| You are obviously a far more knowledgeable person than I am, so please don't take the following questions as dismissive of your expertise. I'm genuinely trying to learn. > for example calling directly from Rust into C without any expression of the semantics means you have no mechanism for reasoning about ownership Right. But since C cannot express Rust's ownership semantics, could one really do better? Does that mean that as long as there's significant amounts of C in Linux, then Linux should never introduce any language with stronger semantics than C? That seems unfortunate. > and that removes many of the security benefits of writing code in Rust in the first place. I've always thought of the idea being that _as long as the necessary manual reasoning is correct_, downstream Rust users _do_ get those benefits. But of course interfacing with C, lacking the necessary semantics, requires the interface writer to manually assure them. Wouldn't anything more demand more than C can deliver? > If you have a strong description of the semantics of the C code then you can write Rust bindings that expose that, but you're then constraining the maintainers of the C codebase in terms of their ability to make arbitrary changes without considering the impact that has on the Rust consumers. OK, but that seems like a political/social/organizational aspect far more than a technical problem with C-Rust-interop? |
(To be clear I have spent many nights drinking with Christoph and think he's entirely in the wrong here)