Introducing tmux-rs

There seems to be some rather irrational obsession about this.

Things can seem irrational when you don't understand them.

Another comment in this thread hoped for "a brand new bulletproof tmux-resurrect". The reason there's a desire for such things is closely related to the limitations of non-trivial programs written in C.

They're harder to extend without bugs, harder for new team members to understand, and so on.

The "irrational obsession" has to do with advancing the state of the art beyond a primitive high-level assembler that was developed in the 1970s.

I understand them very well, I just do not think it trumps all other considerations. Also I do not believe that Rust is easier than C. It is also less fun, less portable, and has another annoying ecosytem costs.

There's a lot of subjectivity here. The last serious C code I wrote was in the early 1990s, and I don't miss it at all, because I don't like spending time on low-level details unrelated to the problem domain I'm working on.

I find Rust fun and easy for writing system-level code, and I have enormous appreciation for the degree of correctness-by-construction that it can provide. Generally, if it builds, it works, as long as you're making proper use of the type system - make illegal states unrepresentable, as the saying goes. That's very difficult to do with C.

Rust isn't perfect. For most things, I'd rather be using Haskell, ML, or something on that level. But it's still on a completely different level from C, and rewriting the software ecosystem in it can only be an improvement.

> developed in the 1970s.

It was born in the 1970s and was standardized in the 80s and 90s. It continues to develop. Numerous data types have been added, along with unicode and threads. The C23 standard was released last year.

> It is also less fun

Statistically it is the most fun language there is, based on Stackoverflow. Portability is just a matter of time like with any language.

You can say something similar about COBOL and FORTRAN. C's fundamental flaws aren't being fixed, because that would require a new language.

There comes a point at which it becomes necessary to move on.

It comes from the fact that nearly every useful program written in C has multiple security vulnerabilities just waiting to be found. In the unlikely event that you have a codebase that's free of them, you risk introducing one with any significant change.

What in your mind are the fundamental issues of C? Because memory safety clearly isn't one of them as brand new systems languages are being written without it (Zig).

What's wrong with FORTRAN?

Absolutely zero shade to Zig, because it is still pre-1.0, but if you look at which new systems languages have gained wide adoption recently, instead of languages that are just created, you end up with Rust. And the stated reason industry is adopting it is memory safety.

It’s hard to actually define what Fortran means. There’s features in the standard that are not portable, and many portable features that are not standard. It’s kind of a mess, and getting worse.

Instead of just dogmatically asserting that any C program has security vulnerabilities, and changing C programs is also a security problem, you should look at what tmux's record actually is.

tmux has existed for approaching 18 years, and M. Marriott is still actively improving it as of last week. One can actually look at its record over that time, and, if that record is poor, replace proof by unsupported generalized assertion with proof based upon actual evidence.

* https://cvedetails.com/product/20683/Nicholas-Marriott-Tmux....

C23 is very different than C89. C89 variable declarations are decidedly not fun.

Embed, designated initialization, and constexpr are really nice adds.

Rust is far more portable in practice than C. Your average C program is written either for Unix or for Windows, while Rust has sufficient abstraction power to be able to write most business logic once.

I maintain cargo-nextest, a widely-used test runner for Rust. It is possible to write nextest's runner loop in C, but it would be extraordinarily difficult — each test's state machine has dozens of states, there are several dynamic event sources as inputs, and the event loop relies heavily on epoll/kqueue/the equivalent Windows thing, as abstracted out by Tokio. So most test runners written in C don't even try to approach the quality, reliability, or portability of nextest.

https://nexte.st/docs/design/architecture/runner-loop/

As someone using rust for over 7 years and recently switched to zig for personal projects, there is a lot of nuance. Yes rust is very reliable, it is really good even if you set memory safety aspect aside. But developing in rust is just so painful compared to using a simple language like c or zig and just enjoying the process.

Also dev time is massively shorter and the time I gain is spent on adding more features and tests.

Would recommend building low level projects in something like zig, if you care about build time and don’t want to use a dependency for everything.

The same kinds of things that are wrong with all languages originally designed more than 50 years ago (75 years in Fortran's case) and that have accreted features since then. You end up with long-term fads like class-based object orientation embedded in the language, and that inhibits them evolving towards more principled designs. C++ is in a similar situation.

All of these languages are Turing complete. So ultimately, if you're happy writing code in some language and don't want to change, that's your choice. But the reason Fortran or C or C++ isn't many people's first choice for new projects are closely related to the reasons I've mentioned. There will always be people who want to stick to what they know, but it's not only science that advances one funeral at a time.

