Opinion Linus Torvalds is happy to tell you that Linux release numbers aren’t a big deal.
As the Linux supremo said of the 6.0 release: “Despite the major number change, there’s nothing fundamentally different about this release – I’ve long eschewed the notion that major numbers are meaningful, and the only reason for a ‘hierarchical’ numbering system is to make the numbers easier to remember and distinguish.”
With 6.1, however, there is something fundamentally different. For the first time in Linux’s history, in addition to C, you’ll be able to use another language, Rust, for kernel development.
Why? As Wedson Almeida Filho of Google’s Android Team said, “We feel that Rust is now ready to join C as a practical language for implementing the kernel. It can help us reduce the number of potential bugs and security vulnerabilities in privileged code while playing nicely with the core kernel and preserving its performance characteristics.”
Specifically, as Alex Gaynor and Geoffrey Thomas explained at the 2019 Linux Security Summit, almost two-thirds of Linux kernel security holes [PDF] come from memory safety issues. And where do they originate? Inherent weaknesses in C and C++. Rust, on the other hand, dodges these issues by using far safer application programming interfaces (APIs). Rust is simply safer than C.
Recently, the US National Security Agency (NSA), which is in charge of securing code as well as breaking it, suggested that one of the best things you can do for your program’s security is to use memory-safe languages such as Rust instead of C. Of course, there are other such languages, such as Swift, Go, or C#, but they don’t lend themselves for the kind of low-level programming needed for an operating system.
This isn’t just a theory. It works. Google, for example, is now using Rust extensively in Android. There the “goal is not to convert existing C/C++ to Rust, but rather to shift development of new code to memory-safe languages over time”
The result? “As the amount of new memory-unsafe code entering Android has decreased, so too has the number of memory safety vulnerabilities. From 2019 to 2022 it has dropped from 76 percent down to 35 percent of Android’s total vulnerabilities. 2022 is the first year where memory safety vulnerabilities do not represent a majority of Android’s vulnerabilities.” That’s not too shabby.
Of course, just because something is safer didn’t mean that everyone wanted to adopt it. After all, developers have spent almost 30 years working on Linux in C. Developers were all concerned about the sheer amount of work needed to bring Rust into Linux. For example, to get the Rust Linux NVMe driver to work, 70 non-standard Rust extensions were needed.
But, as Torvalds told me earlier this year, “We’ve been using exceptions to standard C for decades.”
If you’ve cut your programming teeth on C and sleep with a copy of K&R under your pillow, don’t worry. Rust will not be replacing C in the kernel anytime this decade.
As Torvalds has explained, Rust will “just have the core infrastructure (i.e. no serious use case yet).” Specifically, you can expect to see Rust make its first appearance in Linux drivers.
Miguel Ojeda, a Linux kernel developer who spearheaded efforts to bring Rust into the kernel, added: “The kernel is a huge project with a lot of stakeholders. Since the beginning, it was clear that adding a second ‘main’ language to the kernel would have both technical and management challenges.”
So, Ojeda explained, the first Rust work you’ll see in the Linux kernels will be “Rust abstractions for subsystems and write drivers and other modules.”
What does that mean for old-school developers? In Ojeda’s introduction to his latest patch set, he said, “the facilities introduced are part of the ‘Rust core.’ They do not interact with the C side in new major ways (no new C types used; only
memchr, additional error codes, and some more
printk format strings).”
Ojeda also added, “Virtually all the code has been in linux-next for months.”
In other words, Rust is being slowly and steadily introduced into the kernel. There are no quick changes being shoved down kernel developers’ throats. Indeed, most of these most recent changes won’t even be making it into the 6.1 kernel. They’re much more likely to make their first appearance in the 6.2 kernel.
But, with the release of 6.1, which, fingers crossed, should appear on December 12, Rust will officially make Linux a two-language operating system. And, that, my friends, is big news indeed. ®