Mozilla, where Rust was originally conceived, have already talked about this risk factor ages ago when they were still working on Servo. Reimplementing battle-tested software in a different language can result in logic bugs being introduced, which no programming language can really prevent. Many times they will actually reintroduce bugs that have already been historically fixed in the original implementation. This doesn’t invalidate the benefits of moving to a very memory safe language, it just needs to be taken into consideration when determining whether it’s worth the risk or the effort.
Honestly I have no idea whether sudo-rs is a good idea or not, but I have my doubts that any of the other people (especially the very vocal kind) chiming in on this do. Any time Rust is involved in the Linux community, a lot of vocal critics with very little knowledge of the language or programming in general seem to appear.
I think a key difference is that firefox is a eternally evolving codebase that has to do new stuff frequently. It may have been painful but it’s worth it to bite the bullet for the sake of the large volume of ongoing changes.
For sudo/coreutils, I feel like those projects are more ‘settled’ and unlikely to need a lot of ongoing work, so the risk/benefit analysis cuts a different way.
Any time Rust is involved in the Linux community, a lot of vocal critics with very little knowledge of the language or programming in general seem to appear
I swear to god sometime last week in a conversation about Rust here, there was one commenter whose entire point was “OK admittedly i don’t code and don’t know much about programming but i got this feeling that memory safety isn’t all what’ it’s cracked up to be”. A confederacy of dunces indeed…
The counterpoint is that, especially with FOSS that does not receive much (if any) corporate backing, developer retention and interest is an important factor.
If I’m donating some of my free time to a FOSS project I’d rather not slug through awful build systems, arcane mailing lists, and memory unsafe languages which may or may not use halfway decent - often homebrew - manual memory management patterns. If the project is written in Rust, it’s a pretty clear indicator that the code will be easily readable, compilable, and safer to modify.
But why the rust? there are quite a large variety of languages with memory protection (for example Java), and freely compiled (for example golang), but for some reason they persistently try to rewrite the whole “world” into rust. I’m not against rust, I’m really curious.
Both java and go seem excessively complex at runtime for fundamental system utilities, featuring garbage collection. Rust, on the other hand, keeps the complexity in the compiler and source, keeping the runtime code simpler. And of course it’s doing that while trying to make it easier to manage memory and harder to make mistakes, without forcing extra runtime logic on you.
For systems programming it makes the most sense out of the languages you mentioned. Languages requiring a runtime (Java/Python) do not fill the bill for system tools IMO. Golang is more arguable, but its memory safety comes through GC which many systems programmers aren’t fans of for a variety of technical and personal reasons.
Rust is meant to be what C++ would be if it were designed today by opiniated system developers and didn’t have to be backwards-compatible.
Those are the technical arguments I would use in a corporate setting.
All that aside, there’s personal preference, and my point is that for FOSS projects that matters too. Rust is fun in a brain-teasy kind of way in the same way that writing C is fun, but without nearly as many footguns. Golang is practical but arguably not as fun. That’s the same logic that draws many programmers to write Haskell projects.
The story of the Fish shell illustrates it quite well; the project gained a lot of development attention and contributions when they decided to rewrite from C++ to Rust, where they achieved a stable release with feature-parity a few months ago. It would have been a remarkably dumb decision for a private company to make, but makes perfect sense when you are trying to attract free talent.
I do think there are long-term benefits in many cases, it just depends on available resources. There are plenty of projects that desperately need a rewrite for maintenance reasons alone so you might as well examine if language switch is worth it. It’s not like there aren’t a lot of success stories, even if there’s projects like sudo-rs where we’re, at best, not sure if there’s tangible benefits.
It’s a generally applicable lesson in why it’s NOT a good idea to change things for the sake of it though (chesterton’s fence, but where most of the actual bits of fence are invisible).
Contrary to popular belief, it is possible to write software in C that is very secure. It takes thought but C has the edge with its small footprint and system integration
At this point I think the “thoughtful” C programmer is a myth and I don’t mean this as an insult. Even the most careful and experienced C gurus still make mistakes that would be much harder to make, if not categorically prevented in something like Rust. A lot of very secure C software is small in footprint, has had stable requirements for years, experienced thousands of hours of real world testing by users and the scrutiny of security experts. What I’m saying is: it should be easier to write secure software, especially with complex requirements or large attack surfaces.
I disagree that C has a notably smaller footprint than Rust for most purposes and system integration is in some cases harder in Rust precisely because of the notorious upfront implementation cost that prevents a lot of potential bugs.
Contrary to popular belief, it is possible to write software in assembly that is very readable. It takes thought but assembly has the edge with its miniscule footprint and zero-dependency runtime.
The problem with assembly is that it is almost impossible to optimize it as a human. Way back in the day instruction sets were written for humans but these days it is highly unlikely that you will be able to write assembly that can outperform a compiler. The reason primary has to do with pipelining and caching since modern CPUs are extremely complex.
Yea I mean it’s possible, but the sooner you bite the bullet and use a more modern language, the sooner you’ll get back to the same level of maturity and start having productivity dividends being paid out thanks to things like being able to get your compiler to prevent use after free bugs and the like.
Not sure how much sudo specifically needs this, maybe new commits are rare. As long as it stays out of LTS for the time being I’m all for it though.
Also not quite sure what you mean by “footprint”
Are you talking about the binary size or the fact that C has a tiny and straightforward language spec?
