write only medium

I guess you meant "write once"?

---

Anyway, this won't prevent attacks that somehow swap the CD being read, or the backend logic for where to read the data from.

You cited Git as an example, but in Git it's possible to e.g. force-push a branch and if someone later fetches it with no previous knowledge they will get the original version.

The problem is the "with non previous knowledge" and is the reason this isn't a storage issue. The way you would solve this in git would be to fetch a specific commit, i.e. you need to already know the hash of the data you want.

For the Wayback Machine this could be as simple as embedding that hash in the url. That way when someone tries to fetch that url in the future they know what to expect and can verify the website data matches the hash.

This won't however work if you don't already have such hash or you don't trust the source of it, and I don't think there's something that will ever work in those cases.

So, basically, you are managing Arenas of variables instead of managing the lifetime of every single, individual variable, one at a time.

How does that handle stuff like vector reallocation? Does it keep both the old and the new vector allocation around until the arena scope ends? That seems very wasteful and I doubt it is how the release allocator handles it.

What's cool with that is you can manage the memory differently for each allocation by using a different type of allocator, which give you more control if desired.

This creates the risk of using the wrong allocator for deallocating.

Do you want to talk about the covariant, invariant, contravariant and invariant in Rust? Because that's a hell of a topic to manage the lifetime in Rust. Don't forget, you have to manage that for /every/single/ variables, one a time. Good luck keeping you sanity in a large project.

Variance is the property of a type, not a variable. You don't have to "manage" variance, you just have to respect it. And lifetime variance as a concept is something that exists in C/C++/Zig too and has to be respected, but the compiler generally does nothing to tell you about it. If someone doesn't understand that then I fear for what they will write in a language that doesn't make it clear to them.

Here is a good talk about what I try to tell you: Individual Element Thinking

I'm not going to spend my time watching a video just to reply to some random guy online, but I will try to give it a go later on if I have time in case it is actually interesting.

Security goes beyond "smart pointers". Just think of the fact Rust doesn't have shared libraries.

Shared libraries are in fact a massive source of unsafety since there's almost no way to guarantee compatibility between the two sides.

And being able to track dependencies with a proper package manager like cargo already does a pretty good job at tracking what you need to update.

Because Rust also has that fyi

Most of which are actually denial-of-service, unmaintained crates, or unsoundness in some crates.

Unsoundness "vulnerabilities" which would just be considered "documentation issues" in languagues that don't take memory safety as seriously, or maybe they would never be found because you have to go out of your way to actually hit them.

Zig uses allocators, which will inform you if you are leaking memory.

Does that hold for the release allocator too? It also requires the leak to happen in your testing (not differently from C/C++'s sanitizers)

Zig comes with defer/errdefer to simplify the resource cleanup (and for ergonomics).

Which you can forget to use though.

• Zig comes with Optionals to manage nulls.
• Zig comes with slices (ptr + size) to manage all the bound-checking.
• Zig automatically check for overflow/underflow arithmetic.
• Zig will check for pointer alignments when casting between pointer types.

All of this is good, but does very little to ensure temporal memory safety.

To summarize, you really need to /want/ to fuck up to fail your memory management...

I don't see an argument for this. It still seems very much possible to fuck up temporal memory safety without realizing and without hitting it in testing.

52.5% of the popular crates have unsafe code

Which is not unexpected to me. Half of Rust's point is to encapsulate unsafe code and provide a safe interface for it so that it can be locally checked. This is the only practical way that verification can happen, while C/C++/Zig basically force you to do whole-program verification (generally not practicable) or relying on testing/fuzzing/sanitizers (which will never guarantee safety).

If you think this is normal then imagine what other people think of the linux community though!

But here's the issue: the parent comment didn't even provide reasons why they think Windows sucks or examples/episodes where this was a problem for them. It adds nothing to the discussion, just free hate.

Lots of major companies like Microsoft and IBM also contribute to Linux, it doesn't make them saints nor even necessarily compare to what they get for using the volunteer dev work inside Linux.

Most of those companies actually contribute to the kernel or to foundational software used on servers, but few contribute to the userspace for desktop consumers on the level that Valve does.

Zig is "c", but modern and safe.

Zig is safer than C, but not on a level that is comparable to Rust, so it lacks its biggest selling point. Unfortunately just being a more modern language is not enough to sell it.

So imagine if trying to fit in a C-like cousin failed

C++ was not added to Linux because Linus Torvalds thought it was an horrible language, not because it was not possible to integrate in the kernel.

No, macros can see only the tokens you give them. They have no notion of the fact that crate::functions is a module, that PluginFunction is a trait and that functions_map is a variable. Not even the compiler may know those informations when the macro is expanded.

If you really really want to do this, you can use something like inventory. Note that inventory uses a special linker section to do this, which some consider a hack. This is also not supported on WASM if you want to target it.

CEO bonuses should be awarded 10 years after their mandate

Would it makes sense to provide a "share nothing" runtime implementation that can be injected at startup?

Isn't this tokio::task::spawn_local?

It also seems to require a GC though...

newxml is GC only, for simplicity sake.

Pointers are not guaranteed to be safe

So I guess they are forbidden in @safe mode?

but it's being replaced by something else instead

Do you know what is the replacement? I tried looking up DIP1000 but it only says "superceded" without mentioning by what.

This makes me wonder how ready D is for someone that wants to extensively use @safe though.

For local variables, one should use pointers, otherwise ref does references that are guaranteed to be valid to their lifetime, and thus have said limitations.

Should I take this to mean that pointers instead are not guaranteed to be valid, and thus are not memory safe?

Note that Rust does not "solve" memory management for you, it just checks whether yours is memory safe. Initially you might rely on the borrow checker for those checks, but as you become more and more used to Rust you'll start to anticipate it and write code that already safisfies it. So ultimately you'll still learn how to safely deal with memory management, just in a different way.

Rust for Linux used to be developed in parallel to the mainline Linux before Linus Torvalds merged support in the main tree.

"safe by default" can be done by starting your files with @safe:

Last time I heard about that it was much more limited than Rust, for example it even disallowed taking references to local variables. Has something changed since then?

But the one time I looked at a rust git repo I couldn't even find where the code to do a thing was.

IMO that tells more about how the project was organized and names things than the language used.

So I think probably, the best way IS to go the way linus did. Just go ahead and write a very basic working kernel in rust. If the project is popular it will gain momentum.

As the other commenter pointed out, there's Redox. The issue is that this completly disregards an incremental approach: you have to rewrite everything before it comes usable, you can't do it piece by piece. Currently the approach of Rust for Linux is not even to rewrite things, but to allow writing new drivers in Rust.

Trying to slowly adapt parts of the kernel to rust and then complain when long term C developers don't want to learn a new language in order to help isn't going to make many friends on that team.

Have you seen the conference video? That's not just refusal to learn a new language, it's open hostility. And it's not the only instance, for example Asahi Lina also reported unreasonable behaviour by some maintainers just because she wrote Rust code, even when Rust was not involved.

The reputation loss is probably worse than whatever fine they end up paying

Time to pull a Meta/X and change name

Unfortunately some things will IMO always remain a natural monopoly. For example good luck trying to convince developers to write their apps for all those different operating systems.

That doesn't really excuse its behavior in the video though.