Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

the python interpreter, CPython, is uh, written in C. CRuby, too.

if C was so insecure, you would expect that interpreting python would be just as "insecure" as writing C.



That's so clearly false that it hardly deserves a response. I'm spending more time wondering if you are trolling that why you are wrong. But in case you aren't trolling:

1) A lot of "Python" security vulnerabilities are caused by "C"-problems (overflow errors, etc). [1] and [2] are a couple from this year.

2) You'd expect interpreting python to be more secure than C because the interpreter acts as a filter over input reducing the attack surface, meaning that potentially vulnerable paths are minimised are better tested than if an entire program was in C.

[1] http://www.cvedetails.com/cve/CVE-2014-7185/

[2] http://www.cvedetails.com/cve/CVE-2014-1912/


No, because writing a VM constitutes a reduction in attack surface. Implement a bytecode instruction properly once, and it's good everywhere it's used. Implement a correct garbage collector, and you don't have to worry about use-after-free anywhere in your Python code. You still have to worry about it in your C, though, and you have to make sure it's done correctly Every Single Place you do it. And if you think programmers are up to that task, go browse the CVEs for a while.

Look, I know lots of people like you think that C isn't that hard to get secure code from. But if you were correct, we wouldn't be living in the security cesspool of memory bugs we are now.


Technically you are correct: "C is not insecure". In the same way as "English is not offensive"

However programs written in C may or may not be insecure.

Of those programs you would expect a compiler or interpreter, that has been tested in the wild on millions of programs, and so you are more likely to find the security bugs. Also we hope these programs are written by very talented engineers.

On the other hand Joe Enterprise hacking up a greenfield web service for the first time in C ... more likely to have security bugs.

If Joe Enterprise moves from C to Java. Less likely to have security bugs.


Historical accident. People choose C, because nowadays it happens to be everywhere, which eases porting but there are lots of languages that could be used instead, if people valued safety.


What is the LOC for the CPython interpreter?

Now, what is the combined LOC for all Python code that uses the CPython interpreter (and those LOC are in a higher-level language).

Now compare that to the amount of C code that that would amount to if all of that code was written (or, tried to be written) in C instead.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: