Given how long and widely C++ has been a dominant language, I don’t think anyone can reasonably expect to get rid of all the unsafe code, regardless of approach. There is a lot of it.
However, changing the proposition from “get good at Rust and rewrite these projects from scratch” to “adopt some incremental changes using the existing tooling and skills you already have” would lower the barrier to entry considerably. I think this more practical approach would be likely to reach far more projects.
There’s been plenty of interop options between C++ and just about anything for decades. If languages like D, that made it piss easy, weren’t gonna change people’s minds, nothing can. Ditching C++ is the only way forward.
I’m a bit surprised that it’s supposed to be this bad, given that Mozilla uses it in Firefox and there’s the whole CXX toolchain.
Granted, Rust was not designed from the ground up to be C+±like, but I’m really not sure that’s a good idea anyways.
Wanting bug-free programs without wanting functional programming paradigms is a bit like:
Of course, if we’re able to migrate a lot of old C++ codebases to a slightly better standard relatively easily, then that is still something…
Probably seems like a little thing but I found it quite annoying in practice, and there are other things like not being able to combine serde-derive and cxx FFI on the same struct.
Sounds like you’ll always have to do this little dance for any string you want to pass through, so I can definitely see how that could become quite annoying.
For not being able to combine serde-derive and cxx FFI on the same struct, there’s a simple trick that can be used for many such situations:
I gave C++ and D as an example. A language that for all intents and purposes is irrelevant despite being exactly what everyone wanted, something like Java/C#, but with no compromise and direct bindings to C/C++. And why I’m more apologetic to the idea of something more drastically different like Rust as opposed to another touched up clone of C.
Unfortunately, I don’t think D is good enough to prove your point. From your follow-up comment:
A language that for all intents and purposes is irrelevant despite being exactly what everyone wanted,
As someone who uses D, I can attest that it is not what everyone wanted; at least not yet. Despite all the great things in the language, the ergonomics around actually using it are mediocre at best: Several of its appealing features quickly turn it into a noisy language, error messages are often so obtuse as to be useless (especially with templates and contracts in play), and Phobos (the standard library) is practically made of paper cuts. Also, the only notable async support is a fragile mess, and garbage collection is too deeply embedded into both the stdlib and the ecosystem.
(To be fair, D could be vastly improved with better defaults and standard library. That might happen in time, as Walter and the other maintainers have shown interest, but it’s just wishful thinking for now.)
Also, D is an entirely different language from C++, and as such, would require code rewrites in order to bring safety to existing projects. It’s not really comparable to a C++ extension.
If you’re hoping for the standard lib to have things built on evolving standards and ecosystems like HTTP clients, then I doubt that will ever happen. There are plenty of examples of why that would be a terrible idea (urllib, std::regex, etc).
This has been one of my biggest frustrations while learning Rust. I’m coming from .NET which has an incredible wealth of official System and Microsoft libraries all of which are robust and well documented.
Rust on the other hand has the bare minimum std library, with everything else implemented by the community. There isn’t even a std async library. It’s insane.
Even the popular community libraries are severely lacking in documentation or inexplicably unmaintained.
Rust has a ton of potential but it desperately needs some broad funding to align the fundamentals to a decent standard.
Probably not going to happen. I will say that it’s less bad than you might think, because there is more-or-less an unofficial extended stdlib, i.e. high-quality, widely used libraries which are maintained by people in the Rust team.
But yeah, I’m involved in a somewhat larger project and we’ve cracked 1000 transitive dependencies a few weeks ago, and I can tell you for free that I don’t personally know the maintainers of all of those.
If this was more of a security-critical project, there’s probably a dozen or so direct dependencies that we would have implemented ourselves instead.
The inherent problem with this kind of solution is that if you don’t break backwards compatibility, you don’t get rid off all the insecure code.
And if you do break backwards compatibility, there’s not much reason to stick to C++ rather than going for Rust with its established ecosystem…
Given how long and widely C++ has been a dominant language, I don’t think anyone can reasonably expect to get rid of all the unsafe code, regardless of approach. There is a lot of it.
