Or just fork if the maintainers want to go their way. If your solution has its merits it will find its fans.

While everyone is free to fork and maintain React. It's by no means an easy task, specially if it's not their job like Dan's is.

Plus, industry tends to gravitate towards what is popular. Network effects an all. So if a massively popular tool is subpar, the complications of it aren't without impact.

And no one is immune to criticism. LLMs are criticised for their sycophancy but some humans are no different when it comes to gatekeeping criticism.

Little it helped that even React developers were saying that it was the wrong tool for plenty use cases.

Worst of all?

The entire nuance of choosing the right tool for the job has been long lost on most developers. Even the comments I read on HN make me question where the engineering part of the job starts.

Non-technical MBA's seem to have a hard time grasping that a JS-only platform is not a panacea and comes with serious tradeoffs.

That's exactly why we have different languages and tools, because they adapt differently to different projects, teams and problems.

But as soon as you get into the silly "tool X is better period" arguments, then all the nuance of choosing the right tool for the job is lost.

I believe that depends on the sophistication of algorithms. High-level algorithms (especially if they involve concurrency or parallelism) are much easier to write in Rust (or in C++) than in C, which gives them a pretty good chance to be at least as fast as any reasonably safe C implementation.

For low-level algorithms, of course, it's really hard to beat polished C code.

> Out-of-the-box, I’m guessing people will use too many cargo packages, each that are over-engineered or written by less-experienced developers, so it will be less efficient and less performant.

I don't think that this is going to be a problem. The Tor Project developers I've interacted with sounded quite serious about security. Forbidding non-blessed cargo packages is pretty trivial.

> In addition, you could more easily inadvertently introduce security problems.

What do you mean?

Or, you could look at other projects who have been using Rust for many years, and consider these factors there too. The folks who have have generally concluded the opposite.

Debian forky has Rust in the kernel on by default.

The parent poster's point is seemingly to reject "this is simply the better thing" (ie: "small code is better") and instead to focus on "for what we are doing it is the better thing". Why would "basic" profiler use be better than "niche" or "advanced" profiler use if for that context basic would actually have been inferior (for whatever value of basic we choose to go with)?

It seems to me that the reality we're often confronted with is that "better" is contextual, and I would say that "basic" or "smaller" are contextual too.

This sort of gamification of discourse is poison if you actually care about good faith or reasonable discussions. HN is not a good place for either.

1. Programmer skill and talent are not enough to achieve similar security properties with memory-unsafe languages as with memory-safe languages.

2. Therefore, "memory-safe languages are technically superior, period, for applications processing untrusted data where security is an important goal", is not an un-nuanced argument nor a Rust fanboy argument, but self-evident.

That still leaves a lot of room for other languages (Rust is not my favorite language), but it pushes back against the developer equivalent of doctors and pilots resisting the adoption of checklists for decades because "I wouldn't make those kinds of mistakes so stop messing with my work".

1. Programmer skill and talent are not enough to achieve similar security properties with memory-unsafe languages as with memory-safe languages.

2. Therefore, "memory-safe languages are technically superior, period, for applications processing untrusted data where security is an important goal"

but the problem entirely boils down to what comes next:

3a. Therefore everything should use rust.

3b. Therefore everything processing untrusted data where security is an important goal should use rust. (Some folks like to stretch what could possibly process untrusted data to turn this into 3a, but there is a difference.)

3c. Therefore most programs really should be written with a garbage-collector, or if they really need to be low-level or high performance they should use an appropriate stack to avoid gc while remaining safe (whether that's Rust, Ada+SPARK, formally-verified assembly, or whatever).

I think you make an important oversight with these claims, which is that you can enforce logical safety over a memory unsafe language and have a much higher degree of safety than memory safety. Formally verified C doesn't change the language, you can in principle take C code run through compcert and compile it elsewhere. It's still a memory unsafe language, but we can express a much higher degree of safety than simple memory safety.

Another aspect to consider is that all garbage collected languages are memory safe. A language like Python actually has a far greater degree of memory safety than a language like Rust because it offers no ability to break memory safety (without calling into foreign code), while Rust lets you do it within unsafe blocks using raw pointers. That being said, anybody who would suggest using Python over Rust in a security-focused context is completely out of their mind.

In serious places where security is critical and margin for error is low, formal verification has existed for decades and is the standard. Any operation - specifically in the context where security is critical - which is not formally verifying its software is a mickey mouse operation, because they're fundamentally compromising on security to an unacceptable degree. I think it would be nice to have a formal verification toolchain and language extension for Rust to allow for full logical safety, but last I checked this area was still a work in progress for the language.

