'Maybe the problem is you' ... Linus Torvalds wades into Linux kernel Rust driver drama

Re: Fair comment by Linus

If that were the case, yes.

It is not the case. The Rust folk are not trying to change ANYTHING in that API.

They are bindings to allow Rust to work with the C API as it is, and to be maintained by Rust devs.

Saying that I'll block an alternative binding to the API that I maintain is not productive behaviour.

Re: Fair comment by Linus

They didn't submit a patch to the maintainer's subsystem. He was CCd on a change that added wrapper code, out of courtesy, and perhaps to review it. Now, if there were good technical reasons to block it or hold it up for another approach then that would be fine and we wouldn't be talking about it. But "because I don't want this to exist" isn't really a good reason.

Re: Fair comment by Linus

To be fair, the Rust folks offered to shoulder burden of maintaining the Rust part, but that by itself would lead to problems down the road, both of technical and relational natures (egos and stuff).

FFS, this ninny again.

There are some people on The Register forums who spout a lot of crap, but also make a reasonable number of interesting points - enough, at least, that they’re still worth reading.

And then there’s Beast666 who reads like a bot, pollutes the conversation, and never has anything worthwhile to add.

Mr(s) Moderator, can this troll be put down? It’s boring. Can we have a hamster instead? Or even someone with a serious and dangerous addiction to code?

> Make Linux Great Again. Deport the Rust.

Congratulations. You have just confirmed my fears this is a spat which has parallels with racism -- as per the white guy insisting it's a whites only place, and non-whites will not even be tolerated on the outside, can not even be allowed their own clubhouse.

And Linus's "don't go seeking public support for your civil rights" doesn't look good in that respect.

Still whining i see....

Re: Not a trivial problem.

Yes but the type of coding error we care about most is security vulnerabilities. According to Google, Mozilla, and Microsoft, about 70% of those have been due to memory safety issues. C variants are out of the race as far as anyone who cares at all about security is concerned.

Re: Not a trivial problem.

> If Rust was seamlessly able to work with C's ABI, adding Rust code would not be difficult.

Pedantic nitpick : Rust code does seamlessly work with the C ABI.

The problem is the kernel API, or more specifically, the fact that it very deliberately does not have a stable one.

If you try to extend C to make it give the sort of guarantees that Rust has, you would end up with something that looks like Rust and has the same integration issues.

Democracy? There are no democracies here

None of the things described here are democracies; if anything, your worries in regard to the Linux kernel seem fairly related to that project being one man making decisions and also being the figurehead. If it was a democracy one would imagine very different decision-making systems shuddering into motion in reaction to this conflict.

I can perhaps see where you're coming from if we think about how Libre software projects like the Linux kernel have a dimension of governance not really possible for projects tied to the tangible world like nations are. That is to say one of the ways the Linux kernel approaches democratic is that people could fork and maintain changes the existing project won't, which is akin to if a nation had a dictator but also people could portal to alternative universes with ease where different people got to control the entire nation, and rather than citizens voting on their government they could emigrate between those parallel undemocratic worlds.

Well, maybe.

Linus already made the decision that yes rust would in the kernel. Hellwig opposed the patch but he can't actually block it because it's not patching his subsystem, it is wrapping it.

So one wonders if Linus being quiet on the matter is purposeful to foster debate and/or expose those who are going to be a problem. Martin has quit and Hellwig doesn't come off looking great. Linus and Linux can carry on integrating Rust or not, without quite so much drama.

> Rust being the best future,

Rust is the most hyped future, it might be good but then there are other, less hyped languages, that are probably equally as good if not better, depending on what you are wanting or do.

Re: Maybe, just maybe...

Maybe, just maybe... Some of the rust people can team up with the current maintainers and just go, "Let me handle all the Rust aspects of this."

That's exactly what the current situation is. The Rust developers are maintaining bindings to the existing C API. Hellwig is just being an arsehole.

Re: Maybe, just maybe...

> "Let me handle all the Rust aspects of this."

They may as well say "No sooner said than promised."