Lol, if you believe such surveys.

zig is trying its best to also be memory safe (at runtime, if you want it) whereas c is stuck in the past (you can add on sanitizers, but they arent built into the language)

I think you have no idea how big the C ecosystem is. I am not sure what cargo-nextest is, but I have seen people solve the most challenging programs in C.

Memory safety is certainly a pretty fundamental problem with C. Zig actually addresses some of those issues, even if it's not fully "memory safe" by definition. Besides, the fact that new systems languages are being written without memory safety doesn't make it a good idea. People write all sorts of languages for all sorts of reasons.

C's lack of memory safety covers a broad range of concerns, including manual memory management, unrestricted pointers, null pointers (Tony Hoare's "billion dollar mistake"), buffer overflows, use-after-free, integer promotions, and so on.

Its weak type system is another fundamental limitation, closely related to its limited support for abstraction. The weakness of the standard library reflects this. The weak type system means that the static guarantees it provides are minimal. There were excuses for all this in 1975, there aren't any more.

Undefined behavior is more of an issue in C than in most languages. Again, not something you ideally want in a systems language.

Language-level concurrency support is virtually nonexistent.

Use of textual preprocessing, with limited semantic integration, as a language feature. Aside from the effects on the meaning of source code, it also makes building C programs more complex.

And again, the reason C23 hasn't addressed any of this significantly is because of fundamental limitations in the nature of the language. You can't "fix" these things without developing a new language.

That search misses this: https://www.cvedetails.com/cve/CVE-2020-27347/

That is still quite a good record, but my statement stands. It is supported by decades of my experience working in C-derived languages. You don't have to accept my experience or believe my statement, of course, it's all the same to me.

As I mentioned, cargo-nextest is a widely used test runner for Rust -- you're welcome to check out its website for its feature set.

It is possible to do this in C, because it compiles to machine code in the end. But would be out of reach for all but the most talented of C teams working over many years, and the portability costs would be massive. As a result, I don't know of a test runner that comes anywhere close to the feature set and portability of nextest that's written in C.

> I think you have no idea how big the C ecosystem is.

I'm definitely aware that the C ecosystem is much larger than the Rust ecosystem.

I like C and various parts of C++ and I'm still writing new code in those languages. But for any component that could be exposed to malicious data, security is a never-ending game of whack-a-mole. I'm not saying everyone must move away, just that when people do, this is a big reason why.

I also doesn't seem like anything most people would spend a lot of time on. I run my tests using "make" which somewhat poor but does the job. So from a programming side, what exactly do you think would be difficult to implement in C?

I think this narrative of the unfixable fundamental flaws in C is a lot of nonsense. There are certainly a lot of dangerous aspects, but most are rather easily avoided. Rust has an advantage, with temporal memory safety. I do not think C++, Zig, or Go have a fundamental advantage. There is certainly a lot of bad C code out, but instead of changing language, you could also just write modern C code.

That's a little like closing the barn door after the horse has already bolted because if you're concerned about security, then running any untrusted software in your terminal multiplexer is already a bad idea, regardless of whether your multiplexer is written in a memory-safe language or not.

...and before someone moans that I'm a C-fanboy, I'm really not. I've been writing software exclusively in memory-safe languages for 10+ years now. But I'm also pragmatic about when arguments about a RiR (rewrite-in-rust) are sensible and when they're not. In tmux's specific case, arguing about security misses the point.

> I also doesn't seem like anything most people would spend a lot of time on.

That's because the conditions created by C make solving this problem very hard, not because the problem isn't worth solving.

It is still a hard problem with Rust, requiring heavy use of async state machines to manage a rather extraordinary level of complexity. But at least it is possible for essentially a solo dev like myself to do in a robust, largely bug-free manner.

> I run my tests using "make" which somewhat poor but does the job.

Right, "make" is indeed not quite a high-performance enterprise-grade test runner with parallel test execution, high-quality reporting, signal handling, dynamic status querying, timeouts, retries, flaky test detection, mutual exclusion between tests, a DSL that lets you specify sets of tests, flexible configuration, archiving tests to run on another computer, sharding test runs, JUnit support, wrapper scripts, setup scripts, and several other features. Make doesn't even properly support Windows, which is table stakes for a portable test runner.

You're welcome to peruse the design documents:

https://nexte.st/docs/design/architecture/runner-loop/ (already linked above)

https://nexte.st/docs/design/architecture/signal-handling/

https://nexte.st/docs/design/architecture/input-handling/

Looks like you think only in windows and linux. Ok, but how much of your rust runs on freeRTOS or bare metal and on how many processor families? C? Runs on all of them. 6502? No Problem? 8051? Clearly! CRC16C? Yes. Eco32? yup. i386? Is developed to run C. Arm64, Arm? They too. They run Minix in their internal controlling hardware. Written in C...

