I guess what you mean is that Rust doesn't advertise the compiler as being bug-free?
The massive difference here is that C++ has no soundness guarantees even when the compiler is working as intended, whereas Rust actually does in fact give soundness guarantees in the absence of compiler bugs.
Rust doesn’t have a formal specification other than “whatever the fuck our team hallucinated in this compiler version”
That's simply not true. The Reference, while not an ISO-style formal spec, does actually specify most of the intended language behavior, and incrementally approaches completion over time. But even if you insist on an ISO-style formal spec, there's Ferrocene: https://ferrous-systems.com/blog/the-ferrocene-language-specification-is-here/
it fucks your day because you’re not careful
The cve-rs vulnerability is actually not really something you'd ever write by accident. Also note that the bug report has multiple versions because, even though a "full" solution is pending some deeper compiler changes, the first ~~two~~ three versions of the exploit are now caught by the compiler. So, like I said, the compiler bugs do get fixed over time.
Yeah, and that falls under the first category, bugs in the compiler: https://github.com/rust-lang/rust/issues/25860
(All exploits in that repo are possible due to that bug.)
Borrow checking...existed in C++ too
Wat? That's absolutely not true; even today lifetime-tracking in C++ tools is still basically a research topic.
...someone found memory bugs in Rust, again, because it is NOT soundly memory safe.
It's not clear what you're talking about here. In general, there are two ways that a language promising soundness can be unsound: a bug in the compiler, or a problem in the language definition itself permitting unsound code. (unsafe changes the prerequisites for unsoundness, placing more burden on the user to ensure that certain invariants are upheld; if the code upholds these invariants, but there's still unsoundness, then that falls into the "bug in Rust" category, but unsoundness of incorrect unsafe code is not a bug in Rust.)
Rust has had both types of bugs. Compiler bugs can be (and are) fixed without breaking (correct) user code. Bugs in the language definition are, fortunately, fixable at edition boundaries (or in rare cases by making a small breaking change, as when the behavior of extern "C" changed).
It's neither arbitrary nor magic; it's math. And unsafe doesn't disable the type system, it just lets you dereference raw pointers.
"You don't have the hiring and firing power."
-- Kitty, Arrested Development
I know!! How can Jigsaw claim it "works fine"? He'd probably say something like "it's battle-tested and state of the art." What does that even mean??
Hello, Rust developer. [My name, etc.] It works fine, and is written in C++. [Rest of challenge is the same.]
Truly diabolical
Maybe? But also, maybe not? ChromeOS is not just for "people who are already interested in Linux." It's true that only techies are likely to care about ChromeOS vs some hypothetical non-Google OS/distro, but the vendors are techies, so if a vendor wanted to sell a Chromebook-like product without involving Google, they'd presumably be interested in an OS/distro like the one the article is talking about.
But if something like this existed, consumer vendors such as Dell might pre-install it.
Exactly; the OP image is saying that there's no point to doing that.
You didn't say "programmers should be aware that rust doesn’t automatically mean safe". You said:
You then went on to mention
unsafe, conflating "security" and "safety"; Rust's guarantees are around safety, not security, so it sounds like you really mean "more safe" here. But Rust does make software more safe than C++: it prohibits memory safety issues that are permitted by C++.You then acknowledged:
...which seems to be the opposite of your original statement that Rust doesn't make software "more secure". But in the same comment:
...well, no, there IS a guarantee that Rust is "automatically" (memory) safe, and to violate that safety, your program must either explicitly opt out of that "automatic" guarantee (using
unsafe) or exploit (intentionally or not) a compiler bug.This is also true! "Safety" is a property of proofs: it means that a specific undesirable thing cannot happen. The C++ compiler doesn't provide safety properties[1]. The opposite of "safety" is "liveness", meaning that some desirable thing does happen, and C++ does arguably provide certain liveness properties, in particular RAII, which guarantees that destructors will be called when leaving a call-stack frame.
[1] This is probably over-broad, but I can't think of any safety properties C++ the language does provide. You can enforce your own safety properties in library code, and the standard library provides some; for instance, mutexes have safety guarantees.