If you hand the keys to the kernel level DMA API to any programming language then the code that uses that API can not be memory safe. Any code that has direct access to memory or access to hardware that has direct access to memory is by definition unsafe. You can put guard rails in the code but it is difficult to predict and handle all edge cases that might arise. Since hardware drivers must have direct access to hardware they are inherently unsafe. Why some people think that Rust can fix this makes me wonder if they have heard about the use of unsafe in Rust. I sure using Rust can improve safety in some parts of the driver but this can not hold true for the driver itself.

To more directly answer your question, C was originally written to provide as low a "high" level programming language as you could get without resorting to assembly. Over the years many improvements for writing safer C code in the language definition itself and in the C library have been implemented and adhering to them can greatly decrease problems with C code. Unfortunately due to the very nature of C, the safety of the code totally depends on the programmer. Being a life long (40+ years) assembly and C programmer my approach has always been meticulous attention to detail, knowledge of areas that need special attention, and a tough testing regime. It takes me longer to finish programs, but I generally find I need far fewer fixes during and after testing.

There is resource safety (including memory) in C++ although it's still up to the developer to follow the well-established pattern. But since Linus won't allow C++ in the kernel it doesn't matter. Rust gives him the ability to gain some of the benefits of C++ and more without losing face.

People are working on a proposal for C++. However, there are a couple of pertinent issues here:

• It isn't a magic button- it requires your code to carefully be reworked to use it effectively.
• The Linux kernel is not C++, only C. Linus doesn't want to add C++ to the kernel, since there are too many crazy edge cases that crop up, particularly in the sort of code you write for a kernel. Additionally, it is far, far too easy to write code that looks like it does one thing, but does something slightly different. Not what you want when tracking down a low level memory issue.

Come on people, downvoting a question as innocent as that is a bit off. There's a lot of readers of El Reg who are not C/C++ developers with decades of experience and have no programming experience at all.

Hard hats and other Safetyware required beyond this point !!! ==>

Is this a troll ?

or

Have you not researched this 'Question', not even a little, before asking it ?

:)

Short answer IF the original was NOT a Troll !!! :)

Short Answer:

Because creating a 'Memory Safe' C/C++ is just as big a problem as moving 'unsafe' code to Rust.

There will be a performance hit for changing C/C++ and you need to ensure that ALL code still works !!!

The same semi-religious objections to changing C/C++ will arise as with changing Kernel code to support RUST.

Who decides what is changed and what is not ???

Who decides what those changes will be ?

Who is going to be responsible for managing & maintaining the 'NEW' C/C++ version ?

Ditto

Ditto

Hopefully you see the direction this is going in !!!

The real problem is NOT 100% what language you code in BUT the fact that at the lowest level when you have to 'manipulate' hardware etc the code is going to be non-menorysafe. Rust can handle this BUT it is an exception to the reason for using Rust in the first place.

Rust cannot be imposed on people who don't want to use it.

The fact that Rust binding are there WILL impact the work that everyone does and you cannot ignore the consequence of ANY changes even IF you are not resposible for maintaining the code yourself.

It is an example of 'unintended consequences', you cannot always see what your changes MAY impact and you will find that something that WORKS when you are only working in C will have an impact for the Rust devs.

You are therefore FORCED to work with the needs of the Rust Devs, in mind ... this may be something you do not want and as the work is being done by volunteers (mainly) there is NO onus on them to do what they do not want to do !!!

This is a simple example of the issues at hand and the problems that need solving ... NO solution is going to be easy or popular or 100% supported !!!

:)

RE: Why isnt there a memory safe implementation of C/C++??

> Why isnt there a memory safe implementation of C/C++??

Nowadays there is a safe version of C++, the Circle C++ from the talented Sean Baxter (you can play with it in https://godbolt.org/):

https://www.circle-lang.org

The site also contains the proposal paper for current ISO C++.

No, Linus had some very good points about why C++ was inappropriate for the Linux kernel. You can only use a very small subset of C++ features in the core kernel subsystems (no exceptions, no STL, etc) at which point, there's very little benefit but a lot of complications to supporting C++. The issue is less clear for drivers, but even there you cannot use a lot of C++ features since they don't play well with the quirks of a lot of actual hardware. That's also why C is a lot more common for embedded systems than C++.

