[chipdart]

> The constant stream of CVEs (...)

It's a function of popularity and widespread use. The only languages that do not feature CVEs are the ones that are not used.

Eve Rust started to feature in CVEs, including memory safety problems in it's standard library. Somehow that fact is omitted from these discussions.

> (...) even experts failing to use those languages correctly (...)

I couldn't help noticing you felt the need to resort to weasel words like "correctly" to add color to an unsubstantiated personal assertion.

What's the best example you can come up with to support your opinion?

> C++ isn’t horrible but it’s harder to use, harder to find good developers (...)

This personal assertion is comical, as recruiters are systematically targeting C++ developers for Rust positions, and Rust is notoriously bad for newbies to onboard onto.

I'd prefer these debates were kept at an objective and substantiated level, but it seems that's too much to ask. It seems it's easier to throw unsubstantiated claims around and wait to see if half the bullshit sticks.

[acdha]

> Somehow that fact is omitted from these discussions.

Oh, please. Nobody is saying that Rust is perfect, only that the defect rate in normal usage is considerably lower and tend to be concentrated in areas like “unsafe” blocks rather than spread randomly around the code base.

> I couldn't help noticing you felt the need to resort to weasel words like "correctly" to add color to an unsubstantiated personal assertion. … This personal assertion is comical, as recruiters are systematically targeting C++ developers for Rust positions, and Rust is notoriously bad for newbies to onboard onto.

“Correctly” isn’t a weasel word, especially not in the context of describing how a program functions. I was referring to the common excuse that has cropped up over decades where language proponents try to blame problems on the user rather than acknowledging that certain features are hard to use safely.

I’ve been hearing people say that C/C++ are fine and you just need better programmers since the 90s, which has not been an effective strategy in reducing the number of security vulnerabilities. My comment about easier to learn was written in the context of reaching the level needed to reliably write safe code, not just producing a compilable program which doesn’t immediately crash since even large, elite teams with enormous resources struggle with memory safety bugs in large C/C++ code bases.

For example, Android reports halving their code rollback rate and a significant reduction in the number of vulnerabilities by switching to memory-safe languages. Clearly relying on programmer vigilance and testing was not as effective as picking tools which made certain classes of error much harder.

https://security.googleblog.com/2024/09/eliminating-memory-s...

[chipdart]

> Oh, please. Nobody is saying that Rust is perfect (...)

This is the kind of fallacies that dominate Rust fanboy's discourse.

You start off by mindlessly commenting on "constant stream of CVEs", but when you're faced with the reality that Rust also piles up CVEs then you start to try to move goalposts around. Odd how you switched from CVE talk to vague allusions of "perfection", as if now CVEs don't matter.

That's the problem with your type of fanaticism: you stop makint technical claims and instead resort to sweeping baseless accusations,as if that was a positive trait on a language and it's community.

> “Correctly” isn’t a weasel word, especially not in the context of describing how a program functions.

It is. There is no way around it.

> My comment about easier to learn was written in the context of reaching the level needed to reliably write safe code (...)

Again with the goalpost-moving/weasel word combo.

Rust is notoriously unfriendly to beginners and imposes an unparalleled learning curve. Around a quarter of new developers outright give up and quit over how unusable it is to them. This is acknowledged by the Rust community itself as demonstrated by the last annual Rust survey. There is no way around it. I don't know why anyone would try to waste time handwaving over this.

> For example, Android reports halving their code rollback rate and a significant reduction in the number of vulnerabilities by (...)

Here's the problem with this sort of specious reasoning. You are cherry-picking an example of how a project invested heavily in memory safety and therefore ended up lowering vulnerabilities. You ignore how much work was invested into processes and prioritizing specific types of problems. You instead decide to ignore everything and anything, and opt to go the simplistic path of pretending that the only step required to achieve these gains is onboarding a magical tool, as if nothing else was a factor.

Do you understand how this blend of cargo cult mentality is silly and unproductive?

I get it that you feel the need to promote a tool you like. That's fine. But if you had a case you wouldn't feel compelled to frame all your arguments on artificial scenarios you try to pin on all other tools, would you?

[Capricorn2481]

> This is the kind of fallacies that dominate Rust fanboy's discourse

Take a chill pill, you have completely derailed you argument with personal attacks in place of substance. You would have to be willfully ignorant to think Rust isn't safer than C++, and I say that as someone who refuses to use Rust.

[acdha]

Your accusations of fanaticism are most amusing given how you’re misrepresenting what I wrote and accusing me of fanboy behavior, specious reasons, cargo cult mentality, not making technical claims (talk about projection!), etc. I don’t why you have such a chip on your shoulder about memory safe languages but I would politely suggest that your current approach is not effective advocacy.

[uecker]

The wording is very unfortunate, he makes valid points though.