Rust is mostly safety

I&#x27;m a lowly ancient Java programmer and I think Rust is far far more than safety.<p>In my opinion Rust is about doing things right. It may have been about safety at first but I think it is more than that given the work of the community.<p>Yes I know there is the right tool for the right job and is impossible to fill all use cases but IMO Rust is striving for iPhone like usage.<p>I have never seen a more disciplined and balanced community approach to creating PL. Everything seems to be carefully thought out and iterated on. There is a lot to be said to this (although ironically I suppose one could call that safe)!<p>PL is more than the language. It is works, community and mindshare.<p>If Rust was so concerned with safety I don&#x27;t think much work would be done on making it so consumable for all with continuous improvements of compiler error messages, easier syntax and improved documentation.<p>Rust is one of the first languages in a long time that makes you think different.<p>If it is just safety... safety is one overloaded word.

I think Rust is mostly about safety in the same way that skydiving is mostly about safety. Having safety features that you know you can rely on allows you to take risks that you normally wouldn&#x27;t in order to accomplish some really awesome things.<p>(I guess in this analogy C is a parachute that you have to open manually, while Rust is a parachute that always opens at exactly the right altitude, but isn&#x27;t any heavier than a normal parachute.)

I&#x27;ll probably be writing a slightly longer response post to this later, but for now... EDIT: here it is: <a href="http:&#x2F;&#x2F;words.steveklabnik.com&#x2F;fire-mario-not-fire-flowers" rel="nofollow">http:&#x2F;&#x2F;words.steveklabnik.com&#x2F;fire-mario-not-fire-flowers</a><p>I think the core of it is this:<p>&gt; Safety in the systems space is Rust&#x27;s raison d&#x27;être. Especially safe concurrency (or as Aaron put it, fearless concurrency). I do not know how else to put it.<p>But you just did! That is, I think &quot;fearless concurrency&quot; is a better pitch for Rust than &quot;memory safety.&quot; The former is &quot;Hey, you know that thing that&#x27;s really hard for you? Rust makes it easy.&quot; The latter is, as Dave[1] says, &quot;eat your vegetables.&quot;<p>I&#x27;m not advocating that Rust lose its focus on safety from an implementation perspective. What I am saying is that the abstract notation of &quot;safety&quot; isn&#x27;t compelling to a lot of people. So, if we want to make the industry more safe by bringing Rust to them, we have to find a way to make Rust compelling to those people.<p>1: <a href="https:&#x2F;&#x2F;thefeedbackloop.xyz&#x2F;safety-is-rusts-fireflower&#x2F;" rel="nofollow">https:&#x2F;&#x2F;thefeedbackloop.xyz&#x2F;safety-is-rusts-fireflower&#x2F;</a>

I was surprised to see Ada in the list of unsafe languages, since it always was sold to me as being designed for safety. A bit of searching leads me to believe that Ada is better about memory even though it mostly uses types for safety, and better enforcement of bounds on array access should solve overflow issues regardless. Am I missing something?

Rust is about letting the compiler slap you for your mistakes in the privacy of your own Xterm, instead of letting Jenkins do it 10 minutes later, in front of all your co-workers.

Its the safe <i>and</i> performant that attracts me.<p>If you look at Rust from C then the point is safety, but if you look at it from the other direction, e.g from F# then what attracts you is that you will get the <i>same</i> safety guarantees (and perhaps a few more) but without the GC and heap overhead.

In case you missed that there&#x27;s a big disillusioned C++ crowd out there.<p>Just hear the pain: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13276351" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=13276351</a><p>And some of them are watching you with great interest.

I agree with the premise of the article.<p>However, I feel that Steve Klabnik is trying to dispel myths about Rust not being anything &quot;but&quot; safety, to shape how other Rust developers talk about Rust, not denying that Rust&#x27;s central purpose is around being a safe language.<p>This is because there is a lot of miscommunication about Rust. A lot of people who aren&#x27;t immediately sold on the language walk away thinking it&#x27;s slow (it&#x27;s not), it&#x27;s complicated (not really), and not production ready (it actually is). And that&#x27;s because Rust developers don&#x27;t know how to talk about Rust. I am guilty, for one.<p>Since Steve is such a huge part of RustLang development, it&#x27;s his duty to direct the conscious effort to promote the language.<p>No reason to get into a debate over click-baity titles. :)

The issue with safety is that nothing is really safe. Once you have some level of safety in your programming language, you realize that there are still a lot of other sources of hazard (hardware errors, programming logic errors etc.)<p>So I guess, it would be better to say that Rust is about decreasing unsafetyness or whatever the correct word for that is.<p>edit: since I see posts about Go, this is evidently another approach toward decreasing unsafetyness by providing fewer and easier to understand primitives so that the programming logic is harder to write wrong. It might come at a moderate cost for some applications.

