[zeveb]

> curl is currently one of the most distributed and most widely used software components in the universe, be it open or proprietary and there are easily way over three billion instances of it running in appliances, servers, computers and devices across the globe. Right now. In your phone. In your car. In your TV. In your computer. Etc.

And every one of those three billion devices is vulnerable, due to the use of C.

> I feel a need to underscore the fact that none of the memory safe languages anyone would suggest we should switch to have been around for 19 years

False: Common Lisp has been around since 1994 (23 years), and in substantially the same shape for longer still. Standard ML has been around since 1990 (27 years). OCaml has been around since 1996 (21 years). Smalltalk has been around since 1984 (33 years). Each of those languages is more memory-safe than C and has facilities which help prevent other C-like errors. Each is capable of speeds approaching that of C, esp. for a problem like URl fetching (e.g. I just tried fetching http://www.google.com/ with both curl & DRAKMA — a Common Lisp package for URL fetching: curl reliably ran in about .065 seconds & DRAKMA reliably ran in about .14 seconds; I have no reason to believe that DRAKMA is particularly well-optimised; no doubt it could get even faster if desired).

I think this really is a textbook example of the Blub Paradox: someone using C thinks that for the most part it's a reasonable choice in order to achieve certain goals, while someone used to a better language is able to see that C is simply unfit for purpose: programs written in it will inevitably have security flaws which will inevitably cause harm — particularly when three billion devices, many unpatched, are running them.

[kazinator]

Another thing: Drakma also isn't anywhere near 150,000 LOC:

  $ time git clone https://github.com/edicl/drakma.git
  Cloning into 'drakma'...
  remote: Counting objects: 991, done.
  remote: Total 991 (delta 0), reused 0 (delta 0), pack-reused 991
  Receiving objects: 100% (991/991), 343.00 KiB | 0 bytes/s,  done.
  Resolving deltas: 100% (610/610), done.
  Checking connectivity... done.

  real	0m1.476s
  user	0m0.148s
  sys	0m0.060s

  $ cd drakma
  drakma $ find . -name '*.lisp' -o -name '*.asd' | xargs wc -l
     868 ./request.lisp
     107 ./encoding.lisp
     122 ./read.lisp
     281 ./specials.lisp
      75 ./packages.lisp
     123 ./test/drakma-test.lisp
     333 ./cookies.lisp
      63 ./drakma.asd
     109 ./conditions.lisp
      37 ./drakma-test.asd
     357 ./util.lisp
    2475 total

[pjmlp]

> I think this really is a textbook example of the Blub Paradox:....

It was already like that in the 90's.

When I learned C, I was using Turbo Pascal 5.5 and getting up to speed with newly released Turbo Pascal 6.0.

Besides the improved portability over Pascal dialects, I didn't saw any compelling feature over what Turbo Pascal was capable of.

[kazinator]

We should stop using Pythagoras' a^2 = b^2 + c^2. The last commit to that was like 2500 years ago. (Core engine only, not counting some syntactic sugar).

[snakeanus]

> And every one of those three billion devices is vulnerable, due to the use of C. Due to the use of unsafe C implementations.

You would have the same problems if you used an unsafe CL or rust implementation.