However, changing the proposition from “get good at Rust and rewrite these projects from scratch” to “adopt some incremental changes using the existing tooling and skills you already have” would lower the barrier to entry considerably. I think this more practical approach would be likely to reach far more projects.
There’s been plenty of interop options between C++ and just about anything for decades. If languages like D, that made it piss easy, weren’t gonna change people’s minds, nothing can. Ditching C++ is the only way forward.
Interop between Rust and C++ is pretty bad actually - I can understand wanting to avoid that.
However I still agree. I can’t see opt-in mechanisms like this moving the needle.
I’m a bit surprised that it’s supposed to be this bad, given that Mozilla uses it in Firefox and there’s the whole CXX toolchain.
Granted, Rust was not designed from the ground up to be C+±like, but I’m really not sure that’s a good idea anyways.
Wanting bug-free programs without wanting functional programming paradigms is a bit like:
Of course, if we’re able to migrate a lot of old C++ codebases to a slightly better standard relatively easily, then that is still something…
The biggest issue is move constructors. Explanation here: https://cxx.rs/binding/cxxstring.html#restrictions
Probably seems like a little thing but I found it quite annoying in practice, and there are other things like not being able to combine serde-derive and cxx FFI on the same struct.
Sounds like you’ll always have to do this little dance for any string you want to pass through, so I can definitely see how that could become quite annoying.
For not being able to combine serde-derive and cxx FFI on the same struct, there’s a simple trick that can be used for many such situations:
struct CxxThingamabob { ... } #[derive(Serialize, Deserialize)] #[serde(transparent)] struct SerializableCxxThingamabob(CxxThingamabob);
That just moves the Serde implementation to a different struct, so that you can choose which one you want by either wrapping or unwrapping it.
I gave C++ and D as an example. A language that for all intents and purposes is irrelevant despite being exactly what everyone wanted, something like Java/C#, but with no compromise and direct bindings to C/C++. And why I’m more apologetic to the idea of something more drastically different like Rust as opposed to another touched up clone of C.
Unfortunately, I don’t think D is good enough to prove your point. From your follow-up comment:
As someone who uses D, I can attest that it is not what everyone wanted; at least not yet. Despite all the great things in the language, the ergonomics around actually using it are mediocre at best: Several of its appealing features quickly turn it into a noisy language, error messages are often so obtuse as to be useless (especially with templates and contracts in play), and Phobos (the standard library) is practically made of paper cuts. Also, the only notable async support is a fragile mess, and garbage collection is too deeply embedded into both the stdlib and the ecosystem.
(To be fair, D could be vastly improved with better defaults and standard library. That might happen in time, as Walter and the other maintainers have shown interest, but it’s just wishful thinking for now.)
Also, D is an entirely different language from C++, and as such, would require code rewrites in order to bring safety to existing projects. It’s not really comparable to a C++ extension.
wake me up when Rust fixes its’ supply chain attacks susceptibility (solid stdlib and rejecting external crates, including transitive deps
If you’re hoping for the standard lib to have things built on evolving standards and ecosystems like HTTP clients, then I doubt that will ever happen. There are plenty of examples of why that would be a terrible idea (
urllib
,std::regex
, etc).This has been one of my biggest frustrations while learning Rust. I’m coming from .NET which has an incredible wealth of official System and Microsoft libraries all of which are robust and well documented.
Rust on the other hand has the bare minimum std library, with everything else implemented by the community. There isn’t even a std async library. It’s insane.
Even the popular community libraries are severely lacking in documentation or inexplicably unmaintained.
Rust has a ton of potential but it desperately needs some broad funding to align the fundamentals to a decent standard.
Probably not going to happen. I will say that it’s less bad than you might think, because there is more-or-less an unofficial extended stdlib, i.e. high-quality, widely used libraries which are maintained by people in the Rust team.
But yeah, I’m involved in a somewhat larger project and we’ve cracked 1000 transitive dependencies a few weeks ago, and I can tell you for free that I don’t personally know the maintainers of all of those.
If this was more of a security-critical project, there’s probably a dozen or so direct dependencies that we would have implemented ourselves instead.