It was not too long ago that we talked about the first Rust CVE in the Linux kernel, which caused system crashes. That same day, 159 other CVEs were issued for C code. While that shows progress with Rust, it also highlights something more concerning: the kernel has bugs that hide for years before anyone finds them.
A research blog published on Pebblebed demonstrates how bugs often stay hidden for years before they are discovered and fixed.
That same day, 159 other CVEs were issued for C code. While that shows progress with Rust,
How? According to https://github.com/torvalds/linux, Rust code is 0.3% of the Linux kernel. 1/160 = 0.00625 = 0.625% of the CVEs on that day were Rust.
Only one sample, so the probability might be way off. But it does not look like progress?
You cannot do that analysis with one sample. Why pick one day? That is an arbitrary amount. Pick the hour or minute that the CVE was released and you will find Rust might be responsible for 100% of CVEs; take a week or a year and that number drops dramatically. Pick the next day and it drops to 0%. You can get any percentage you want if you change the time period you are looking at.
The fact that there has been one CVE in 5 years of Rust in the kernel is a bigger tell. There will be more Rust CVEs, and each one is going to be big news, as they happen so rarely.
Because the article lists 159 others on that day, and then calls it progress.
Original blog post: https://pebblebed.com/blog/kernel-bugs