If you&#x27;re a C++ programmer, Rust is mostly about memory safety.<p>If you&#x27;re a Java programmer, Rust is mostly about tighter resource usage.<p>If you&#x27;re a Python programmer, Rust is mostly about type safety and speed.

<i>I do not mean to pick on C++: the same problems plague C, Ada, Alef, Pascal, Mesa, PL&#x2F;I, Algol, Forth, Fortran ... show me a language with manual memory management and threading, and I will show you an engineering tragedy waiting to happen.</i><p>I think if programming is to make progress as a field, then we need to develop a methodology for figuring out how to quantify the cost-benefit trade-offs around &quot;engineering tragedies waiting to happen.&quot; The fact that we have all of these endless debates that resemble arguments about religion shows that we are missing some key processes and pieces of knowledge as a field. Instead of developing those, we still get enamored of nifty ideas. That&#x27;s because we can&#x27;t gather data and have productive discussions around <i>costs.</i><p>There are significant emergent costs encountered when &quot;programming in the large.&quot; A lot of these seem to be anti-synergistic with powerful language features and &quot;nifty ideas.&quot; How do we quantify this? There are significant institutional risks encountered when maintaining applications over time spans longer than several years. There are hard to quantify costs associated with frequent short delays and lags in tools. There are difficult to quantify costs associated with the fragility of development environment setups. In my experience most of the cost of software development is embodied in these myriad &quot;nickel and dime&quot; packets, and that much of the religious-war arguing about programming languages is actually about those costs.<p>(For the record, I think Rust has a bunch of nifty ideas. I think they&#x27;re going down the right track.)

The original Rust author make great points about safety. I think this new thrust on marketing emerges from Rust Roadmap 2017 which puts Rust usage in industry as one of the major goal. Currently Rust is about Go&#x27;s age but nowhere close in usage. As the roadmap says &quot;Production use measures our design success; it&#x27;s the ultimate reality check.&quot; I agree with that.

&gt; countless lives lost<p>I have no doubt that people have had their lives ruined, or even died, as the result of flaws in system programming, but is anyone actually tracking this? Is it &quot;countless?&quot;

&gt; Modula-3, Eiffel, Sather<p>Nice to see these languages on Rust&#x27;s team radar, specially Sather.<p>Just shows how you guys have researched prior work, congratulations.

The author states: &quot;A few valiant attempts at bringing GC into systems programming -- Modula-3, Eiffel, Sather, D, Go -- have typically cut themselves off from too many tasks due to tracing GC overhead and runtime-system incompatibility, and still failed to provide a safe concurrency model.&quot;<p>Nim follows a different approach.<p>Details: <a href="http:&#x2F;&#x2F;nim-lang.org&#x2F;docs&#x2F;manual.html#threads" rel="nofollow">http:&#x2F;&#x2F;nim-lang.org&#x2F;docs&#x2F;manual.html#threads</a><p>Benchmark (with Rust): <a href="https:&#x2F;&#x2F;github.com&#x2F;costajob&#x2F;app-servers" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;costajob&#x2F;app-servers</a>

I think Rust is not about safety, but about reusability. Do you like to take on a dependency on someone&#x27;s code when it is in C? The answer is: roll your own code. Rust means the end of that.<p>Rust means software that can be written once and used &quot;forever&quot;. Thus it enables true open source. In comparison C&#x2F;C++ pay a mere lip-service, by also giving you, along with the code, lots of reasons to worry.<p>This is the real innovation behind Rust.

I think it&#x27;s a bit funny that in an industry that (supposedly) prides itself on &quot;meritocracy&quot;, there are many people that refuse to use (or learn) performant memory-safe languages, when memory-safe code is always better than memory-unsafe code (in terms of resource usage, reduction of bugs, etc, etc.).

It&#x27;s a shame there is no mention of ATS, which also attempts safe systems programming usings an advanced type system.