Mozilla, where Rust was originally conceived, have already talked about this risk factor ages ago when they were still working on Servo. Reimplementing battle-tested software in a different language can result in logic bugs being introduced, which no programming language can really prevent. Many times they will actually reintroduce bugs that have already been historically fixed in the original implementation. This doesn’t invalidate the benefits of moving to a very memory safe language, it just needs to be taken into consideration when determining whether it’s worth the risk or the effort.
Honestly I have no idea whether sudo-rs is a good idea or not, but I have my doubts that any of the other people (especially the very vocal kind) chiming in on this do. Any time Rust is involved in the Linux community, a lot of vocal critics with very little knowledge of the language or programming in general seem to appear.
I think a key difference is that firefox is a eternally evolving codebase that has to do new stuff frequently. It may have been painful but it’s worth it to bite the bullet for the sake of the large volume of ongoing changes.
For sudo/coreutils, I feel like those projects are more ‘settled’ and unlikely to need a lot of ongoing work, so the risk/benefit analysis cuts a different way.
I swear to god sometime last week in a conversation about Rust here, there was one commenter whose entire point was “OK admittedly i don’t code and don’t know much about programming but i got this feeling that memory safety isn’t all what’ it’s cracked up to be”. A confederacy of dunces indeed…
This is why its generally better to only write new code in more memory safe langs instead of rewriting everything
The counterpoint is that, especially with FOSS that does not receive much (if any) corporate backing, developer retention and interest is an important factor.
If I’m donating some of my free time to a FOSS project I’d rather not slug through awful build systems, arcane mailing lists, and memory unsafe languages which may or may not use halfway decent - often homebrew - manual memory management patterns. If the project is written in Rust, it’s a pretty clear indicator that the code will be easily readable, compilable, and safer to modify.
But why the rust? there are quite a large variety of languages with memory protection (for example Java), and freely compiled (for example golang), but for some reason they persistently try to rewrite the whole “world” into rust. I’m not against rust, I’m really curious.
Both java and go seem excessively complex at runtime for fundamental system utilities, featuring garbage collection. Rust, on the other hand, keeps the complexity in the compiler and source, keeping the runtime code simpler. And of course it’s doing that while trying to make it easier to manage memory and harder to make mistakes, without forcing extra runtime logic on you.
For systems programming it makes the most sense out of the languages you mentioned. Languages requiring a runtime (Java/Python) do not fill the bill for system tools IMO. Golang is more arguable, but its memory safety comes through GC which many systems programmers aren’t fans of for a variety of technical and personal reasons.
Rust is meant to be what C++ would be if it were designed today by opiniated system developers and didn’t have to be backwards-compatible.
Those are the technical arguments I would use in a corporate setting.
All that aside, there’s personal preference, and my point is that for FOSS projects that matters too. Rust is fun in a brain-teasy kind of way in the same way that writing C is fun, but without nearly as many footguns. Golang is practical but arguably not as fun. That’s the same logic that draws many programmers to write Haskell projects.
The story of the Fish shell illustrates it quite well; the project gained a lot of development attention and contributions when they decided to rewrite from C++ to Rust, where they achieved a stable release with feature-parity a few months ago. It would have been a remarkably dumb decision for a private company to make, but makes perfect sense when you are trying to attract free talent.
Many things do use go, the issue with Java lies in its massive runtime burden (also not a great language IMO)
Java isn’t an exciting language, sure.
Kotlin is, though.
Agreed, Kotlin’s a lot nicer.
I do think there are long-term benefits in many cases, it just depends on available resources. There are plenty of projects that desperately need a rewrite for maintenance reasons alone so you might as well examine if language switch is worth it. It’s not like there aren’t a lot of success stories, even if there’s projects like sudo-rs where we’re, at best, not sure if there’s tangible benefits.
It’s a generally applicable lesson in why it’s NOT a good idea to change things for the sake of it though (chesterton’s fence, but where most of the actual bits of fence are invisible).
Contrary to popular belief, it is possible to write software in C that is very secure. It takes thought but C has the edge with its small footprint and system integration
At this point I think the “thoughtful” C programmer is a myth and I don’t mean this as an insult. Even the most careful and experienced C gurus still make mistakes that would be much harder to make, if not categorically prevented in something like Rust. A lot of very secure C software is small in footprint, has had stable requirements for years, experienced thousands of hours of real world testing by users and the scrutiny of security experts. What I’m saying is: it should be easier to write secure software, especially with complex requirements or large attack surfaces.
I disagree that C has a notably smaller footprint than Rust for most purposes and system integration is in some cases harder in Rust precisely because of the notorious upfront implementation cost that prevents a lot of potential bugs.
Contrary to popular belief, it is possible to write software in assembly that is very readable. It takes thought but assembly has the edge with its miniscule footprint and zero-dependency runtime.
I wouldn’t go that far
The problem with assembly is that it is almost impossible to optimize it as a human. Way back in the day instruction sets were written for humans but these days it is highly unlikely that you will be able to write assembly that can outperform a compiler. The reason primary has to do with pipelining and caching since modern CPUs are extremely complex.
https://esolangs.org/wiki/Brainfuck
Yea I mean it’s possible, but the sooner you bite the bullet and use a more modern language, the sooner you’ll get back to the same level of maturity and start having productivity dividends being paid out thanks to things like being able to get your compiler to prevent use after free bugs and the like.
Not sure how much sudo specifically needs this, maybe new commits are rare. As long as it stays out of LTS for the time being I’m all for it though.
Also not quite sure what you mean by “footprint”
Are you talking about the binary size or the fact that C has a tiny and straightforward language spec?