Yael Grauer joined Bryan, Adam, Steve Klabnik, and the Oxide Friends to talk about her recent Consumer Reports article on memory safety and memory safe languages. How do we inform the general public? How do we persuade practitioners and companies? Thanks for joining us, Yael!In addition to Bryan Cantrill and Adam Leventhal, we were joined by special guest Yael Grauer, and Steve Klabnik.Some of the topics we hit on, in the order that we hit them (experiment in turning the show live-chat into notes):

Nahum: https://www.backblaze.com/blog/the-3-2-1-backup-strategy/ if anyone wants to read up on the 3-2-1 Backup strategy. ?

Cyborus: can we get a link to the talk?

Nahum: https://www.youtube.com/watch?v=Q9s2NxILBK8


Nahum: https://digital-lab-wp.consumerreports.org/wp-content/uploads/2023/01/Memory-Safety-Convening-Report-.pdf via https://digital-lab-wp.consumerreports.org/2023/01/23/new-report-future-of-memory-safety/


Nahum: https://en.wikipedia.org/wiki/Pegasus_(spyware)


Cyborus: "can we talk" => "hey. you. have a panic attack. anyways i got a cool sandwich"

AaronW: "of course we should have seatbelts" ?

MattCampbell: but then you've got the C die-hards who say that Rust itself is too complex

AaronW: https://twitter.com/markrussinovich/status/1571995117233504257?s=46


DanCrossNYC: People used to say the same thing about PL/I and recently the COBOL people have been saying the same thing. Nothing new under the sun.

statuscalamitous: https://blog.yossarian.net/2023/02/11/The-unsafe-language-doom-principle


DanCrossNYC: People who still want to treat C as a high-level assembler are saying the same stuff the PL/I people were saying when I was young.

Eric Likness - carpetbomberz.com: In support of Yael, Ralph Nader wasn't/isn't an automotive engineer and he could still argue for lowering safety risks to car buyers. It's advocacy.

cdaringe: As an ocaml user, i was hoping revery would take off https://github.com/revery-ui/revery


statuscalamitous: https://press.princeton.edu/books/hardcover/9780691174952/the-tyranny-of-metrics


Saethlin: Wake up babe, new 0xide reading assignment dropped

AaronW: Labelled like a can of pringles -- "20% more malloc() free()!"

Nahum: Relevant to rules based accounting: https://www.schneier.com/blog/archives/2023/02/hacking-the-tax-code.html


drew: Rigorous definitions of “unsafe code” just wont cut it ig

ig: 40% less direct pointer arithmetic than the leading brand of operating systems

a172: How does principle based accounting even work? Like, how do you define if something violates the principle or not, without just turning it back into rules based?

Eden: Checkboxes are meaningful for operational checklists. Aviation and medicine use them pretty heavily. Not so meaningful for systemic work like developing a new aircraft or a new surgery.

Eden: So I guess a rules-based approach works for lines of code, but breaks down for project-level decisions such as which language to use.

Saethlin: The S in IoT is for security

benstoltz: ifixit repairability score for HW should have an analog for SW/FW.

DanCrossNYC: That's precisely what the pl/i folks acted like 25 years ago.

sam801: c++ will live on thru carbon, cppfront, and val.

DanCrossNYC: Prediction: carbon is doa.

Saethlin: I'll believe it once anyone uses those

ig: I think the other part is there's some really important pieces of software that everyone uses daily which use memory unsafe languages. Our web browsers, and our operating systems.

AaronW: I live in a condo and I still unplug expensive electronics during a thunderstorm. Maybe it's because I had many electronics fried when I was young, and my first language was C++.

Eric Likness - carpetbomberz.com: Same with answering a landline during a thunderstorm.

DanCrossNYC: Had to stop training during thunderstorms in the Marines.

Eden: My day job is security. ? I rail against compliance checklists on a regular basis because a lot of auditors insist on the checkbox rather than