I know anytime Rust is brought up, someone brings up logical safety, and patterns are annoying. Rust obviously has a lot of tricks up its sleeve to automatically detect issues that a language like C++ cannot. Naive Rust is preferable over naive usage of a memory unsafe language. The problem is that in a serious security critical context, "naive" is completely unacceptable. If security is a core goal, there can be no replacement for fully blown logical safety enforcing strict behavioral and structural guarantees in every single facet of the codebase. I know the line, that logical safety is excruciatingly labor intensive and so the tradeoff with using Rust is that it affords some of the safety of formally spec'd and proven code. The problem is that the amount it affords you is completely marginal. The safety gap between C and Rust is much smaller than the safety gap between Rust and formally proven correct SPARK. It's just the reality. I'm loathe to see a future where marketing hype sees a degeneration of tools because it was presented as a serious alternative.

In almost (?) all garbage collected languages you can get data races in a multi threaded context. You will not get those memory errors in Rust.

You've probably heard that "It is difficult to get a man to understand something, when his salary depends on his not understanding it" and so of course we shouldn't expect such people to say "Don't write this in C++" when they can instead get paid to teach "How to write this in C++" for 2-3 days and feel like they made the world a better place on top.

It so happens Rust is my favourite language, or at least, my favourite general purpose language, but it's also true that I am currently mostly paid to write C# and I see absolutely no reason why I'd say "No, this should be Rust" for most work I do in C#

https://gitlab.torproject.org/tpo/core/arti

> (So far, it's a not-very-complete client. But watch this space!)

Is that comment outdated? The blog post gave me a different impression. If Arti is not ready yet, shouldn't that have been made clear in the blog post and in the various posts here? Not directing it at you, amelius.

The Rust specialty is memory safety and performance in an relatively unconstrained environment (usually a PC), with multithreading. Unsurprisingly, because that's how it started, that's what a web browser is.

But Tor is also this. Security is extremely important as Tor will be under attack by the most resourceful hackers (state actors, ...), and the typical platform for Tor is a linux multicore PC, not some tiny embedded system or some weird platform, and because it may involve a lot of data and it is latency-sensitive, performance matters.

I don't know enough of these projects but I think it could also take another approach and use Zig in the same way Tigerbeetle uses it. But Zig may lack maturity, and it would be a big change. I think it is relevant because Tigerbeetle is all about determinism: do the same thing twice and the memory image should be exactly the same. I think it has value when it comes to security but also fingerprinting resistance, plus, it could open the way for dedicated Tor machines, maybe running some RTOS for even more determinism.

The big thing is memory allocation, sometimes, on tiny systems, you can't malloc() at all, you also have to be careful about your stack, which is often no more than a few kB. Rust, like modern C++ tend to abstract away these things, which is perfectly fine on Linux and a good thing when you have a lot of dynamic structures, but one a tiny system, you usually want full control. Rust can do that, I think, like C++, it is just not what it does best. C works well because it does nothing unless you explicitly ask for it, and Zig took that philosophy and ran away with it, making memory allocation even more explicit.

What makes you say that?

So unless they provide some Tor specific nuance, it's more or less applicable to wide range of applications.

On the other hand, most developers have no need of writing `unsafe` Rust. The same tools used for static and dynamic analysis of C codebases are available to Rust (ASAN and friends) and it is a good idea to use them when writing `unsafe` (plus miri).

The reason I'm replying is that "the impact of Rust on memory safety" is always a conversation that gets outsized amounts of ink that it drains focus away from other things. I would argue that sum types and exhaustive pattern matching are way more important to minimize logic bugs, even if they aren't enough. You can still have a directory traversal bug letting a remote service write outside of the directory your local service meant to allow. You can still have TOCTOU bugs. You can still have DoS attacks if your codebase doesn't handle all cases carefully. Race conditions can still happen. Specific libraries might be able to protect from some of these, and library reuse increases the likelihood of of these being handled sanely (but doesn't ensure it). Rust doesn't protect against every potential logic error. It never claimed to, and arguing against it is arguing against a strawman. What safe-Rust does claim is no memory safety bugs, no data races, and to provide language and tooling features to model your business logic and deal with complexity.

Admittedly I stopped after going through a bunch of useless stuff related to CVE-2017-8823 (which was initially reported as remotely exploitable with no proof at all).

