[yodon]

Logic bugs can exist in any language. Buffer overruns, unallocated memory uses, use after free, pretty much all of the first generation of internet vulns, those are signs the code was written in a non-memory managed language.

The fact that you CAN write memory safe code in C does not mean all maintenance programmers of your project will always write memory safe code in all their commits.

Memory managed languages unquestionably reduce the surface area of bugs one has to worry about, and in particular they eliminate the class of vulnerabilities that was most prevalent in web servers prior to the widespread adoption of memory safe languages.

[johnisgood]

You're going in circles. You've made the same point three times now without adding anything new.

Yes, memory-safe languages eliminate vulnerability classes. I said that in my first reply. Yes, people make mistakes in C. Obvious. None of this tells us anything about this specific web framework.

You dismissed it as "a terrible idea" based on the language alone. That's lazy analysis. Either review the actual code and find the bugs, or admit you're just cargo-culting the "C bad" narrative without looking at the implementation.

Have you actually examined this codebase or not?

[yodon]

The project is a framework for building applications on top of. The issue isn't the framework code. It's the application layer code that gets written and maintained for years to come on top of what may well be a brilliantly written framework layer.

Given that you don't disagree that C is an inherently riskier language to write in than memory managed languages, I can only conclude that what you're opposed to is the fact that I'm saying the quiet parts out loud. I'm not saying the quiet parts for you, you know them, I'm saying them for the junior devs who stumble across this page of senior devs waxing poetic about how wonderful C is. Every dev should know how to write C, but it's equally important to know its generally the wrong language to choose for a web server, which is what's being discussed here.

[johnisgood]

My problem is that you talk about insecurity because you saw "in C", yet you have not actually reviewed the code. You simply concluded (allegedly) that it is unsafe because it is written "in C". Review the code first. Written "in C" does not automatically make it unsafe. Do you agree?

That is my only problem.

Yes, I agree that every developer should know how to write C (useful skill, reference implementations should be written in C due to its simplicity), but I do not think that using C for writing a web framework is a bad thing. To each their own. It might have issues, but as I have said, it can be analyzed and reviewed through the methods I have previously said so[1]. I have no clue if this code has any issues, I have not reviewed it myself, so it is for not me to claim either way.

Are we in a disagreement or not?

[1] See https://news.ycombinator.com/item?id=45527495.