from Hacker News

Fish in a Barrel Memory Safety Bounty Program

by Titanous on 7/27/20, 5:51 PM with 23 comments

  • by f00zz on 7/27/20, 7:56 PM

    Sorry, but I'm not seeing how this will help. If I take e.g. libpng and rewrite it in Rust, then it's basically a new project. I don't understand how a patch replacing all existing code will be accepted upstream, or how the many projects using libpng will be convinced to use my new library.

  • by kingkilr on 7/27/20, 6:17 PM

    One of the folks behind the bounty here. Happy to answer questions.

  • by hackcasual on 7/27/20, 6:24 PM

    > Q: What if the maintainers won't accept the patch?

    > A: The Fish in a Barrel Memory Safety Bounty only rewards contributions that are merged upstream. We strongly encourage people interested in pursuing a bounty to work with, not against, open source maintainers and to behave respectfully.

    It's good to see this called out specifically, but I can't help but think this is attaching a monetary incentive to badger a project to accept a patch that at the very least requires changes to the project build system.

  • by rurban on 7/29/20, 12:06 PM

    Rewriting stuff in memory-safe languages would be a worthwhile goal, but then they go on to provide bounties to write Linux kernel drivers in Rust.

    Rust is memory safe only in documentation but not in practice.[1] Rather provide bounties for real memory-safe languages. Rust is also neither type safe[2] nor concurrency safe[3].

    [1] e.g. https://github.com/rust-lang/rust/issues?q=is%3Aissue+is%3Ao... but this is just the surface. alloca is not only unsafe but also security critical. Rust stack allocates too much unchecked.

    [2] https://doc.rust-lang.org/reference/unsafe-blocks.html

    [3] Races as e.g. with https://doc.rust-lang.org/reference/items/static-items.html?... requiring manual mutexes