BatmanAoD

For what it's worth, I agree with you about branches, and there are various ongoing discussions about how to make working with branches more convenient. I use an experimental feature called "advance branches" that makes it mostly fit my workflows, and the other benefits of jj are sufficient that I haven't switched back to git.

I create log files of runs, temporary helper scripts, build output, etc. in my working copy all the time.

The solution to this is to just have a more aggressive .gitignore. But also, note that the "working copy commit" isn't generally something you want to push or keep; think of it more like a combination of the git staging index and an automatic stash.

Same

You didn't say "programmers should be aware that rust doesn’t automatically mean safe". You said:

People just think that applying arbitrary rules somehow makes software magically more secure...

You then went on to mention unsafe, conflating "security" and "safety"; Rust's guarantees are around safety, not security, so it sounds like you really mean "more safe" here. But Rust does make software more safe than C++: it prohibits memory safety issues that are permitted by C++.

You then acknowledged:

I understand that rust forces things to be more secure

...which seems to be the opposite of your original statement that Rust doesn't make software "more secure". But in the same comment:

It’s not not like there’s some guarantee that rust is automatically safe...

...well, no, there IS a guarantee that Rust is "automatically" (memory) safe, and to violate that safety, your program must either explicitly opt out of that "automatic" guarantee (using unsafe) or exploit (intentionally or not) a compiler bug.

...and C++ is automatically unsafe.

This is also true! "Safety" is a property of proofs: it means that a specific undesirable thing cannot happen. The C++ compiler doesn't provide safety properties[1]. The opposite of "safety" is "liveness", meaning that some desirable thing does happen, and C++ does arguably provide certain liveness properties, in particular RAII, which guarantees that destructors will be called when leaving a call-stack frame.

[1] This is probably over-broad, but I can't think of any safety properties C++ the language does provide. You can enforce your own safety properties in library code, and the standard library provides some; for instance, mutexes have safety guarantees.

I guess what you mean is that Rust doesn't advertise the compiler as being bug-free?

The massive difference here is that C++ has no soundness guarantees even when the compiler is working as intended, whereas Rust actually does in fact give soundness guarantees in the absence of compiler bugs.

Rust doesn’t have a formal specification other than “whatever the fuck our team hallucinated in this compiler version”

That's simply not true. The Reference, while not an ISO-style formal spec, does actually specify most of the intended language behavior, and incrementally approaches completion over time. But even if you insist on an ISO-style formal spec, there's Ferrocene: https://ferrous-systems.com/blog/the-ferrocene-language-specification-is-here/

it fucks your day because you’re not careful

The cve-rs vulnerability is actually not really something you'd ever write by accident. Also note that the bug report has multiple versions because, even though a "full" solution is pending some deeper compiler changes, the first ~~two~~ three versions of the exploit are now caught by the compiler. So, like I said, the compiler bugs do get fixed over time.

Yeah, and that falls under the first category, bugs in the compiler: https://github.com/rust-lang/rust/issues/25860

(All exploits in that repo are possible due to that bug.)

Borrow checking...existed in C++ too

Wat? That's absolutely not true; even today lifetime-tracking in C++ tools is still basically a research topic.

...someone found memory bugs in Rust, again, because it is NOT soundly memory safe.

It's not clear what you're talking about here. In general, there are two ways that a language promising soundness can be unsound: a bug in the compiler, or a problem in the language definition itself permitting unsound code. (unsafe changes the prerequisites for unsoundness, placing more burden on the user to ensure that certain invariants are upheld; if the code upholds these invariants, but there's still unsoundness, then that falls into the "bug in Rust" category, but unsoundness of incorrect unsafe code is not a bug in Rust.)

Rust has had both types of bugs. Compiler bugs can be (and are) fixed without breaking (correct) user code. Bugs in the language definition are, fortunately, fixable at edition boundaries (or in rare cases by making a small breaking change, as when the behavior of extern "C" changed).

It's neither arbitrary nor magic; it's math. And unsafe doesn't disable the type system, it just lets you dereference raw pointers.

"You don't have the hiring and firing power."

-- Kitty, Arrested Development

I know!! How can Jigsaw claim it "works fine"? He'd probably say something like "it's battle-tested and state of the art." What does that even mean??

Hello, Rust developer. [My name, etc.] It works fine, and is written in C++. [Rest of challenge is the same.]

Truly diabolical

Maybe? But also, maybe not? ChromeOS is not just for "people who are already interested in Linux." It's true that only techies are likely to care about ChromeOS vs some hypothetical non-Google OS/distro, but the vendors are techies, so if a vendor wanted to sell a Chromebook-like product without involving Google, they'd presumably be interested in an OS/distro like the one the article is talking about.