Any troopers want to implement a non-C++ version?

[taoeffect]

C/C++ and security do not mix.

These languages are ancient, prone to vulnerabilities, and should be discarded for security-related projects.

Since Ricochet has defined a protocol, it makes it easier for someone to create an implementation in safer languages.

[taoeffect]

There is also the option of using a language like Elm or ClojureScript or TypeScript and creating native desktop apps out of them using Electron or similar (& something like Cardova for mobile).

[taoeffect]

Changed title to just be "non-C++". I'll use this comment to list various safer (and interesting) languages Ricochet could be implemented in.

• Racket. If you want type checking, has Typed Racket. Has support for creating desktop GUIs and self-executing binaries.
• Rust. Is like a safe version of C++. Clunky syntax and manual memory management still, but compiler and design forces memory and thread safety.
• TypeScript, Elm, ClojureScript, CoffeeScript, ES6... etc. See previous comment for links and details.
• OCaml. Safe, performant, smart compiler, and elegant-looking syntax. However, seems to have a steep learning curve and I don't know its desktop GUI story. A superior native OCaml TLS implementation exists.
• Go. Easy to learn, simple syntax, and growing community. Supposedly some folks are developing GUI related libraries for it, but I don't know how mature they are. However, it can call out to C/C++.
• Haskell. I don't know enough about it to comment really... but it's been both praised for its safety and also critiqued for its steep learning curve and confusion surrounding lazy evaluation.

[burdges]

Meh. Ricochet should end up relatively isolated behind Tor. Is it using authenticated hidden services yet? If not, work on that first. If so, we're only facing attacks by contacts, so maybe a little quality time with valgrind first.

As for alternative language choices :

• Python has the best Tor control support via stem : https://stem.torproject.org/api/control.html Why not a simple text mode Ricochet client in Python for the paranoid people?
• Afaik Rust is the only language you list with an active effort towards a Tor control port library : https://github.com/du5t/puccinia Rust has efforts to automate the process of building Rust bindings for C++ libraries too. You could replace only the "dangerous" bits of C++ code by Rust code.
• Avoid writing non-web GUIs in Go since Go does not play so well with outside libraries.
• I love Haskell. Ain't too hard to learn either since the community is fabulous. It's fancy research language terminology does however scare off folks who might wish to contribute.

[photm5]

Me and some friends have started implementing the ricochet protocol in Haskell. It was our project at JugendHackt Berlin (A hackathon) and we’re still working on it. You can take a look at it: https://github.com/Jugendhackt/haskell-ricochet

[taoeffect]

@shak-mar That's great news! Very cool stuff! :+1: Posted a tweet. :smile:

[special]

It's entirely possible to write secure software in C or C++. Ricochet is also focused on being usable secure software, which is part of the reason for using C++; Qt gives us the ability to write a decent user interface.

There are also some prototype Go implementations by others. Maybe we should collect these on a wiki page somewhere.

https://github.com/yawning/ricochet https://github.com/s-rah/go-ricochet

[taoeffect]

It's entirely possible to write secure software in C or C++.

No one said it wasn't possible. C and C++, however, make it far more likely that the software will have security related bugs, and just bugs in general.

Maybe we should collect these on a wiki page somewhere.

I think that's a great idea!

I've started one here: https://github.com/ricochet-im/ricochet/wiki/Third-Party-Implementations-of-the-Ricochet-Protocol

[whatisgravity]

Are these just leveraging the control API and not running their own instance of Tor like richochet C++ client does?