this post was submitted on 19 Mar 2024
145 points (92.9% liked)
Programming
17540 readers
77 users here now
Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!
Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.
Hope you enjoy the instance!
Rules
Rules
- Follow the programming.dev instance rules
- Keep content related to programming in some way
- If you're posting long videos try to add in some form of tldr for those who don't want to watch videos
Wormhole
Follow the wormhole through a path of communities !webdev@programming.dev
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Mr Stroustrup can spin it however he likes, but 70% of CVEs are caused by memory errors in unsafe languages like C and C++. That isn't happening because the majority of their devs are idiots. The language is the problem.
Talking about "but there are tools" and "hold on a minute, there a ways to write safe C++" is missing. It's way too easy to write memory unsafe code in C++. The opposite is true of other languages and that's why they are being recommended (dare I say pushed) over C++. To write memory unsafe Rust for example, you really, really have to want to.
C++ is his baby, Of course he won't acknowledge it and it was entirely predictable he would blame the programmers. The language will be the equivalent of COBOL in a decade or two.
CC BY-NC-SA 4.0
If "just don't be an idiot" worked in the real world we wouldn't have any need for laws or safety regulations or certifications. It's not and never has been a compelling argument.
Writing C++ is like walking around a construction site without a hard hat and going "ah I don't need it, I'll just make sure nothing falls on my head." Yeah sure, buddy, we'll make sure that's written on your tombstone.
Yes, right. We could completely erase one third of exploitable vulnerabilities (by your numbers) only by switching to modern languages.
There is no good argument against that. Why wait for C or C++ to try and implement get another weird "solution" for those problems? (That no one uses then anyway)