[jasonpeacock]

> But I worry about older software compiled with an older version of Rust which does not have this fixed

That's true for everything, right? Anyone running older versions of Java, Python, Ruby, Go, C++ (gcc/llvm), etc. that don't update all are exposed to unpatched security vulnerabilities, in both their 3P library dependencies, stdlib, and compilers/interpreters.

I don't see how Rust can force people to update any more than any other language.

[vbrandl]

Maybe by releasing often (every 6 weeks or out of band for bug fixes like this), they make it easier to use a current version of the compiler, in comparison to the old Java release cycle of multiple years.

Also testing the compiler against the whole ecosystem on crates.io before releasing a new version helps building trust in the backwards compatibility of new compiler versions.

So they are doing something to establish a culture where updating your compiler regularly is encouraged. I don't have actual numbers and I don't know how enterprise Rust shops handle their compiler versions, but they are doing things to encourage (not force) users to keep their compilers up to date.

[nonameiguess]

Virtually every other language has a stable ABI and dynamically links the standard library, so if you have a vulnerability in the standard library, update it and you're good to go. With Rust, you need to also recompile every program and other library on the system that uses std, which is likely all of them.

[watermelon0]

Golang, which is most used system language in the last few years, also bundles stdlib.

Additionally, quite a lot of software seems to be distributed in self-contained format; for example many Java apps (even those intended to be installed on a server) come bundled with JRE, and Linux GUI apps and games are usually distributed in Flatpak/Snap/AppImage.

Of course let's not forget about distributing software as Docker images, which is probably the most common way software is installed in many server environments.

[masklinn]

Tbf in python or java you can update the runtime without having to touch the program.