Purpose of this page:
Provide pointers to security-related informations that show Tcl is doing the right thing.
Sarnold: although lots of system applications are written in C/C++, we can consider that writing a new application in these languages is a lot more work, and lead to security holes.
And scripting languages are now strong, so according to Ousterhout's Dichotomy, we should write in C/C++/Java the critical part of the application that cannot be written in a scripting language, or would be unbeareably slow.
The rest of this page is trying to compare Tcl security against other programming languages to serve Tcl marketing. (Of course, we will exclude C/C++/whatever compiled language from this comparison)
- Tcl is immune to many "format string vulnerabilities"
- Tcl programs are immune to buffer overflows (as long as the Tcl interpreter is)
- No Y2K bug
- Full Unicode support, where most other languages need special syntax and still have problems handling UTF-8 strings.
- Tcl can be compiled with Threads. AOLServer has been multithreaded long before Apache/PHP.
- Backwards-compatibility: Tcl provides the best effort in this dimension.
- Safe interps makes it possible to run user-defined scripts without fearing an attack.
About safe interps: it is a feature missing in almost every other language (Java has a similar functionality, but with such complexity that I cannot even think of it).
- You do not have to check nils as in Java, Python, Lua...
- It is easy to manage Tcl packages. With starkits and starpacks, deployment is easy. You would not ask yourself a long time what package is outdated or missing to make work your application.
- Prowrap and ActiveState tools can encrypt the sources.
- Although there is no official debugger, interactive debugging in GUI mode is terrific. Just embed tkcon in your project and you have a full control on your application under your fingertips.
- There is a huge testing work that has been done on the Tcl interpreter, as well as the Tk toolkit. Tcl has been ported to a wide range of existing systems. Tk is one of the most well-tested GUI toolkits.
[ Tcl Marketing | Category Security ]