Linus Torvalds: C vs. Rust Debate Has ‘Religious Undertones’
VIENNA — C and Rust contributors to the Linux kernel have run into a collision course, erupting in a controversy that Linus Torvalds, Linux’s creator, described as having “almost religious war undertones.” During today’s Open Source Summit keynote here, Torvalds said that while the controversy involves healthy arguments, some are becoming very negative.
The contention between the two camps erupted when one of the kernel maintainers, who is also a C programmer, quit over “non-technical nonsense” involved in adapting a C plugin for Rust.
Torvalds likened the controversy to the vi versus emacs cultural wars over which was the superior text editor, also known as the “editor wars.”
“I think I actually enjoy it. I enjoy arguments. I think one of the nice parts about Rust has been how it’s livened up some of the discussions, and some of the arguments get nasty… I think it shows how much people care. At the same time, I’m not quite sure why Rust has been such a contentious area,” Torvalds said. “It reminds me of when I was young, and people were arguing about vi versus emacs, but for some reason, the whole Rust versus C discussion has taken almost religious overtones in certain areas.”
Kernel developers: @Linus__Torvalds at #OSSummit: « For some reason the whole @rustlang versus C discussion is taking almost religious overtones. » @thenewstack pic.twitter.com/6TL7CaViRK
— BC Gain (@bcamerongain) September 16, 2024
Cultural Clash
At issue is a cultural clash between the C language and the Rust language when it comes to submitting changes across language boundaries. Modifying something that’s a C interface on behalf of Rust people might make sense from the Rust point of view (and vice versa), while the C people seek Rust contributions to plug into C.
The controversy traces back to over three years ago when the idea was introduced that Rust, offering certain security benefits that C did not, could become part of the kernel and potentially replace it. Despite this, the project didn’t come to a standstill.
For example, the famous buffer overflow hacks or vulnerabilities that could be generated with C and a CPU have now become almost outdated. While Rust offers certain security features and drawbacks, it’s also much harder to learn compared to C, which is easier to grasp.
Earlier this month, Wedson Almeida Filho, a Microsoft engineer, wrote in a message that he was “removing” himself as a maintainer of the Rust for Linux project.
“I am retiring from the project. After almost four years, I find myself lacking the energy and enthusiasm I once had to respond to some of the non-technical nonsense, so it’s best to leave it up to those who still have it in them.
“To the Rust for Linux team: thank you, you are great. It was a pleasure working with you all; the times we spent discussing technical issues, finding ways to address soundness holes, etc., were something I always enjoyed and looked forward to. I count myself lucky to have collaborated with such a talented and friendly group.
“I wish all the success to the project. I truly believe the future of kernels is with memory-safe languages. I am no visionary, but if Linux doesn’t internalize this, I’m afraid some other kernel will do to it what it did to Unix.”
He also made reference to a YouTube video on Filesystem in Rust: “To reiterate, no one is trying to force anyone else to learn Rust nor prevent refactorings of C code,” Ojeda wrote.
As Torvalds described today, C is a relatively “simple language,” and that is “one of the reasons I enjoy C, and why a lot of C programmers enjoy C — even if the other side of that picture is that because it’s simple, it’s also very easy to make mistakes,” Torvalds said. “Rust, on the other hand, is a very different thing. There are a lot of people who are used to the C model, and they don’t necessarily like the differences, and that’s okay.”
Divided Schools
Meanwhile, the two C and Rust schools are largely divided. “There are people who just don’t like the notion of Rust and having Rust encroach on their area… People have even talked about the Rust integration being a failure. I’ve mentioned that I don’t think so — we’ve been doing this for a couple of years now, so it’s way too early to even say that,” Torvalds said. “But I also think even if it were to become a failure (and I don’t think it will), that’s how you learn. So, I see the outreach thing as positive, even if the arguments are not necessarily always so.”
The challenge is the idea that a memory-safe architecture makes certain assumptions about the infrastructure, Torvalds said. “It’s the infrastructure people who might be scared, as an example, but it has become very public. It’s the infrastructure people who seem to resist some of the changes. To be fair, I mean, we’ve done a lot of changes to the C infrastructure too,” Torvalds said. “The kind of code the kernel does is not normal C. It’s not just that we write things in a certain way, it’s also that we have a lot of tools on the C side that enforce infrastructure rules that are not part of the language,” Torvalds said. “Part of this is our locking safety. We actually do have a lot of memory safety infrastructure on the C side that is not technically part of C itself — it’s part of our infrastructure for the kernel, where we have debug builds that make the kernel go much slower, but they test a lot more of the memory safety stuff.”
Obviously, Rust and C each have their benefits, and Rust lovers offer great arguments in their favor (the code is good once it’s compiled, more extensive, etc.) while workhorse C is easier to learn and benefits from decades of use. The context applies to the very kernel-centric development of eBPF.
As Liz Rice, chief open source officer, Isovalent at Cisco, told The New Stack, Rust is newer and has “really strong benefits, but not everybody immediately knows how to write Rust. A lot of people who are working on the eBPF subsystem in the kernel are not going to suddenly turn around and learn Rust so they can do their job, right?” Rice said. “I’ve seen people talking about that as in, ‘Oh, well, why do we need the eBPF verifier? If we did everything in Rust, then you removed it,’” Rice said. “But I think that’s not quite understanding the full purpose of the eBPF verifier when people say that. You can have eBPF code written in Rust and compiled to eBPF bytecode, so if you’re a Rust developer who wants to write eBPF, you can do that.”
As Polar Signals CEO and founder Frederic Branczyk told The New Stack: “There are plenty of examples in Rust where you have to do some unsafe stuff, and then you build a safe abstraction on top of that,” Branczyk said. “So, like, I’m definitely not of the opinion that Rust is going to be the savior of everything. I’m a big Rust fan, by the way, but I think C is actually a pretty good language to write an operating system, but Rust can do a lot of the job as well.”
