12 votes The lead developer of curl analyzed its known security vulnerabilities and determined that half of them are related to it being written in C Posted March 9 by Deimos Tags: security, programming languages, c, curl https://daniel.haxx.se/blog/2021/03/09/half-of-curls-vulnerabilities-are-c-mistakes/ Link information This data is scraped automatically and may be incorrect. Title half of curl's vulnerabilities are C mistakes Authors Daniel Stenberg Published Mar 9 2021 Word count 1528 words 2 comments Collapse replies Expand all Comments sorted by most votes newest first order posted relevance OK  drannex March 9 Link Doesn't surprise me. C is a great language, and required for a lot, but because is is C you have a lot of issues, especially when dealing with varying degrees of safety and data. I love writing in... Doesn't surprise me. C is a great language, and required for a lot, but because is is C you have a lot of issues, especially when dealing with varying degrees of safety and data. I love writing in C, but for the most part the last few months I've been switching to D, which is basically C with some OOP built right in, and a relatively decent garbage collector. it's what C should have become (and what C++ always wanted to be). The fact that strings aren't even directly manageable in C, and the 'suggested' functions to bring in strcopy and the like are incredibly inefficient (and even unsage, and has about 4 other replacements that have varying degrees of safety and suggestion for doing the most basic thing of copying a string is a lot of issues that have driven me up a damn wall) and since C doesn't have any sort of core library to handle these things, the different implementations will be used sporadically throughout any program and that leads to a lot of issues. And this can be said for 90% of C's higher language functions - which are required for most programs these days. Sure, you could write almost everything using your own boilerplate or header file but you will be spending weeks reworking the wheel over and over and then you will have your own security issues galore that no one else will understand. C is a great language, especially for operating systems, but anything outside of that and there are worthy replacements that will fit right in with minimal dependencies (I will mention D, once more, because it's an abstracted low level, compiled language that isn't just a wrapper or transpiled language for C like most languages these days and much more stable and useable than Rust that changes every few versions breaking projects. I can spin up a D repo from six years ago, and it'll still likely run very well with minimal, if any, changes). 2 votes Moonchild March 9 Link Parent I'm not a fan of d's deprecation cycles. Most older code won't work at all, but the deprecation cycle makes it hard to make important larger breaks like @safe-by-default. much more stable and useable than Rust I'm not a fan of d's deprecation cycles. Most older code won't work at all, but the deprecation cycle makes it hard to make important larger breaks like @safe-by-default.