The inherent problem with this kind of solution is that if you don’t break backwards compatibility, you don’t get rid off all the insecure code.
And if you do break backwards compatibility, there’s not much reason to stick to C++ rather than going for Rust with its established ecosystem…
wake me up when Rust fixes its’ supply chain attacks susceptibility (solid stdlib and rejecting external crates, including transitive deps
This has been one of my biggest frustrations while learning Rust. I’m coming from .NET which has an incredible wealth of official System and Microsoft libraries all of which are robust and well documented.
Rust on the other hand has the bare minimum std library, with everything else implemented by the community. There isn’t even a std async library. It’s insane.
Even the popular community libraries are severely lacking in documentation or inexplicably unmaintained.
Rust has a ton of potential but it desperately needs some broad funding to align the fundamentals to a decent standard.
Probably not going to happen. I will say that it’s less bad than you might think, because there is more-or-less an unofficial extended stdlib, i.e. high-quality, widely used libraries which are maintained by people in the Rust team.
But yeah, I’m involved in a somewhat larger project and we’ve cracked 1000 transitive dependencies a few weeks ago, and I can tell you for free that I don’t personally know the maintainers of all of those.
If this was more of a security-critical project, there’s probably a dozen or so direct dependencies that we would have implemented ourselves instead.
Given how long and widely C++ has been a dominant language, I don’t think anyone can reasonably expect to get rid of all the unsafe code, regardless of approach. There is a lot of it.
However, changing the proposition from “get good at Rust and rewrite these projects from scratch” to “adopt some incremental changes using the existing tooling and skills you already have” would lower the barrier to entry considerably. I think this more practical approach would be likely to reach far more projects.
There’s been plenty of interop options between C++ and just about anything for decades. If languages like D, that made it piss easy, weren’t gonna change people’s minds, nothing can. Ditching C++ is the only way forward.
Unfortunately, I don’t think D is good enough to prove your point. From your follow-up comment:
A language that for all intents and purposes is irrelevant despite being exactly what everyone wanted,
As someone who uses D, I can attest that it is not what everyone wanted; at least not yet. Despite all the great things in the language, the ergonomics around actually using it are mediocre at best: Several of its appealing features quickly turn it into a noisy language, error messages are often so obtuse as to be useless (especially with templates and contracts in play), and Phobos (the standard library) is practically made of paper cuts. Also, the only notable async support is a fragile mess, and garbage collection is too deeply embedded into both the stdlib and the ecosystem.
(To be fair, D could be vastly improved with better defaults and standard library. That might happen in time, as Walter and the other maintainers have shown interest, but it’s just wishful thinking for now.)
Also, D is an entirely different language from C++, and as such, would require code rewrites in order to bring safety to existing projects. It’s not really comparable to a C++ extension.
Interop between Rust and C++ is pretty bad actually - I can understand wanting to avoid that.
However I still agree. I can’t see opt-in mechanisms like this moving the needle.
Google started work on Carbon due to the difficulty of getting the C++ standards committee to accept any real, fundamental changes to the language. If Google, a grandmaster at manipulating standards committees, couldn’t get something passed, I don’t foresee this proposal getting anywhere.
The C++ standards committee don’t see memory safety or UB as a problem. If they did they wouldn’t keep introducing new footguns, e.g. forgetting return_void() in a coroutine. They still think everyone should just learn the entire C++ spec and not make mistakes.
It boggles the mind that any language - let alone a systems programming language that most of the world’s infrastructure is built upon - wouldn’t adjust their specification to eliminate undefined behavior wherever possible. And C++'s all seem to be in the worst possible places, too.
I think once things get established the people in charge see any attempt to change it as some kind of personal insult, so they just go into defence mode. You see the same thing e.g. with Python - for literally decades they’ve denied that performance matters and it’s really only recently that that has changed.
I think it will only get worse for C++ because the people who understand this stuff have mostly given up on C++.
That’s a wild screenshot.
The big downside is that, for backwards compatibility, the default must still be unsafe code. Ideally this could be toggled with a compiler flag, rather than having to wrap most code in “safe” blocks (like rust, but backwards).
One potential upside that people don’t seem to be discussing is that the safe subset could also be the place to finally start cutting down the bloat of C++. We could encourage most developers to write exclusively in the safe subset, and aim to make that the “much smaller and cleaner language” trying to get out of C++.
Is this going to be re-posted every month?
Anyway, I’ve come to know since then that the proposal was not a part of a damage control campaign, but rather a single person’s attempt at proposing a theoretical real solution. He misguidedly thought that there was actually an interest in some real solutions. There wasn’t, and there isn’t.
The empire are continuing with the strategy of scamming people into believing that they will produce, at some unspecified point, complete magical mushrooms guidelines and real specified and implemented profiles.
The proposal is destined to become perma-vaporware. The dreamy guidelines are going to be perma-WIP, the magical profiles are going to be perma-vapordocs (as in they will never actually exist, not even in theoretical form), and the bureaucracy checks will continue to be cashed.
So not only there was no concrete strike back, it wasn’t even the empire that did it.
Is this going to be re-posted every month?
That was a different community.
Also: https://xkcd.com/1053/
