• 1 Post
  • 286 Comments
Joined 1 year ago
cake
Cake day: August 18th, 2023

help-circle









  • I understand what you’re saying, but I want to do whatever I can to promote the shift in attitudes that’s already happening across the industry.

    And being late or never delivering out of fear of shipping buggy code is even worse.

    From a business perspective, yes, usually true. But shipping buggy software can also harm your company’s reputation. I doubt that this has been researched enough yet to be quantifiable, but it’s easy to think of companies who were well known for shipping bugs (Microsoft, CD Projekt Red) and eventually suffered in one way or another for it. In both of those cases, you’re probably right; Windows was good enough in the 90s to dominate the desktop market, and Cyberpunk 2077 was enough of a technical marvel (for those who had the hardware to experience it) that it probably bolstered the studio’s reputation more than harmed it. But could Microsoft have weathered the transition to mobile OSes better if it hadn’t left so many consumers yearning for more reliable software? And is Microsoft not partly to blame for the general public just expecting computers to be generally flaky and unreliable?

    Imagine if OSes in the 90s crashed as rarely as desktop OSes today. Imagine if desktop OSes today crashed as rarely as mobile OSes today. Imagine if mobile OSes crashed rarely enough that the average consumer never experienced it. Wouldn’t that be a better state of things overall?




  • This article somehow links to both the Reference and the Ferrocene spec, but still concludes that an official non-Ferrocene spec is necessary.

    Why doesn’t the Ferrocene spec accomplish what the author wants? He states:

    In other words, without a clear and authoritative specification, Rust cannot be used to achieve EAL5.

    What? Why can’t the Ferrocene spec (and compiler) be used? Do Ferrocene and TÜV SÜD not count as “some group of experts”?

    (Regarding the author’s opening paragraphs, the Reference does make the same distinction about drop scopes for variables versus temporaries, though I can see why he finds the Ferrocene spec clearer. But that doesn’t demonstrate that the Reference is useless as a stand-in for a specification.)



  • There is indeed a caveat in the introduction to the Reference that there may be statements in it that are specific to rustc. However, the authors strive to keep statements about the implementation separate from statements about the language.

    The main reason there’s not yet an “official” spec is that creating one takes enormous time and money, which are always limited resources. (Note that both C and C++ had no formal standard for over a decade after their initial release.) The Reference is “good enough” to make a formal spec not strictly necessary, and the existence of Ferrocene makes it even less necessary, since anyone who absolutely needs a spec can use Ferrocene.