Re: bigger problem......

They are, and this is the result.

Re: bigger problem......

"how old is he?"

Not very, except, maybe, to a 20-year olf who knows everything.

Re: bigger problem......

"How old is he?" -- https://letmegooglethat.com/?q=linus+torvalds+age

Re: If you want Rust...

They don't want to prove themselves, they want to defecate on someone else's project. The downvoters agree with them.

Where is that pure-Rust kernel, then? We keep coming back to this.

The kernel is old, unsafe, garbage! Agreed! Why not just throw together a linux-compatible kernel in rust from scratch, run it through some tests, and ship it with the rest of the gnu stack. It's so much easier to code when it's memory-safe so it should be easy and quick to implement, heck I'm surprised it hasn't already been done. Then all of these OLD (the worst thing you can be) programmers maintaining Linux can be given something to keep them busy (just let them keep working on the old kernel, they'll never notice it's unused because they don't do TikTok) and ignored.

Interesting to see the ageism creeping repeatedly into the discussion, as if having 40 years of experience doing manual memory management (and miraculously making a working program without guard rails) is proof that you're obsolete and inferior. :)

Erm, https://avahi.org/ ;)

The problem isn't whether or not he approves of it. The problem is that, at least twice now, the rust for linux group have sprung surprise PRs for sub-systems with no, or very little, prior involvement of or discussion with the maintainers of those sub-systems. Their presumption of absolute domain knowledge and the superiority of their position is what is getting people's backs up. In the inodes case, they didn't even understand the semantics of the sub-system they were trying to rustify

Marcan is the most extreme version of it, but the r4l team generally appear to have an issue of assuming they know everything, not communicating with anyone outside the r4l team, then presenting a PR as a fait accompli to the maintainers of a sub-system they're working in, rather than working through the normal process of review and acceptance. It's not a kernel-developer-specific problem they're fighting against, either; any team that is presented with a surprise commit that doesn't follow the expected workflow, from a developer who has decided he knows better, is going to push back and require compliance with their processes.

Re: Linus did not "shoot the messenger"

Yah, definitely the most off-target tagline on El Reg in a long time--undoubtedly an attempt at a joke but wow when humor fails it fails hard dunnit?

Re: Big problems need bigger people.

You're right, that's a very bad analogy.

Good analogy, bad execution of analogy...

Yeah you have it backward. EVs are a small evolution for cars, which were highly computer controlled and technical before hybrids, and which had years of hybridization before they went full EV. Manufacturers were involved in these changes and kept their repair shops up to date throughout the transition. Some manufacturers were very conservative about the transition to electric, as it is a new technology and considerably different from ICEs both in terms of power generation and control systems. The transition was done gradually across many manufacturers and models with careful planning, and undoubtedly with lots and lots of coordination between the designers, manufacturing, and the one place where dealers make money: maintenance.

In other words, it's actually not a bad analogy but only if you actually have a tiny insight into how automotive manufacturing, dealerships, and manufacturers work.

A team leader who can't coordinate and communicate well with the rest of the teams? Deeply entrenched old-school processes and highly profitable existing products? Well.. there's a reason some auto manufacturers were later to the party than others, isn't there?

Linux has the ULTIMATE installed base. Sweeping changes without buy-in simply aren't happening.

Re: The world went to hell when we lost PEEK and POKE

for i = 0 to 255

for j = 0 to 32767

print "write " i " to " j

poke( j, i )

next j

next i

Re: Rusux

OS

There is a Rust OS - called Redox. It's another Unix-like OS, in that it behaves like the Unix standard requires it to. It's kernel is written in Rust too. It's no where near production ready, but what is notable is the timeline. That project went from nothing to having a running user desktop in 3 years flat. That's a pretty rapid rate of development. This bears out one of the oft-cited aspects of developing in Rust - it's faster. This is simply because one is not spending time debugging bugs that are down to memory faults.

Rust is creeping into Linux in the kernel, and may or may not eventually displace C.

