From Newsgroup: comp.os.vms

=?UTF-8?Q?Arne_Vajh=C3=B8j?= <arne@vajhoej.dk> wrote:

I would claim that the adaptation of languages like Python,
JavaScript, Java, C# and PHP is very high in the IT industry.

They are all memory safe. In different ways. But still.

Not very memory safe. Java and C# are a little bit closer.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10t6amn$2gcaq$1@dont-email.me>,
Arne Vajh|+j <arne@vajhoej.dk> wrote:

On 5/2/2026 9:25 PM, Subcommandante XDelta wrote:

I am glad that I have retired.

https://spectrum.ieee.org/ai-cyberattacks-memory-safe-code

Mythos got a lot of PR.

But it is worth noting that Anthropic is a business selling AI.
They are very far from being unbiased.

And not everyone reading the actual publication are
super impressed.

A couple of random links:

https://www.linkedin.com/pulse/reality-mythos-supposed-70-exploitation-rate-roger-grimes-0gw5e/

https://www.flyingpenguin.com/the-boy-that-cried-mythos-verification-is-collapsing-trust-in-anthropic/

The UK goverment's initial findings are one of the better
analyses out there: https://www.aisi.gov.uk/blog/our-evaluation-of-claude-mythos-previews-cyber-capabilities

This, from Mark Abene, is also very interesting: https://markabene.substack.com/p/the-quiet-collapse-of-the-zero-day

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/3/2026 7:27 PM, Scott Dorsey wrote:

=?UTF-8?Q?Arne_Vajh=C3=B8j?= <arne@vajhoej.dk> wrote:

I would claim that the adaptation of languages like Python,
JavaScript, Java, C# and PHP is very high in the IT industry.

They are all memory safe. In different ways. But still.

Not very memory safe. Java and C# are a little bit closer.

It obviously depends on the definition of memory safe.

But I think the most important items from a practical
perspective are:
* protection against buffer overflow
* protection against missing free or double free
* protection against using a pointer/reference
already freed

Those languages all do that.

It is also worth noting that the push for memory safe
languages was initiated by CISA (and NSA) and they consider
those languages memory safe.

https://media.defense.gov/2025/Jun/23/2003742198/-1/-1/0/CSI_MEMORY_SAFE_LANGUAGES_REDUCING_VULNERABILITIES_IN_MODERN_SOFTWARE_DEVELOPMENT.PDF

<quote>
MSLs such as Ada, C#, Delphi/Object Pascal, Go,
Java, Python, Ruby, Rust, and Swift offer built-in protections against
memory safety issues
</quote>

https://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/article/3608324/us-and-international-partners-issue-recommendations-to-secure-software-products/

<quote>
Recommended memory safe programming languages mentioned in the CSI
include C#, Go, Java, Python, Rust, and Swift
</quote>

https://media.defense.gov/2022/Nov/10/2003112742/-1/-1/0/CSI_SOFTWARE_MEMORY_SAFETY.PDF

<quote>
Some examples of
memory safe languages are Python, Java, C#, Go, Delphi/Object Pascal,
Swift, Ruby, Rust, and Ada.
</quote>

https://www.memorysafety.org/docs/memory-safety/

<quote>
Memory safe languages include Rust, Go, C#, Java, Swift, Python, and JavaScript.
</quote>

OK. I don't see PHP mentioned anywhere. But given that Python and
Ruby are on the list, then I cannot see why PHP should not be on the
list.

It is of course worth noting that this list is very long
and include some very popular languages. But if one is not writing
a typical business application where all those languages are good, but
has a hard requirement that it must output a native executable, then
the list shrink a lot and the ones left no longer include top 7
languages.

And another caveat: an application written in a memory safe
language but using an extension written in C/C++ has unsafe
risks!

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10t7s1i$1d1$1@panix2.panix.com>,
Scott Dorsey <kludge@panix.com> wrote:

bill <bill.gunshannon@gmail.com> wrote:

On 5/3/2026 2:45 AM, Lawrence DrCOOliveiro wrote:

On Sun, 3 May 2026 11:25:00 +1000, Subcommandante XDelta wrote:

With $1 Cyberattacks on the Rise, Durable Defenses Pay Off Writing
memory-safe code beats patching your way to safety

Rust seems to be the language du jour for tackling this problem.

