[GoLUG] Writing an internet server
kc-golug at chadwicks.me.uk
Wed Aug 27 06:42:39 EDT 2025
27 Aug 2025 09:40:05 Ron <ron at bclug.ca>:
>> I'm not even going to reply to most of your mail as it is frankly completely out of touch with reality.
>
> Says guy who thinks rewriting over a million lines of code will produce
> a JS engine immune to security vulnerabilities.
>
> And claims / complains JS is slower than... before introducing JIT? And thinks an even slower JS engine is a Good Idea™.
>
>
You miss out critical parts of what I said, which was browsers were faster.
Microsoft's, or rather Jonathan Norman's, JIT-disabling feature in Edge actually made sites faster and more secure in most cases, actually, now that you bring it up. I guess you don't know of his work because you surely don't follow black hat events and browser exploits.
>
>
>> Everyone knows browser security is terrible
>
> Typical FUD, "everyone knows $not_true_thing".
> Considering exposure, install base, and daily usage, plus the decade the
> big tech companies worked on hardening browsers, it's no wonder you
> can't provide links to frequent cases of users getting pwned and just
> throw out unsupported allegations.
>
I'm not going to go to the trouble of links. I have better things to do, but every year black hat events result in taking over a computer via a browser exploit, so yes, your browser can be hacked right now due to C. They hide the monthly vulnerabilities as "potential memory corruption" fixes under even more clicks than they used to.
> Anything in the past 10 years in JS that was half as bad as "Heart
> bleed" in bash? I'm not recalling any such thing.
>
Fun fact: it didn't affect OpenBSD services too much (DoS), but again due to C. I didn't even patch OpenBSD urgently.
> Even if true, users are not getting their systems hacked very often this
> way. It's more frequent for big hacks to be either social engineering or
> unpatched software.
>
People who can either get paid enough not to or you don't know about it. Social engineering is indeed easier.
>
>> Mozilla hardly if at all maintain v8 they just plug it in.
>
> They have their own JS engine (they call it a JS Virtual Machine) called SpiderMonkey, they've *never* used V8. You have no idea what you are talking about.
>
Fair enough, then they could switch to V8 and develop a secure version?
>
>> Rust isn't even the language that Hoare invented or wanted. You would think Mozilla would evaluate all existing languages before inventing a new one that turned out to be inferior.
>
> I suppose your citation for that is "my feelings" again?
>
Look it up or waste 8 seconds of a microwave's worth of energy having ChatGPT or Copilot do it for you. I think it was probably his own dark themed site.
>
>> Ada was built with far more money and expertise than Mozilla could afford and more time than Google, Mozilla or Microsoft would afford.
>
> That doesn't make it the best choice for running in a browser.
C is possibly the worst choice but still they continue.
>
>
> Also, you conveniently ignore how this Ada code would get distributed to
> a billion users. Binary executable files?
>
Ada has first class C interfacing?
> Are malware developers somehow unable to learn Ada?
>
> Does Ada not allow for executing `rm -fr ~` or other creative nastiness?
>
> Would Ada code need to run in a sandbox then? Which does not exist that I know of (could be wrong). Something JS has already and is battle tested daily by a billion users...
>
No, actually you could use SPARK mode for critical parts like execution and guarantee that the logic is correct, that it won't crash and can't be exploited. Though you could like pledge etc. for C.
>
>
> Ada seems like a great language, but that doesn't make it the best
> language for every application.
>
I disagree. I use Dart because of Flutter but as a language I wish Flutter was written in Ada. The best tool for the job is about libraries.