I went through the tor repository (not vidalia though) and read a bunch of conversations about some of the memory related bugs but none of those were exploitable either (exploitable as in remote execution, not a DoS) and most of the (not so many) bugs were actually logical bugs.

I really don't care what they decide to do with their project and honestly anything that can potentially improve the security of such a system is fine by me but I really think they're doing themselves and the language a disservice by communicating the way they do.

Also, as a side note, even with a C codebase there is SO MUCH you could (and should) do to minimize the impact of a vulnerability that the fact that some choose to present just rewriting code in a different language is not even funny.

Every change you make could be violating a some assumption made elsewhere, maybe even 20 years ago, and subtly break code at distance. C's type system doesn't carry much information, and is hostile to static analysis, which makes changes in large codebases difficult, laborious, and risky.

Rust is a linter and static analyzer cranked up to maximum. The whole language has been designed around having necessary information for static analysis easily available and reliable. Rust is built around disallowing or containing coding patterns that create dead-ends for static analysis. C never had this focus, so even trivial checks devolve into whole-program analysis and quickly hit undecidability (e.g. in Rust whenever you have &mut reference, you know for sure that it's valid, non-null, initialized, and that no other code anywhere can mutate it at the same time, and no other thread will even look at it. In C when you have a pointer to an object, eh, good luck!)

Kanto is flat, it's the only region in Japan that could sustain feeding such a massive population and could allow building the first mega city on the planet.

Combine that with the massive engineering and rail experience Japanese have, and it's no surprise imho that combined with favorable geography they could build it quickly.

[1] https://upload.wikimedia.org/wikipedia/commons/2/28/Topograp...

edit: getting downvoted to hell, but I think my question is valid. What does it mean "no AI"? Are we just limiting ourselves to the render?

It means no AI. If I say you used no AI but had an LLM write or refine the script, I would have lied.

You may be getting downvoted because your comment's tone can read as accusatively presumptive. "Who knows" isn't a useful contribution to almost any discussion. Which is a shame, because you raise an interesting point–I would personally feel fine saying no AI was used to do work even if I used AI to help me with research. (Provided I read all the primary sources.)

Good luck telling Swiss pharma or any other of their specialized industries to live without immigrants, they can close tomorrow. Immigrants are an insane boost to Swiss economy.

Also, I lived and been in Switzerland few times after, there's virtually no problematic immigrants. I've never ever felt the slightest danger, even walking at night with nobody but the kind of immigrants you don't like, you just don't.

Even though foreigners are overrepresented compared to locals (as in any other country in the world with immigrants they are the poorest and thus more inclined) the absolute numbers are very very low.

So no, higher or lower number of immigrants don't have linear correlations. Switzerland has an insane number of expats and immigrants as % of the population, insanely higher than the US or other countries like Poland or Italy, yet their crime numbers are fractional.

36% of the workforce is foreign born.

In Zurich, Geneve, Lausanne, 44%+ of the residents are foreigners, and more than half the workforce is foreigners. And that's even ignoring how many people work there but reside in neighbouring countries (France border is close to Geneve and Lausanne is close and even has a boat between the two sides mostly carrying workers).

If you think that a Swiss national (which has several advantages from a hiring perspective) is going to be cleaning your toilet, no matter the money, without having higher paying options you're absolutely out of your mind.

Albeit it's density is lower than comparable Belgium, Switzerland is crossed by the alps so the real available land is much smaller, virtually all of the residents live in 30% of the space.

In any case, that's the beauty of Switzerland: Swiss citizens can decide for themselves. I've seen many referendums in Switzerland and I've rarely seen Swiss citizens vote against their interest. Proposals have often an initial support, which fades as people discuss it and investigate it more.

Populism has really low grip there, politicians riding emotions have little legislative power.

Of course land and real estate is limited, they can't keep growing at these numbers.

But stating that it's failed till now, is just a statement of "I've never lived in Switzerland and I have no clue what I'm talking about".

Low paying jobs are predominantly staffed by foreigners. Swiss youth has a huge array of opportunities even without education, let alone many interesting tricks to not work a lot and still make money.

As someone not very familiar with Switzerland I'm curious what you mean by this, as I assume from your wording you don't simply mean generous benefits available to unemployed and low wage people?

So many swiss play the "get hired and try to get fired asap to go on a two years sabbatical".

Another country which has a similar strict immigration regime - Singapore. And for a direct opposite, there's the Gulf countries, which let everyone and their dog in, so that they can be part of the slaving class for the locals.

We live in the world were everything is now "vibed" really.