Linus Torvalds told attendees of the Open Source Summit Europe conference today that he is hopeful the foundational work needed to add support for the Rust programming language will be laid in a forthcoming version 6.1 of the Linux operating system.
It would take several additional releases of Linux to add full support for Rust, but the ability to more easily build and deploy applications written in Rust will go a long way toward improving the overall state of application security on Linux platforms.
The Open Source Security Foundation (OpenSSF), an arm of the Linux Foundation, has called for replacing programming languages like Java that are not memory-safe as part of a larger plan to secure open source software supply chains. Rust is a memory-safe language that employs a compiler to track the ownership of values that can be used once and a borrow checker that manages how data is used without relying on traditional garbage collection techniques.
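
The ownership and borrowing rules described above can be seen in a short program. This is an added example, not code from the Linux kernel or the Rust project; the `Buffer` type and the function names are hypothetical. It records when each buffer is freed, showing that memory is released at a point fixed by ownership rather than by a garbage collector, and that an out-of-range read returns `None` instead of touching adjacent memory.

```rust
use std::cell::RefCell;
use std::rc::Rc;

type Log = Rc<RefCell<Vec<String>>>;

// Hypothetical heap-backed buffer; records when its memory is released.
struct Buffer { name: &'static str, data: Vec<u8>, log: Log }

impl Drop for Buffer {
    // Runs exactly once, when the single owner goes out of scope.
    fn drop(&mut self) { self.log.borrow_mut().push(format!("free {}", self.name)); }
}

// Shared borrow: may read, cannot free or mutate. Out-of-range index yields None.
fn read_at(buf: &Buffer, i: usize) -> Option<u8> { buf.data.get(i).copied() }

// Exclusive borrow: the only live reference while it mutates.
fn append(buf: &mut Buffer, b: u8) { buf.data.push(b); }

// Takes ownership: the caller can no longer use `buf`; it is freed on return.
fn consume(buf: Buffer) -> usize { buf.data.len() }

fn demo() -> Vec<String> {
    let log: Log = Rc::new(RefCell::new(Vec::new()));
    let mut a = Buffer { name: "a", data: vec![1, 2, 3], log: log.clone() };
    append(&mut a, 4);
    log.borrow_mut().push(format!("in range: {:?}", read_at(&a, 3)));
    log.borrow_mut().push(format!("past end: {:?}", read_at(&a, 9)));
    {
        let _b = Buffer { name: "b", data: vec![0; 8], log: log.clone() };
    } // `_b` is freed here, at scope end, with no collector involved
    let n = consume(a); // ownership moves into `consume`; `a` is freed inside it
    // read_at(&a, 0); // would not compile: use of moved value `a`
    log.borrow_mut().push(format!("consumed {} bytes", n));
    let out = log.borrow().clone();
    out
}

fn main() {
    for line in demo() { println!("{}", line); }
}
```

Uncommenting the `read_at(&a, 0)` line turns a would-be use-after-free into a compile-time error, which is the class of bug the ownership model removes.
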
Earlier this week, the Rust Foundation allied with OpenSSF and JFrog to address other security issues that might arise as applications are developed in Rust.
It’s not clear just how many developers are adopting Rust, but Torvalds said he personally was looking forward to learning the Rust syntax—using a recently acquired laptop based on an Arm processor—should the maintainers of Linux approve the effort. However, Torvalds also left open the possibility that adding support for Rust might not be as successful as initially hoped.
Torvalds also bemoaned the overall state of cybersecurity transparency at the operating system level. Many of the bugs that are encountered at the hardware level cannot be shared with the entire open source community, so any fix for those bugs is not subject to the same level of peer review as the rest of the operating system. The overall situation is improving, but it’s still very painful from a development perspective, he said, adding that secrecy is counter to the open source ethos.
As new applications are built using a memory-safe programming language, the overall security posture of an organization will steadily improve. The challenge, of course, is that the number of developers who know how to build applications using those languages is still relatively small. Replacing trillions of lines of code that have already been constructed using a variety of legacy non-memory-safe languages also represents a gargantuan task that might never be fully completed—but shifting to a modern programming language is a major step in the right direction when it comes to application security.
There may even come a day when the way applications are coded is a lot more secure by default than it is today. That may not necessarily resolve every application security issue, but as the programming languages become inherently more secure, the pressure on developers to become cybersecurity experts should ease—assuming, of course, they are willing to learn a new way to write code.