No other programming language is as widespread and easily available for everything. This has made curl one of the most portable projects out there and is part of the explanation for curl’s success.
Does writing safe code in C require more carefulness and more “tricks” than writing the same code in a more modern language better designed to be “safe” ? Yes it does. But we’ve done most of that job already and maintaining that level isn’t as hard or troublesome.
The simple fact is that most of our past vulnerabilities happened because of logical mistakes in the code. Logical mistakes that aren’t really language bound and they would not be fixed simply by changing language.
So I looked at https://curl.haxx.se/docs/security.html
And I’ll stop here, so far 7 out of 11 vulnerabilities would probably have been avoided with a safer language. Looks like the vast majority of these issues wouldn’t have been possible in safe Rust.
Update (2017-04-10): The Changelog (via Jim Rea):
Daniel Stenberg joined the show to talk about curl and libcurl and how he has spent at least 2 hours every day for the past 17 years working on and maintaining curl. That’s over 13k hours! We covered the origins of curl, how he chooses projects to work on, why he has remained so dedicated to curl all these years, the various version control systems curl has used, licensing, and more.
Stay up-to-date by subscribing to the Comments RSS Feed for this post.