largest data broker / advertising agency seems like a bit of a wrong turn.
iOS has many - many! - issues, but it is a more privacy-respecting platform than Android is. I'm not saying this to knock Android; I would dearly love it if Google weren't such a data hoover. I'd switch over and never look back.
I thought about it but it’s not really an option if you need certain apps / push notifications. If the options are Android without google play services vs iPhone, the realistic option is iPhone.
GrapheneOS has a neat feature called profiles, so you can have a profile with play services when needed but your main one can be de-googled. Push notifications and apps are cancer anyways, try to live without them.
Why? They've always been this way. I still remember when my friend couldn't see any of my (Windows and Android at the time) devices but I saw all of his on Bluetooth. They've never liked competition.
This is Apple, this is how they do business. I don't think anyone using their products will care though, they'll find a way to spin it into something that is good for them.