Fantastic exchange from DConf

Jonathan M Davis via Digitalmars-d digitalmars-d at puremagic.com
Thu May 11 08:53:40 PDT 2017


On Monday, May 08, 2017 23:15:12 H. S. Teoh via Digitalmars-d wrote:
> Recently I've had the dubious privilege of being part of a department
> wide push on the part of my employer to audit our codebases (mostly C,
> with a smattering of C++ and other code, all dealing with various levels
> of network services and running on hardware expected to be "enterprise"
> quality and "secure") and fix security problems and other such bugs,
> with the help of some static analysis tools. I have to say that even
> given my general skepticism about the quality of so-called "enterprise"
> code, I was rather shaken not only to find lots of confirmation of my
> gut feeling that there are major issues in our codebase, but even more
> by just HOW MANY of them there are.

In a way, it's amazing how successful folks can be with software that's
quite buggy. A _lot_ of software works just "well enough" that it gets the
job done but is actually pretty terrible. And I've had coworkers argue to me
before that writing correct software really doesn't matter - it just has to
work well enough to get the job done. And sadly, to a great extent, that's
true.

However, writing software that works just "well enough" does come at a
cost, and if security is a real concern (as it increasingly is), then that
sort of attitude is not going to cut it. But since the cost often comes
later, I don't think that it's at all clear that we're going to really see a
shift towards languages that prevent such bugs. Up front costs tend to have
a powerful impact on decision making - especially when the cost that could
come later is theoretical rather than guaranteed.

Now, given that D is also a very _productive_ language to write in, it
stands to reduce up front costs as well, and that combined with its ability
to reduce the theoretical security costs, we could have a real win, but with
how entrenched C and C++ are and how much many companies are geared towards
not caring about security or software quality so long as the software seems
to get the job done, I think that it's going to be a _major_ uphill battle
for a language like D to really gain mainstream use on anywhere near the
level that languages like C and C++ have. But for those who are willing to
use a language that makes it harder to write code with memory safety issues,
there's a competitive advantage to be gained.

- Jonathan M Davis