What about bare-metal options? Is there any development effort in that direction?<p>Most of the C that I do these days is Arm Cortex-Mx work. Realtime cooperative multi-tasking using an RTOS on the bare metal. It seems like Rust would be a great option for that kind of work if the low-level ecosystem were complete enough.

I completely agree. This is what I wrote on Reddit in response to Klabnik&#x27;s post:<p>Rust can make such an important contribution to such an important slice of the software world, that I really fear that trying to make a better pitch and get as many adopters as quickly as possible might create a community that would pull Rust in directions that would make it <i>less</i> useful, not more.<p>Current C&#x2F;C++ developers really do need more safety. They don&#x27;t need a more pleasant language. Non C&#x2F;C++ developers don&#x27;t really need a language with no GC. Now, by &quot;don&#x27;t need&quot; I absolutely don&#x27;t mean &quot;won&#x27;t benefit from&quot;. But one of the things we can learn from James Gosling about language design is, don&#x27;t focus on features that are useful; don&#x27;t even focus on features that are <i>very</i> useful; focus on features that are absolutely indispensable... and compromise on all the rest. The people behind Java were mostly Lispers, but they came to the conclusion that what the industry really, really needs, is garbage collection and good dynamic linking and that those have a bigger impact than clever language design, so they put all that in the VM and wrapped it in a language that they made as familiar and as non-threatening as possible, which even meant adopting features from C&#x2F;C++ that they <i>knew</i> were wrong (fall-through in switch&#x2F;case, automatic numeric widening), all so they could lower the language adoption cost, and sell people the really revolutionary stuff in the VM. Gosling said, &quot;we sold them a wolf in sheep&#x27;s clothing&quot;. I would recommend watching the first ~25 minutes of this talk[1] to anyone who&#x27;s interested in marketing and maintaining a programming language.<p>If Rust would <i>only</i> win over 10% of C&#x2F;C++ programmers who <i>today</i> understand the need for safety, say, in the next 5-10 years, that would make it the highest-impact, most <i>important</i> language of the past two decades. In that area of the software world change is very, very slow, and you must be patient, but that&#x27;s where Rust could make the biggest difference because that&#x27;s where its safety is indispensable. A few articles on Rust in some ancient trade journals that you thought nobody reads because those who do aren&#x27;t on Twitter and aren&#x27;t in your circle may do you more good than a vigorous discussion on Reddit or the front page of HN. Even the organizational structure in organizations that <i>need</i> Rust looks very different from the one in companies that are better represented on Reddit&#x2F;HN, so you may need to market to a different kind of people. So please, be patient and focus your marketing on those that really <i>need</i> Rust, not on those outside that group you think you can win over most quickly because they move at a faster pace.<p>[1]: <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=Dq2WQuWVrgQ" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=Dq2WQuWVrgQ</a>

This is a little off topic, but when I looked at his post I thought, &quot;Wait .. is that LiveJournel?&quot; .. and yes it is apparently. Or at least a fork of it called DreamWidth.<p>Interesting to see forks of older OSS Perl web apps still in use today.

I haven&#x27;t used Rust, but generally speaking wouldn&#x27;t you say that safety in some sense includes the other nice features? For instance, if it were safe but not fast (like, say, a GC language) it wouldn&#x27;t be useful. So it has to be safe and fast (which it sounds to me like it is). Okay, so what if it were safe, fast, but a real hassle to use? Well that&#x27;s not very useful either. So it has to be safe, fast, and usable. Just like Moxie&#x27;s approach to security: focus on usability, so people actually use the damn thing. And it sounds like all the other nice features make Rust more usable.

&quot;Our engineering discipline has this dirty secret, but it is not so secret anymore: every day the world stumbles forward on creaky, malfunctioning, vulnerable, error-prone systems software and every day the toll in human misery increases. Billions of dollars, countless lives lost.&quot;<p>Billions of dollars and countless lives lost? I&#x27;m not saying that buffer overruns aren&#x27;t a thing but this seems like marketing claims without substance. Yes, I read through the examples below, still think he&#x27;s overstating it.

&gt; [Go] failed to provide a safe concurrency model.<p>What did he mean by this?