Google reported a significant decrease in memory-related bugs after
adopting Rust into the Android code base in a major way. Though,
oddly, not a decrease in bugs overall ...

There was memory safe C 40 years ago. No one was interested.

People in general aren't really interested at fixing security problems
at the source. Memory safe languages and safe computer architectures
have never met much popularity outside academia unfortunately.

We did get java, much to our dismay, and now rust. But actual adoption
is low.

I'm not sure that follows. Java took over an enormous swath of
the industry, and actually did a lot for memory safety.

I agree that generally people aren't interested in security,
however. They give it lip-service, but when push comes to shove
it is one of the first things to fall to the side.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On Sun, 3 May 2026 20:28:23 -0400, Arne Vajh|+j wrote:

Those languages all do that.

Just a note that Python offers documented ways of doing low-level
things, including bypassing memory safety, if you really want to.

OK. I don't see PHP mentioned anywhere.

Funny, that ...

But given that Python and Ruby are on the list, then I cannot see
why PHP should not be on the list.

Could it just possibly be, that the design and implementation of PHP
are so crappy, that nobody can actually be sure it really *is*
memory-safe ... ?
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

Lawrence =?iso-8859-13?q?D=FFOliveiro?= <ldo@nz.invalid> wrote:

Could it just possibly be, that the design and implementation of PHP
are so crappy, that nobody can actually be sure it really *is*
memory-safe ... ?

"We use Fortran because you can't trust engineers with pointers."
-- Manny Salas (pre-Fortran-90)
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/3/2026 10:26 PM, Lawrence DrCOOliveiro wrote:

On Sun, 3 May 2026 20:28:23 -0400, Arne Vajh|+j wrote:

OK. I don't see PHP mentioned anywhere.

Funny, that ...

But given that Python and Ruby are on the list, then I cannot see
why PHP should not be on the list.

Could it just possibly be, that the design and implementation of PHP
are so crappy, that nobody can actually be sure it really *is*
memory-safe ... ?

We need to distinguish between the language definition and the
implementation.

If there are bugs in the implementation then all bets are off.

But the PHP language definition is pretty memory safe.

Garbage collection takes care of the free related issues
just like in all the other languages.

And buffer overflow doesn't happen because PHP extend
as necessary. You can say that a PHP array is really
the equivalent of a Python dict. Strings also get extended
as necessary.

$s = 'ABC';
$s[3] = 'X';
echo $s;

just outputs:

ABCX

we may not like that behavior and prefer an exception.

But no buffer overflow.

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/3/2026 10:46 PM, Scott Dorsey wrote:

Lawrence =?iso-8859-13?q?D=FFOliveiro?= <ldo@nz.invalid> wrote:

Could it just possibly be, that the design and implementation of PHP
are so crappy, that nobody can actually be sure it really *is*
memory-safe ... ?

"We use Fortran because you can't trust engineers with pointers."
-- Manny Salas (pre-Fortran-90)

Anything is possible in Fortran 77.

program dyn
integer*4 stat, b1, b2
integer*4 id
common /vmz/id
integer*4 basi(2)
real*8 basr(1)
equivalence (basi,basr)
common /bas/basi
integer*4 lib$create_vm_zone
integer*4 alloci, allocr
stat = lib$create_vm_zone(id,,,,,100000)
if(iand(stat,1).ne.1) write(*,*) stat
call test1(10, basi(alloci(10)))
call test2(10, basr(allocr(10)))
end
c
integer*4 function alloci(siz)
integer*4 siz
integer*4 stat, p
integer*4 id
common /vmz/id
integer*4 basi(2)
real*8 basr(1)
equivalence (basi,basr)
common /bas/basi
integer*4 lib$get_vm
stat = lib$get_vm(4 * siz, p, id)
if(iand(stat,1).ne.1) write(*,*) stat
alloci = (p - %loc(basi)) / 4 + 1
return
end
c
integer*4 function allocr(siz)
integer*4 siz
integer*4 stat, p
integer*4 id
common /vmz/id
integer*4 basi(2)
real*8 basr(1)
equivalence (basi,basr)
common /bas/basi
integer*4 lib$get_vm
stat = lib$get_vm(8 * siz, p, id)
if(iand(stat,1).ne.1) write(*,*) stat
allocr = (p - %loc(basr)) / 8 + 1
return
end
c
subroutine test1(n, ia)
integer*4 n
integer*4 ia(n)
integer*4 i
do 100 i = 1, 10
ia(i) = i
100 continue
do 200 i = 1, 10
write(*,*) ia(i)
200 continue
end
c
subroutine test2(n, xa)
integer*4 n
real*8 xa(n)
integer*4 i
do 100 i = 1, 10
xa(i) = i
100 continue
do 200 i = 1, 10
write(*,*) xa(i)
200 continue
end