Rust is not portable at all compared with C code.

It's fun when you don't use it for work. And the most people don't use it for work but just rewrite any tool they can find.

Nextest works on a variety of platforms and architectures -- a lot more than x86_64 Windows and Linux. Porting to new platforms tends to be quite straightforward as long as someone's made Tokio work on that platform. (This is the power of abstraction! Turning MxN portability problems into M+N ones.)

C definitely has a place, but "Rust is not portable at all compared with C code" is simply not correct. A lot more Rust code works across Windows and Unix than C code does. Rust's portability story is different from C's, much better in many ways but worse in others. In practice I do think Rust ends up being more portable than C in most practical scenarios -- for example, look at how things like `eza` work on Windows, the number one developer platform worldwide.

You never run curl dumping to stdout? You never cat or less a file you downloaded? You never ssh to servers run by other people?

> Another comment in this thread hoped for "a brand new bulletproof tmux-resurrect". The reason there's a desire for such things is closely related to the limitations of non-trivial programs written in C.

I don't follow; tmux-resurrect isn't written in C and is mostly useful to keep sessions across reboots.

> There are certainly a lot of dangerous aspects, but most are rather easily avoided.

This is an almost childish claim. If they're so easily avoided, how do you explain the enormously long list of CVEs for C and C++ programs?

> I do not think C++, Zig, or Go have a fundamental advantage.

We agree on that. They objectively do not. They're all an attempt to continue the C legacy. Go specifically is particularly ridiculous, having been designed quite recently by people from the 1970s who steadfastly refused to learn any lessons from the last 50 years of programming language development.

To be clear: I'm from the 1970s as well. I learned FORTRAN in 1977. But unlike the designers of Go, I didn't allow my understanding of programming language design to stagnate in the 1970s. I learned things. I studied things. I discovered things.

Do you believe that C is the ultimate in system programming language design? If you agree that it's not, then what are we arguing about exactly?

FORTRAN means what it's always meant. The standard is a guide for the implementor. The user needs to code to the implementation.

It's a different way of thinking about languages than most people usually do, but it's been true for FORTRAN since the 1950s and is true to some extent of every language with multiple implementations today.

Wow, that's the most condescending opening to a comment I've seen in a while.

What adoption? Blog posts? Echo chambers? Rust peaked. The hype pushers don't want to believe it but that is the reality. Absolutely zero shade to Rust.

You support my point while also missing it.

> You never run curl dumping to stdout?

Not against untrusted URLs, no.

> You never cat or less a file you downloaded?

I don’t download untrusted files.

> You never ssh to servers run by other people?

100% no.

——-

Sounds like what you need more is a VM ;) executing anything untrusted in a secure environment is a dumb move.

No, I'm disagreeing with you that it's getting worse, as well as that it's all that bad in the first place.

No, that is likely not true. There are platforms today for which C-based tmux runs but Rust never will. It's not that we are simply waiting for the backport of Rust to magically appear for them, it's quite a certainty that it will basically never appear.

Seeming as I'm getting downvoted, let me explain my point better -- and please hear me through because I'm genuinely making some balanced arguments here rather than just viewing things as "black and white":

If you care about security enough to be concerned about memory-safety bugs in tmux, then tmux is already a fail, regardless of whether it's written in Rust. I detailed some features in another comment about some of tmux's features that basically make it spyware for untrusted code. And that's got nothing to do with the language it is written in.

But assuming you only care about terminal output and trust the software you execute, then you still have a hundred other libraries written in C between and tmux and the internet: openssh, libcurl, openssl, glibc, and so on and so forth. I'd actually welcome seeing many other those rewritten in Rust (or another memory safe language). So rewriting tmux before them is a lot like closing the barn door after the horse has already bolted.

Thus if you're genuinely concerned about memory safety security vulnerabilities then the only safe way to work with untrusted output is in a VM.

As it happens, this is exactly how highly secure systems operate. Their developers work on VMs which are tightly locked down by the vendor and easy to destroy if they become compromised.

Literally the only way to solve the problem you describe is to assume the entire stack is already compromised and thus run it in a sandbox.

So does rewriting tmux in Rust improve security? Yes, technically you're right. But it makes almost zero practical benefit compared to everything else. Memory-safety in tmux is not your weak link here. Not even remotely.

