by lelanthran 1463 days ago
I'm not saying that a large number of CVEs won't be prevented in Rust, I'm saying that so few bugs are CVEs that the trade-off is not always worth it.

If you have 1000s of bug reports, of which 5 are CVEs, and then have 3 of those 5 be preventable, most dev teams are still going to consider the cost/benefit of going through the pain of developing a long-term product in Rust, or of switching to Rust altogether.

> of which 5 are CVEs

Those 5 are just the ones you know about...

> Those 5 are just the ones you know about...

It's pointless making a cost/benefit analysis on things that probably don't exist.

I suppose it comes down to risk assessment; if those CVEs are critical “fix this now or the world catches fire”, then their relative infrequency seems to be outweighed by their impact, no?

> I suppose it comes down to risk assessment; if those CVEs are critical “fix this now or the world catches fire”, then their relative infrequency seems to be outweighed by their impact, no?

No.