:-)

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/3/2026 11:39 PM, Arne Vajh|+j wrote:

And buffer overflow doesn't happen because PHP extend
as necessary. You can say that a PHP array is really
the equivalent of a Python dict. Strings also get extended
as necessary.

$s = 'ABC';
$s[3] = 'X';
echo $s;

just outputs:

ABCX

we may not like that behavior and prefer an exception.

But no buffer overflow.

And in case someone wonder. Any gaps get space filled.

$s = 'ABC';
$s[4] = 'X';
echo $s;

outputs:

ABC X

Arne


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 2026-05-03, Lawrence D Oliveiro <ldo@nz.invalid> wrote:

On Sun, 3 May 2026 11:25:00 +1000, Subcommandante XDelta wrote:

With $1 Cyberattacks on the Rise, Durable Defenses Pay Off Writing
memory-safe code beats patching your way to safety

Rust seems to be the language du jour for tackling this problem.

Google reported a significant decrease in memory-related bugs after
adopting Rust into the Android code base in a major way. Though,
oddly, not a decrease in bugs overall ...

Writing secure code is a frame of mind, not merely just using a tool
and then expecting security magic to "just happen".

Excellent example from the Rust installation web page:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

This is from: https://rust-lang.org/tools/install/

This is an entire community that gets on its collective high horses about
how its new language is so superior from a security point of view to
everything else out there and starts forcing it down our throats.

It then tells us that we can install this new language by just directly downloading a shell script from some random website and then directly
execute it on our own computer without bothering to first check that
it hasn't been tampered with by someone compromising the website.

Signature checking! Such an old fashioned concept! Can't let reality get
in the way of a little temporary convenience!

The grown up response would have been to insist on the user downloading
the shell script as a file, verifying the signature before execution,
and then saying that this is the kind of mindset required in this world.

Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 2026-05-03, Scott Dorsey <kludge@panix.com> wrote:

People in general aren't really interested at fixing security problems
at the source. Memory safe languages and safe computer architectures
have never met much popularity outside academia unfortunately.

Ada. At least before the mandate got cancelled and then you got all the overruns on the following projects that had stopped using it.

Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-03, Scott Dorsey <kludge@panix.com> wrote:

People in general aren't really interested at fixing security problems
at the source. Memory safe languages and safe computer architectures
have never met much popularity outside academia unfortunately.

Ada. At least before the mandate got cancelled and then you got all the >overruns on the following projects that had stopped using it.

Until they started adding everything and the kitchen sink to it, until it became the PL/1 of the 1990s.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 4:10 PM, Scott Dorsey wrote:

Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-03, Scott Dorsey <kludge@panix.com> wrote:

People in general aren't really interested at fixing security problems
at the source. Memory safe languages and safe computer architectures
have never met much popularity outside academia unfortunately.

Ada. At least before the mandate got cancelled and then you got all the
overruns on the following projects that had stopped using it.

Until they started adding everything and the kitchen sink to it, until it became the PL/1 of the 1990s.

One of the paradoxes of programming languages:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

* programming language teams often reason like "our language
has to be the best and since language X has feature A, then
our language must also have feature A"

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10tcpk2$e86o$1@dont-email.me>,
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-03, Lawrence D Oliveiro <ldo@nz.invalid> wrote:

On Sun, 3 May 2026 11:25:00 +1000, Subcommandante XDelta wrote:

With $1 Cyberattacks on the Rise, Durable Defenses Pay Off Writing
memory-safe code beats patching your way to safety

Rust seems to be the language du jour for tackling this problem.

