Ok, but when I read that article on TheRegister, it also linked to this not-totally-unrelated story below [0]. And I guess whenever the Crowdstrike/Microsoft/Delta Airlines litigation gets resolved we'll get a better idea who is/isn't actually considered to be liable for bugs in cybersecurity. (And there was no (publicly-disclosed) liability lawsuit for Salt Typhoon that I'm aware of, even though that breach is far more damaging.)
I wish they would have gone more in-depth about the current compiler work, such as stack defenses or -fbounds-safety. It should cover OOB read and write safety, which is 70-80% of C's memory vulnerabilities, for a marginal performance overhead and with ABI compatibility.
Because C and C++ are not Python; they are ISO standards with multiple implementations, from a mix of vendors.
While such improvements are very much welcomed, not everyone uses clang, nor does clang support every kind of computer and OS used in the world.
mimd 28 days ago [-]
Since the rest of the advisory is demanding full-scale rewrites into a new language based on LLVM that has officially neutered its gcc port, I don't think they really care about those sorts of concerns. Hence my annoyance at their proposal. The fbounds devs do, as the design allows for modified source to still be compilable in alternative toolchains that do not support fbounds (you can remove them via macros), and they are working to add it to gcc. And I don't think it's going to matter much soon if it's limited to gcc/llvm, as all the proprietary vendors left and right are dropping their 30+ year compilers to piggyback off LLVM (I don't exactly agree with this btw, but it is what it is).
[0]: "Abandoned AWS S3 buckets can be reused in supply-chain attacks that would make SolarWinds look 'insignificant'" https://www.theregister.com/2025/02/04/abandoned_aws_s3/
https://clang.llvm.org/docs/BoundsSafety.html
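The "annotate, but stay compilable elsewhere" design mentioned in the thread, as an added example written for this page (it is not code from the Clang project, from ptrcheck.h, or from any commenter). The wrapper macro COUNTED_BY is my own name; it assumes the toolchain exposes the annotation as the `counted_by` attribute on a flexible array member (recent clang and gcc do, and `__has_attribute` reports it), and on any other compiler it expands to nothing so the struct still compiles. The explicit index check in `msg_get` is what keeps the code safe when the annotation is stripped and no bounds instrumentation is active; the sample message and index list are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper (not from ptrcheck.h): keep the counted_by annotation
 * where the compiler understands it, drop it silently everywhere else so the
 * same source builds on toolchains without bounds-safety support. */
#if defined(__has_attribute)
#  if __has_attribute(counted_by)
#    define COUNTED_BY(field) __attribute__((counted_by(field)))
#  endif
#endif
#ifndef COUNTED_BY
#  define COUNTED_BY(field)
#endif

/* Constructed message type: len states how many bytes of data[] are valid.
 * The count field must be declared before the flexible array it describes. */
struct msg {
    size_t len;
    uint8_t data[] COUNTED_BY(len);
};

/* Allocate a message and copy n bytes into it; returns NULL on failure. */
struct msg *msg_new(const uint8_t *src, size_t n) {
    struct msg *m = malloc(sizeof *m + n);
    if (m == NULL) return NULL;
    m->len = n;
    memcpy(m->data, src, n);
    return m;
}

/* Bounds-checked read: 0 on success, -1 if i is outside the valid bytes.
 * This check is the portable safety net; with -fbounds-safety or
 * -fsanitize=bounds the annotation lets the compiler trap the same access. */
int msg_get(const struct msg *m, size_t i, uint8_t *out) {
    if (m == NULL || i >= m->len) return -1;
    *out = m->data[i];
    return 0;
}

/* Demo: read a constructed list of indices from a 4-byte message and return
 * how many reads were rejected as out of bounds. */
int count_rejected(void) {
    const uint8_t payload[4] = { 0x10, 0x20, 0x30, 0x40 }; /* constructed */
    const size_t idx[] = { 0, 2, 3, 7, 100 };              /* constructed */
    struct msg *m = msg_new(payload, sizeof payload);
    if (m == NULL) return -1;

    int rejected = 0;
    for (size_t k = 0; k < sizeof idx / sizeof idx[0]; k++) {
        uint8_t b;
        if (msg_get(m, idx[k], &b) != 0) rejected++;
    }
    free(m);
    return rejected; /* 2: indices 7 and 100 lie past the 4 valid bytes */
}

int main(void) {
    printf("rejected out-of-bounds reads: %d\n", count_rejected());
    return 0;
}
```

Building with a clang that supports -fbounds-safety keeps the annotation and lets the compiler enforce it; building with any other compiler drops it and relies on the explicit check in `msg_get`, which is the property the comment above describes.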