
as soon as I saw the large amount of unsafe code, I stopped considering it at all

So in that case you wouldn’t use any software written in plain C, right?



At the risk of projection, that comment reads to me as an attempt at playing gotcha.

It's not necessarily that unsafe code is categorically bad and nobody should ever use software that is written without strong static guarantees. It's that, in a language like Rust that has such a high level of compile-time checking, and whose community places such a high premium on it, relying heavily on unsafe becomes a red flag. It implies that the author of the code has a tendency to play fast and loose in a way that you might not want to welcome into your own codebase if you don't have to.

Where unsafe is supposed to be treated as a sort of pinky swear that says, "The compiler couldn't guarantee that this is safe, so I did," that starts to get scary, because any errors will undercut the safety guarantees that the compiler is supposed to be enforcing on your own code. And a large volume of unsafe code implies a large manual verification burden, and a larger volume of code that's easy to accidentally break. And the more of it that should be manually verified there is, the lower the chances that it is actually being manually verified. So it threatens to defeat the ostensible purpose of choosing a language like Rust in the first place.

That's not to say that programming Rust that way is wrong or evil in any objective sense. But it's something that needs to play into a decision on whether to take a dependency on such code. When you link code, you're inviting it into your process space, and you now have to accept responsibility for anything it does while it's in there.


> relying heavily on unsafe becomes a red flag. It implies that the author of the code has a tendency to play fast and loose

It does not imply that. It might mean that the author knows what he's doing. Or not. We don't know without auditing the code.

> defeat the ostensible purpose of choosing a language like Rust in the first place

The OP didn't try to choose a language - they tried to choose a piece of software that solves their problem. Seemed like the software was rejected on wrong grounds.


To your first comment, I hadn't intended there to use 'implies' to mean logical implication. There's room in the vernacular 'implies' for "or maybe not."

Though I think that we can trot out logical implication in response to your second comment: Considering taking actix-web as a dependency logically implies that you have chosen to write your program in Rust. Or, at least, the only language I'm aware of being able to import Rust modules is Rust.


> We don't know without auditing the code

or when you really audit the code, find a problem, submit a patch and then the author dismisses your patch as "boring"


Yes. I try not to use things built in C when there are other alternatives. Why? https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=use+after+f...


It is actually easier to introduce undefined behaviour in unsafe Rust than in C, since Rust uses the guarantee that two mutable references living at the same time cannot alias to optimize code.
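The two points raised in this thread, that every unsafe block adds to a manual verification burden, and that unsafe Rust can break the no-aliasing rule the optimiser relies on, are easier to see on a concrete block. The following is an added example, not code from the thread or from actix-web: a small unsafe block wrapped in a safe API, with the invariant the compiler cannot check written down at the point where it is relied upon. The function name `split_mut_checked` and the `demo` helper are made up for the illustration.

```rust
// Added example (not from the thread): a sound safe wrapper around one
// `unsafe` block. The SAFETY comment is the proof obligation a reviewer
// has to discharge by hand; the more such blocks a crate has, the more
// of these obligations someone must actually check.

/// Split `buf` into two disjoint mutable halves at `mid`.
/// Returns None (instead of panicking) when `mid` is out of range.
pub fn split_mut_checked<T>(buf: &mut [T], mid: usize) -> Option<(&mut [T], &mut [T])> {
    let len = buf.len();
    // Bounds check: without it, the raw-pointer arithmetic below could
    // produce overlapping or out-of-bounds slices, which is undefined
    // behaviour regardless of whether anything visibly goes wrong.
    if mid > len {
        return None;
    }
    let ptr = buf.as_mut_ptr();
    // SAFETY: `mid <= len` (checked above), so [0, mid) and [mid, len) are
    // disjoint sub-ranges of a single live allocation. Handing out two
    // `&mut` slices that overlap would violate Rust's aliasing rule, which
    // the optimiser assumes holds; the check above is what makes this sound.
    unsafe {
        Some((
            std::slice::from_raw_parts_mut(ptr, mid),
            std::slice::from_raw_parts_mut(ptr.add(mid), len - mid),
        ))
    }
}

/// Use the two halves independently: zero the first, double the second.
/// Returns the total number of elements touched, or None if `mid` is invalid.
pub fn demo(buf: &mut [u32], mid: usize) -> Option<usize> {
    let (head, tail) = split_mut_checked(buf, mid)?;
    for x in head.iter_mut() {
        *x = 0;
    }
    for x in tail.iter_mut() {
        *x *= 2;
    }
    Some(head.len() + tail.len())
}

fn main() {
    // Constructed sample input.
    let mut data = [1u32, 2, 3, 4, 5];
    println!("{:?}", demo(&mut data, 2)); // Some(5)
    println!("{:?}", data);               // [0, 0, 6, 8, 10]
    println!("{:?}", demo(&mut data, 9)); // None: out-of-range split rejected
}
```

The safe signature is the whole point: callers get two `&mut` slices and the borrow checker keeps them honest from there, but only because the one unsafe block upheld the disjointness invariant. For your own crate you can rule out this class of review work entirely with the crate-level attribute `#![forbid(unsafe_code)]`; it does not extend to dependencies, which is why the volume of unsafe in a library you link still has to be weighed as the thread describes.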



