[sesteel]

Traditionally, government people have trust issues with programming languages as the compiler is, itself, an attack vector. If you are using a nightly release of the compiler, it may be assumed by some that the compiler is not vetted for security and could inject unstable or malicious code into another critical codebase. Also, Rust is considered very young for security type work, people rightly assume there are unfound weaknesses due to the newness of the language and related libraries.

Nevertheless, the government has allowed people to use Java for decades for highly secure codebases and it has had all kinds of issues.

[apta]

> Nevertheless, the government has allowed people to use Java for decades for highly secure codebases and it has had all kinds of issues.

That's interesting. What sorts of issues? Do you have sources for further reading?

[knightofmars]

It's just a passing swipe at Java, everyone's favorite language to hate. All languages have "had all kinds of issues", which are remedied by regular maintenance cycles that patch the required elements (JVM, libs, etc) when CVEs are announced. Java is in a unique position because it has been used extensively in government contract work. Some of that work was done well and some of it wasn't, which largely was based on the capability of the contractor used to do the work. It doesn't matter (well to an extent) what language you're writing your code in if you don't apply proper security precautions (SQL injection for example). Additionally, a number of years ago _desktop_ and _applet_ Java caused major security problems for businesses and governments (similar to the problems with Adobe Flash).

[sesteel]

I don't hate Java, it is a tool like any other. I only bring it up because I have extensive experience with it being used in the government realm.

It was not a passing comment. Exporting sensitive systems to other countries takes special care. There are hoops to jump through and Java made that job more difficult throughout the years. Many times you don't know a system will be exported until you have already built the system.

Additionally, Java went through a period where vulnerabilities were found frequently but the patches took time to develop and deploy.

[knightofmars]

I apologize if that came off wrong, the "everyone's favorite language to hate" was tongue-in-cheek and not intended to infer you had an outright hatred of Java. As a parallel in the past I did government contract work (though mine was probably more limited than what you seem to be implying) with Java systems as well.

[sesteel]

No worries; I'm just trying to be clear.

[moksly]

Governments have issues with non-stable code because it changes rapidly, is untested and a security risk. Facebook moves fast and break things.

I think it exposes a key difference between a FAANG company and a lot of other development though. Because most of use simply use the programming languages as tools, but Facebook is actually going to change the Rust language to fit their needs.

[steveklabnik]

> Facebook is actually going to change the Rust language to fit their needs.

... hm?

[cj]

Related:

> Facebook was initially coded in pure, vanilla PHP, but over the years, [they] needed more capabilities [...] so, FB developed their own proprietary programming language based on PHP, which they dubbed Hack."

https://www.quora.com/Is-Facebook-still-coded-in-PHP

[steveklabnik]

Okay, so this is speculation, basically. I thought that may be what the parent was saying, but wasn't sure.

[pjmlp]

Beyond applets, which sandbox wasn't as good a thought out, and even JavaScript suffers from issues to this day like cross site scripting and bitcoin mining,what are those Java issues in regular desktop and JEE/Spring servers?