Disclaimer: I've developed terminal emulators, shells and terminal multiplexers in memory safe languages. My latest project makes heavy use of tmux integrations (again, in a memory safe language) so I'm very familiar with tmux's quirks. I also have a background in DevSecOps. You could almost say this topic is my specialist subject ;) The Rust hype is a generally good thing but misplaced in this very specific discussion.

Do you run your web browser in a VM and skip security updates for it since it doesn’t matter anyway?

I know you say you’re not viewing things in black and white, but “run in a VM or don’t care about security and vulnerabilities don’t matter” is exactly that.

I’m talking specifically about tmux.

I’ve already said there are other applications I do think benefit from a memory safe rewrite.

> It's not that we are simply waiting for the backport of Rust to magically appear for them, it's quite a certainty that it will basically never appear.

Abstraction happens on the level where tmux requirement is irrelevant. When the usage of Rust gets wider, people start adding support on compiler level for other needs. It is inevitable.

Why is it any different? All your arguments apply there as well.

Not really.

I don’t need to access untrusted sources from tmux. I do from Firefox.

Tmux has a smaller, easier to audit code base. Browsers are large, complicated and sprawling projects. That makes browsers a much larger attack surface.

Browsers already have sandboxing and other mitigations. Tmux doesn’t. Which means there are lower hanging fruit to fix in the terminal vs web browser.

Browsers are used by more people than tmux. So it’s a juicer target for zero-days.

We also already have Rust-based multiplexers for people who are worried about memory safety. There isn’t for web browsing.

Security is a scale of risk rather than something that is black and white. At some point the scales will tip and rewriting tmux in rust makes sense. But as said earlier, we already have Rust-based multiplexers for that eventuality. Whereas the need to harden browsers is much more urgent.

Context matters when it comes to InfoSec. At this point in time, rewriting tmux in Rust offers marginal gains vs rewriting a browser in Rust.

>You end up with long-term fads like class-based object orientation embedded in the language, and that inhibits them evolving towards more principled designs.

And what makes you think today's "principled designs" won't get the boot a few years down the line too? These things are cyclical and rarely based on any real mathematical reasoning.

The browser having a larger attack service is an argument for the browser being more important to run in a VM, not less.

Maybe you never expose your terminal to untrusted data, but that’s not the norm. Most people occasionally do things in their terminals like clone repositories and look at their READMEs, ssh to computers they don’t own, read email, even browse the web.

Note that I’m not arguing that tmux must be rewritten in rust for security. I’m saying that C code is virtually guaranteed to have vulnerabilities, and this is a major reason why people want to rewrite things in rust.

If you want to argue that tmux doesn’t have any vulnerabilities, I find that very unlikely, but you do you.

If you want to argue that rewriting tmux in rust isn’t worth the effort, you may be right, but you’re arguing against something I didn’t say.

It's also not about sticking to what I already know for me. I don't currently know FORTRAN but wish to learn FORTRAN.

There are more factors to language use than design pattern fads. Like efficiency for example, which almost any modern garbage collected or managed language cannot meet beyond a certain level. And that usually gets worse the more "powerful abstractions" one adds. I want to learn FORTRAN because I have been told it has real benefits in terms of ergonomics for efficient code, ie normal looking FORTRAN code is faster than normal looking C/C++/Rust.

Efficiency is a real, concrete and measurable quantity. It is not subject to the fad of the day.

How many users and eyes do these "low CVE" Rust, Go whatever projects have?

While I'd hardly disagree C and even C++ is lacking in memory safety compared to some newer languages, you are forgetting to normalize for sheer scale and userbase. If you have a Go project with the scale of popularity of Linux or Chrome or so on, then we can compare bug counts directly.

This conversation is about the merits of rewriting in Rust due to memory safety.

My replies have been specifically about that those merits.

The only reason other arguments have been included is because people like to expand that scope. For example where you said (and I’m paraphrasing) that tmux isn’t free from bugs. Clearly I don’t believe that any software is 100% bug free. But that doesn’t mean that rewriting tmux in rust brings any pragmatic improvements to the table when weighed up against all the other options and concerns.

That might be what you’re talking about but it sure isn’t what I’m talking about and I never said a single word about the actual merits of rewriting vs keeping something in C.

I summarized my actual statements in the previous comment. You might infer (and quite reasonably so) a claim that a rust rewrite would be more secure. But any statement about the overall usefulness of such an endeavor is solely in your imagination.

It is not suited to cases where the machine state is experienced by the user at all times (games, hardware-control, real-time transactions). It is very suited to cases where the machine is expected to act like a SSBN, disappearing from view until a large floating-point calculation is ready.