Timeline for Why does the US government disallow dynamic languages for secure projects?
Current License: CC BY-SA 3.0
32 events
| when | what | | by | license | comment |
|---|---|---|---|---|---|
| Nov 5, 2014 at 21:39 | answer | added | nobody | timeline score: 3 | |
| Nov 5, 2014 at 15:59 | answer | added | Roman Starkov | timeline score: 6 | |
| Jan 29, 2014 at 21:13 | comment | added | Andres F. | @romkyns But that's not what I said. As a fan of static typing, I'm well aware it gets rid of whole categories of bugs, which is what I argued ("another layer that helps the correctness [...]"). I wouldn't use dynamic typing for mission-critical software. | |
| Jan 29, 2014 at 20:42 | comment | added | Roman Starkov | @AndresF. It won't get rid of all bugs but it sure makes a whole category of bugs impossible. Saying it doesn't get rid of bugs is severely understating it... | |
| Jan 25, 2014 at 11:40 | history | notice added | maple_shaft♦ | Needs detailed answers | |
| Jan 25, 2014 at 11:39 | history | protected | maple_shaft♦ | ||
| Aug 10, 2013 at 6:21 | comment | added | jk. | @gbjbaanb You are right, I'd expect HR data for forces to be at least secret if not top secret. However, the software might be a lower level if it doesn't hold real data yet | |
| Aug 3, 2013 at 23:18 | comment | added | GrandmasterB | When dealing with a large organization of any type, there's a reasonably decent chance that the requirements are largely arbitrary and/or political. But I agree with Ramhound, the only ones who can answer this for sure are the people who are putting it in the requirements. | |
| Aug 1, 2013 at 16:14 | comment | added | Ramhound | @Patrick We can speculate until the end of time why Ruby wasn't allowed in your project. At the end of the day Ruby wasn't allowed because per the requirements and specifications of the project it was determined supporting Ruby would cause a problem. The best way to understand the specific reasons is to have those people find out what those reasons are. We can only speculate as a community, through personal experience; most of the speculation, while it has merits, is simply wrong. The US Military has no problem using dynamic programming languages; it's often used when it's called for and approved. | |
| Aug 1, 2013 at 15:44 | vote | accept | Patrick | ||
| Aug 1, 2013 at 4:16 | comment | added | Patrick | @gbjbaanb The type of data in this system is along the lines of: what food was eaten at each meal, amount/type of exercise, and a public q&a about health. The term HR data was a little misleading, it's more about general health & habits | |
| Aug 1, 2013 at 4:15 | answer | added | Michael Jasper | timeline score: 32 | |
| Aug 1, 2013 at 2:45 | comment | added | isekaijin | Statically typed languages, especially those with few or no type safety escape hatches, let you prove things about the behavior of your code, which provides immense help when designing and implementing security-critical systems, where the dynamic language quality assurance standard "dunno, man, try it and see" is simply not enough. Forgetting tiny ad-hoc details like the inconsistency between nil.to_s and [nil].to_s in Ruby is one major source of bugs in programs. | |
| S Jul 31, 2013 at 22:37 | history | suggested | Peter Mortensen | CC BY-SA 3.0 | Copy edited. |
| Jul 31, 2013 at 21:57 | review | Suggested edits | |||
| S Jul 31, 2013 at 22:37 | |||||
| Jul 31, 2013 at 12:12 | comment | added | Andres F. | @gbjbaanb I guess the OP meant that loss of life is not the worst case scenario here. | |
| Jul 31, 2013 at 11:23 | comment | added | gbjbaanb | HR data is not "low security level". I'd expect a company to keep my employment and personal data as secure as they could. | |
| Jul 31, 2013 at 11:14 | comment | added | Walter Mitty | I hesitate to provide an answer, because this is outside my area of expertise. I will offer the opinion that dynamic languages create an environment where decidability is orders of magnitude more difficult than in static languages. In dynamic languages, the distinction between "code" and "data" becomes somewhat subjective. An object can be data in one context, and the same object can be code in some later context. | |
| Jul 31, 2013 at 10:51 | answer | added | Martin Wickman | timeline score: 2 | |
| Jul 31, 2013 at 10:13 | answer | added | Sulthan | timeline score: 13 | |
| Jul 30, 2013 at 22:05 | comment | added | Greg Hendershott | There are "dynamic" (in the sense of duck typing) languages that don't allow the sort of monkey-patching you can do in Ruby or JS. I'd guess the monkey-patching is the worrisome aspect, not so much the duck typing per se? | |
| Jul 30, 2013 at 20:45 | history | tweeted | twitter.com/#!/StackProgrammer/status/362312981423460353 | ||
| Jul 30, 2013 at 18:03 | comment | added | Tulains Córdova | You don't want missile control software written in PHP + JavaScript. | |
| Jul 30, 2013 at 17:52 | comment | added | Robert Harvey | Possibly relevant: williamedwardscoder.tumblr.com/post/42912076785/… | |
| Jul 30, 2013 at 17:51 | comment | added | Patrick | @RobertHarvey Unfortunately I do not have access to the rejection reason, this is what I got from a person on that team | |
| Jul 30, 2013 at 17:46 | comment | added | Steven Evers | Maybe I'm just pontificating here, but what would define the speed of adoption as being slow or fast? Does the ability to ship a website written using a language justify it as suitable for adoption? Maybe a functional IDE? Or does the ability to statically analyze for known classes of security vulnerabilities define a language as being adoptable? | |
| Jul 30, 2013 at 17:27 | answer | added | Bill | timeline score: 50 | |
| Jul 30, 2013 at 16:32 | answer | added | user40980 | timeline score: 125 | |
| Jul 30, 2013 at 16:21 | answer | added | Thomas Owens♦ | timeline score: 33 | |
| Jul 30, 2013 at 16:17 | comment | added | Andres F. | Only way to know for sure is if your acquaintances ask their employers for the reason. But I can risk a guess: static type checking is another layer that helps the correctness of mission-critical software. It won't get rid of bugs, of course, but it's a step in the right direction: the computer is doing some of the work for you. (Yes, I'm aware this is holy wars territory). | |
| Jul 30, 2013 at 16:16 | comment | added | Robert Harvey | I think it's a little more than that... Do you have the actual rejection reason? Which branch of the military was it? | |
| Jul 30, 2013 at 16:11 | history | asked | Patrick | CC BY-SA 3.0 |