But for new code / drivers, writing them in rust where these types of bugs just can’t happen (or happen much much less) is a win for all of us, why wouldn’t we do this? C++ isn’t going to give us any of that any decade soon, and the C++ language committee issues seem to be pointing out that everyone better be abandoning that language as soon as possible if they wish to have any codebase that can be maintained for any length of time.
Rust also gives us the ability to define our in-kernel apis in ways that make them almost impossible to get wrong when using them. We have way too many difficult/tricky apis that require way too much maintainer review just to “ensure that you got this right” that is a combination of both how our apis have evolved over the years (how many different ways can you use a ‘struct cdev’ in a safe way?) and how C doesn’t allow us to express apis in a way that makes them easier/safer to use. Forcing us maintainers of these apis to rethink them is a GOOD thing, as it is causing us to clean them up for EVERYONE, C users included already, making Linux better overall.
And yes, the Rust bindings look like magic to me in places, someone with very little Rust experience, but I’m willing to learn and work with the developers who have stepped up to help out here. To not want to learn and change based on new evidence (see my point about reading every kernel bug we have.)
Rust isn’t a “silver bullet” that will solve all of our problems, but it sure will help in a huge number of places, so for new stuff going forward, why wouldn’t we want that?
Greg is a great level head in the kernel regarding rust, at least among the senior maintainers. I hope he can convince some of the more hostile maintainers to accept the new status quo that includes Rust in the Kernel at all levels.
Took way too long, but finally some support from the top leadership for rust?
Linus has also declared Rust as basically inevitable before, since more and more kernel maintainers retire and not many young devs learn C anymore, at least not to a proficiency where you can handle kernel development.
Phoronix’s comment section is as toxic as it can be, but I found a comment that puts into words, better than I could, similar thoughts I have on this:
How about the Linux Foundation forks over a few million to fund the thing in its name?
They could hire more engineers, more testing, more QA. Yet they don’t.
And while at it, maybe Mozilla or any other stakeholder with resources could revamp Rust to produce lightweight binaries, have a stable compiler and for it to be way quicker in compilation?
No? Okay, but then why do all these foundations/organizations exist? And why do they hold such vast amounts of resources, while extorting the projects they claim to help?
I’d only add that it’s not only about the kernel - they are home to a project that could be, in the medium to long term, a serious alternative to Google’s Blink/Apple’s WebKit, and of course an alternative to the hegemony of Chrome, but they actively chose to just not give them a single cent. Yes, I am talking about Servo.
revamp Rust to produce lightweight binaries, have a stable compiler and for it to be way quicker in compilation
It really isn’t that simple though. Rust’s compiler isn’t stable because the language itself is still being improved. This type of thing will only improve as adoption increases and real-world problems get ironed out. You can’t just throw money and devs at it and expect the problem to be solved.
It’s also not like the developers don’t care about compile time, but the nature of the language (strict compiler checks which catch things before runtime) will inherently lead to something slower than other languages’ compilers. There are probably still improvements they can make, but it’s not as simple as just deciding to rewrite/revamp it and expecting massive speedups.
You can’t just throw money and devs at it and expect the problem to be solved.
Then nobody will throw money at any project at all, because everything eventually will be solved by “magick”.
Allocating more resources to that quickens and improves that process, though, incentivizing people to work on it and test it.
I’m not a programmer so I don’t have much skin in the game, but from how it’s described it seems like a good idea to me and Rust seems like a solid language to me. I do understand the concern from devs who don’t know Rust and don’t want to learn it, but I guess that also depends on how much they would actually have to interact with it.
The main problem is that Rust is immature. It’s still evolving, and the unreliable compiler slowly generates bloated binaries.
It’s a great idea, and it will get there, but shoving something incomplete into the mainline Linux kernel isn’t the way to start.
A Rust-only fork, on the other hand, would do much more to test and prove Rust’s utility in such a space.
To point it out for folks unfamiliar with Rust, I consider this comment borderline misinformation.
I don’t know in what world the Rust compiler is considered unreliable. In my experience, it is one of the most reliable toolchains across all programming languages.
The Rust compiler is slow, because it does so many more checks than the C compiler, which is what these devs want. This is also barely relevant while actually developing, because then incremental compilation kicks in, which makes subsequent builds rather quick.
And Rust binaries are primarily larger than C binaries, because it does not use dynamic linking of dependencies. In the kernel, you cannot use dynamic linking anyways, because you need a running kernel to have a filesystem from which to dynamically load these.
Fixing things that aren’t broken serves only to break them.
Sounds like something is broken.
As someone who has seen almost EVERY kernel bugfix and security issue for the past 15+ years (well hopefully all of them end up in the stable trees, we do miss some at times when maintainers/developers forget to mark them as bugfixes), and who sees EVERY kernel CVE issued, I think I can speak on this topic.
The majority of bugs (quantity, not quality/severity) we have are due to the stupid little corner cases in C that are totally gone in Rust. Things like simple overwrites of memory (not that rust can catch all of these by far), error path cleanups, forgetting to check error values, and use-after-free mistakes. That’s why I’m wanting to see Rust get into the kernel, these types of issues just go away, allowing developers and maintainers more time to focus on the REAL bugs that happen (i.e. logic issues, race conditions, etc.)
I’ll take “why is my codebase full of technical debt” for 500, Alex.
But for new code/drivers
Considering the amount of CVEs the kernel puts out, I’d argue there’s plenty there that’s broken, and could be fixed by implementing them in a language less broken than C.
But I know my language and never make mistakes. Don’t know how many times I hear that. If that was true we wouldn’t be having these problems.