> I think that’s missing the point I was trying to make.

I think Daniel Stenberg missed the point of some of the comments. (At least the prominent ones I saw.)

> We use C for a whole range of reasons as I tried to lay out there in spite of the security challenges the language brings.

The availability and practicality of old ecosystems are valid justifications, but it's orthogonal to the "memory bugs caused by the language vs the human". There's nuance and you have to distinguish multiple conversations:

1) curl should have been written in a memory safe language (past tense)

2) curl should be rewritten in a memory safe language (future tense -- e.g. maybe use Rust)

3) setting aside curl's 19 years of wide deployment challenges, D.S. could have been a better spokesman for the benefits of memory safe languages

Daniel's response is mostly to #1. However, some of the criticism is really conversation #3. Understandably, #3 is somewhat harder for D.S. to adopt because it requires distancing himself from the 19 years of curl as a successful utility and instead considering how a language's design affects programmers' bug count. Many felt that D.S. citing curl's bugs as "human logic errors" instead of "language-induced errors" undermines his point when conversation #3 is the framework.

So maybe some of the new nitpicking of counting CVE bugs is more about conversations #2 & #3. #2 may not be realistic for another 10 years... or maybe never because of various deployment hurdles. However, we can still discuss #3.