I have been anxious about using Rust as webserver. But so far there is no mature framework that I think can use. I had a look at few like mio and iron framework etc. It has no mature Websocket implementation or an http package mature enough to be used in production. I am looking forward to make an ultra efficient PubSub server that supports HTTP poll and Websockets. Hope my dream comes true :)

I think that safety is often doing small things clearly. When you read about thread safe computing, you end up with many rules FP make impossible. So even it&#x27;s mostly safety, it encompasses a larger area in disguise.

Even if Rust adds increasingly more &quot;unsafe&quot; features in order to appeal to new developer groups, I agree that it should remain a &quot;100% safe by default language&quot;, and they should continuously try to improve the performance of the safe code, rather than get lazy and say developers can just use the unsafe syntax if they want 3x the performance. This would only lead more and more developers to increase the usage of unsafe code. It would be even worse if Rust would allow unsafe code by default for any future feature.

How is Rust better than and different from D?<p><pre><code> https:&#x2F;&#x2F;dlang.org&#x2F; </code></pre> Does anyone concerned about security use D?

As someone looking at this influx of discussion from the point of view of a curious bystander, I can&#x27;t help but be annoyed by two persistent misconceptions that keep being perpetuated in many statements of this kind.<p>1) Memory safety is or should be a top priority for all software everywhere. The OP goes so far as to state: &quot;When someone says they &quot;don&#x27;t have safety problems&quot; in C++, I am astonished: a statement that must be made in ignorance, if not outright negligence.&quot;<p>This is borderline offensive nonsense. There are plenty of areas in software design where memory safety is either a peripheral concern or wholly irrelevant - numerical simulations (where crashes are preferable to recoverable errors and performance is the chief concern), games and other examples abound. It&#x27;s perfectly true that memory safety issues have plagued security software, low level system utilities and other software, it&#x27;s true that Rust offers a promising approach to tackle many of these issues at compile time and that this is an important and likely underappreciated advantage for many usecases. There&#x27;s no need to resort to blatant hyperbole and accusations of negligence against those who find C++ and other languages perfectly adequate for their needs and don&#x27;t see memory safety as the overriding priority everywhere. Resorting to such tactics isn&#x27;t just a bad PR move, it actively prevents people from noticing the very real and interesting technical properties that Rust has that have little to do with memory safety.<p>2) Rust is just as fast or faster than C++.<p>Rust is certainly much closer to C++ in performance than to most higher level interpreted languages for most usecases and is often (perhaps even usually) fast enough. Leave it at that. From the point of view of high performance programming, Rust isn&#x27;t anywhere close to C++ for CPU-bound numerical work. For instance, it does not do tail call optimizations, has no support for explicit vectorization (I understand that&#x27;s forthcoming), no equivalent to -ffast-math (thereby limiting automatic vectorization, use of FMA instructions in all but the most trivial cases, etc.), no support for custom allocators and so on. I&#x27;m also not sure if it&#x27;s possible to do the equivalent of an OpenMP parallel-for on an array without extra runtime overhead (compared to C&#x2F;C++) without resorting to unsafe code, perhaps someone can correct me if it&#x27;s doable.<p>Over the past week or so, motivated largely by a number of more insightful comments here on HN from the Rust userbase, I&#x27;ve tried out Rust for the first time, and found it to be quite an interesting language. The traits system faciliates simple, modular design and makes it easy to do static dispatch without resorting to CRTP-like syntactic drudgery. The algebraic&#x2F;variant types open up design patterns I hadn&#x27;t seriously considered before in the context of performance-sensitive code (variant types feature in other languages, but are usually expensive or limited in other ways). The tooling is genuinely excellent (albeit very opinionated) and easily comparable to the best alternatives in other languages. I&#x27;m not yet sure if I have an immediate use for Rust in my own projects (due to the performance issues listed above and easier, higher level alternatives in cases where performance is irrelevant), but I will be closely following the development of Rust and it&#x27;s definitely on my shortlist of languages to return to in the future.<p>However, I would have never discovered any of this had I not objected to the usual &quot;memory&#x2F;thread safety&quot; story in a previous HN discussion and received a number of insightful comments in return. I think focusing on the safety rationale alone and reiterating the two hyperbolized misconceptions I listed above does a real disservice to the growth of a very promising language. I think Steve Klabnik&#x27;s blog post to which the OP responds is a real step in the right direction and I hope the community takes it seriously. Personally, I know a few programmers who&#x27;ve entirely ignored Rust due to the existing perception (&quot;it&#x27;s about memory safety and nothing else&quot;) and in the future I&#x27;ll suggest Rust as worthy of a serious look as an interesting alternative to the prevailing C++-style designs. I&#x27;m certainly glad I tried it.