Userland

Rust is creeping into the Linux userland too. There is a Rust re-implementation of the standard gnu coreutils (things like ls, cat, all the standard cli tools). This project "uutils" was started by some in (I think) Mozilla who decided it was high time he learned Rust, and chose this as a learning project. It blew up from that self-teaching start. The interesting thing is that the end result is an improvement, not just a slaveish translation of the original C.

Hardware, and a Very Big Bet

Rust has an interesting facet - "Fearless Concurrency", which may have played a part in that. It was used in Firefox's implementation of CSS - which is why it's so fast. I mention it because there's an important aspect of Rust that may become very important in the future.

Rust's syntax means that the compile knows for sure the ownership of objects. Can a piece of code change a piece of data, or read it? It knows this. This means that Rust can easily implement CSP, i.e it implements "Channels" much as golang does, but doesn't need a garbage collector. The important bit is, how is this implemented under the hood?

I think that the Channels are - at present - implemented by the compiler as shared memory (in the sense that the receiving thread is accessing memory written to by the sending thread). So far, so very Symetric Multi Processing / shared memory / computers as we know them today.

However, there's no hard and fast reason why the compiler should do this, other than that is the hardware architecture upon which most code in the world is run today. And the thing about this hardware architecture is that, today, it truly sucks. It's the reason we've had Meltdown, Spectre, and all the other cache fault based probings of sensitive data in one program by another. All major CPU architectures have fallen for this, Intel, AMD, ARM, ARMs of various flavours (including Apple).

An alternative hardware architecture would be that all CPU cores are entirely separate, with their own memory controller, L3, L2, L1 cache, joined together on a "network" allowing rapid exchange of data between cores via only that network, and not via L3 cache. No shared memory. Data gets transferred between core only if the software explicitly does that. We've had real hardware architectures like this in the past - Transputers - and back then they looked like that' what we were going to have to use. The Cell processor in the PS3 was also like this internally (between it's SPEs). The problem today is that it's utterly incompatible with all current operating systems, and most multithreaded software (except for golang, Rust, Erlang).

This is where Rust could come in. It could take the code written to use "Channels" and implement that across real, physical channels. The source code need not change for building on a hardware architecture radically different to today's SMP. And that'd make it a lot easier to ditch problems with shared caches.

Today, hardware is stuck with SMP because of the software, and the software is stuck on SMP because no one wants to re-write it. The point is that if a re-write were to happen and it was done in a Rust-channel way, so long as the compiler was changed the hardware could also change, but the re-written source could stay as is.

So, I think there is far more at stake in this Linux/Rust question than first meets the eye, and it's probably the case that even today's Rust efforts in Linux aren't looking far enough ahead. A kernel written in a way so as to be largely independent of whether the underlying hardware is SMP or more Transputer like would be a very, very potent asset. It wouldn't help the software it's hosting unless that too was re-written in a strictly go-like or Rust way.

However, I fear that what I'm suggesting above would take massive coordination between many different organisations, and it's effectively socially impossible. We can't even get simple decisions about wrapping APIs written in one language in a way to benefit another without some unholy row breaking out.

Re: Oxide OS

I sort of agree BUT it does smack of 'Go away and build your OWN OS ... (that should keep THEM out of my hair for a few years !!!) ... problem solved'.

The idea appears to be valid but not doable in a reasonable timescale.

What is more reasonable is to 'leverage' the experience of the existing maintainers to incrementally 'upgrade' the kernel with rust, which should/could reduce the timescale.

This, of course, is the reason for this article and all the bad blood ... the working together phase is being 'forced' due to a lack of patience and a little respect.

It could be doable but the approach needs to be more nuanced and *BOTH* sides need to be prepared to learn.

I am neither pro or against rust BUT would like to see better communications to see IF this idea has 'legs' or not !!!

:)

Re: Oxide OS

Are there enough developers and time? Won't AI be creating everything by the time it's comparable? ;)

Re: Oxide OS

They're already doing that. Apparently, it's hard. :D

Re: mean geeks

Are you shaming shaming?

The only "open discussion" from marcan was him openly discussing the idea of compiling secret blackmail dossiers on people who disagreed with him.

Re: uh wasn't USENET where Linus started it all...

USENET was a little different. The barrier to entry means you get a different class of troll. See also, Mastodon a year ago.