Does Rust have template metaprogramming? And does it look more clean and organized than boost&#x27;s C++ implementation?

Rust is great, however the safety aspect gets in the way sometimes<p>The right granularity for error handling is important, as well as making it easy to handle (abort? providing a default value? doing something else?)<p>It&#x27;s not that it is not important, but code usability is important as well, lest it goes on the way of C++ hell (though I don&#x27;t think it can get that bad, there are some warts - like &quot;methods&quot; and traits)

What about stack overflows? I heard that rust no longer protects against those for benchmark reasons.

Safety stopped here: &quot;curl <a href="https:&#x2F;&#x2F;sh.rustup.rs" rel="nofollow">https:&#x2F;&#x2F;sh.rustup.rs</a> -sSf | sh&quot; So did my interest.

io::stdin().read_line(&amp;mut guess).expect(&quot;failed to read line&quot;);<p>My eyes have seen the glory of RUST, it&#x27;s really javascript, right?

The daily post about Rust and Go is getting tiresome... every single day we&#x27;ve got one.

&gt; &quot;<i>Safety in the systems space is Rust&#x27;s raison d&#x27;être.</i>&quot;<p>I think this quote points to the REAL underlying issue here.<p>Rust is a language primarily built for systems programming. It has many strengths to celebrate, and brings curated best practices as well as its own novel features to systems programming.<p>However, most programmers in 2016 aren&#x27;t &quot;systems programmers&quot; anymore. At the very least, most programmers <i>who actively talk-up new technologies on web forums</i> are not systems programmers. The majority (or at least the majority of the vocal and socially engaged) are web developers, mobile developers, CRUD apps and microservices, etc.<p>As interesting as Rust may be in the systems space, it doesn&#x27;t bring much compelling new hype to the table for web stuff.<p>You have yet-another-concurrency-approach? That&#x27;s great, but most web developers rely on an app server or low-level library for that, and seldom have to think about concurrency up at the level of their own code.<p>You have an approach for memory safety without a garbage collector? That&#x27;s great, but most web developers have never even had to think much about garbage collection. Java, Go, etc... the garbage collection performance of all these languages is on a level that makes this a moot point 99.999% of the time.<p>You have a seamless FFI for integrating with C code? That&#x27;s great, but after 20 years of web development I can count on one hand the number of times I&#x27;ve seen a project do this. And those examples were Perl-based CGI apps way back in the day.<p>Rust people seem almost dumbfounded that everyone hasn&#x27;t jumped all over their language yet. And from a systems programmer perspective, memory safety without garbage collection does sound amazing. But you guys really need to understand that Hacker News and Reddit hype is driven by web developers, and that community isn&#x27;t even sure whether or not <i>type safety</i> is a worthwhile feature! So really, it&#x27;s amazing that you&#x27;ve managed to draw as much hype as you have. It&#x27;s not about the mainstream popularity of your language, it&#x27;s about the mainstream popularity of your <i>field</i>.

The memory safety of Rust is over consumed.<p>1. several small languages also introduce the type system to try to solve the memory safety problem. But all of them are less famous. Because there are many reasons that makes a language being accepted massively from other tons.<p>2. in many cases, it is not hard to do manual memory management. There are many great software done with manual memory management. Although I admit the quest to memory management is always wonderful for system. But go to the follow #3.<p>3. linear&#x2F;affine type system[1] is not the panacea. The case of &quot;used exactly once&quot; is just a small case. Forcely to this pattern makes large boilerplates. And constraints and verifications to system can not be done many levels and aspects. Is this truly valuable to add all into type system?<p>4. memory safety of Rust comes with price, which have added many complexities and language burdens to itself. Who like to read the following function declaration?(just borrowed as example):<p>fn foo&lt;&#x27;a, &#x27;b&gt;(x: &amp;&#x27;a str, y: &amp;&#x27;b str) -&gt; &amp;&#x27;a str<p>5. So, finally, the question arises: does the current form of the memory safety of Rust deserve as the hope of next industry language? I&#x27;m afraid...<p>[1] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Substructural_type_system" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Substructural_type_system</a>