Google reported a significant decrease in memory-related bugs after
adopting Rust into the Android code base in a major way. Though,
oddly, not a decrease in bugs overall ...

Writing secure code is a frame of mind, not merely just using a tool
and then expecting security magic to "just happen".

Excellent example from the Rust installation web page:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

This is from: https://rust-lang.org/tools/install/

I've heard this criticism before, but it's a bad argument.

First, nothing at all is preventing you from downloading
whatever is at that URL and inspecting it yourself, verifying
that its checksum matches a known hash, etc, before running it.

Second, nothing prevents a user from running that command line
in a sandbox, even if they didn't do the first things.

And furthermore, it elides any discussion of threat models; why
would I worry about the rustup.rs side being compromised any
more than I would worry about the compiler binaries themselves
being compromised? Is this substantially different than
downloading a tarball from somewhere, unpacking it, and running
a contained "./configure" script?

This is an entire community that gets on its collective high horses about
how its new language is so superior from a security point of view to >everything else out there and starts forcing it down our throats.

I don't know that anyone is telling you its more secure; from
what I've seen, people say (correctly) that the design of the
language prevents certain types of errors that are common in
other languages and that often lead to security vulnerabilities.

No one is "forcing it down" your, or anyone else's, throats.

It then tells us that we can install this new language by just directly >downloading a shell script from some random website and then directly
execute it on our own computer without bothering to first check that
it hasn't been tampered with by someone compromising the website.

I wouldn't call that, "some random website". It's the official
way to do that.

Signature checking! Such an old fashioned concept! Can't let reality get
in the way of a little temporary convenience!

See above.

The grown up response would have been to insist on the user downloading
the shell script as a file, verifying the signature before execution,
and then saying that this is the kind of mindset required in this world.

But also, where do I get the signature in the first place, and
how do I verify that it is correct? Supposing the checksum is
signed with something like PGP or an equivalent, where do I get
the public key to verify the signature, and how can I be sure
that THAT hasn't been tampered with? What if I don't have
anyone in _my_ web of trust that verified the key the script was
signed with? And even if I did, how do I know the key wasn't
compromised? Some poor release engineer might be a basement
somewhere, RIGHT NOW, getting worked over by goons with a rubber
hose. Oh my!

On the other hand, I can tell you what the Android Security team
did when they first started exploring Rust: the used `mrustc`,
which is a Rust compiler written in C++, to compile a bootstrap
compiler, using a trusted C++ compiler.

Then they started rolling forward over point versions of the
compiler (mrustc lacked some features to compile the newest),
using the previous to compile the next, until they got to the
then-newest release compiler. Then they verified that it was
bitwise identical to what they saw coming from the Rust
project.

THAT is what the grownups do.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On Tue, 5 May 2026 16:29:49 -0400, Arne Vajh|+j wrote:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

Cobol is rCLsimplerCY?? Yeah, right ...

Ada is still with us, and spawning projects like Spark to point out to
the Rust folks that some people were worrying about memory safety
before they were even born ...

<https://devclass.com/2022/11/08/spark-as-good-as-rust-for-safer-coding-adacore-cites-nvidia-case-study/>
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 5:59 PM, Lawrence DrCOOliveiro wrote:

On Tue, 5 May 2026 16:29:49 -0400, Arne Vajh|+j wrote:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

Cobol is rCLsimplerCY?? Yeah, right ...

Yes.

The Cobol language is relative simple.

When it was created there was actually people that believed
programmers would no longer be needed and the business people
could write their own Cobol.

That did not happen.

People that already know some of the modern programming
languages need to do a mental reset when learning Cobol,
because Cobol is do different. But different is not the
same as complex.

Ada is still with us, and spawning projects like Spark to point out to
the Rust folks that some people were worrying about memory safety
before they were even born ...

I am sure there are also places where PL/I are still used.
Likely in the financial sector.

But while PL/I and Ada were main languages many years ago,
then they are very niche today.

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On Tue, 5 May 2026 18:43:59 -0400, Arne Vajh|+j wrote:

The Cobol language is relative simple.

It forced you to spell out low-level details that were really only
relevant on mainframes from over half a century ago. It was supposed
to be focused on rCLbusinessrCY use, but just a decade or two after it
came out, rCLbusinessrCY customers started to make more and more use of
SQL databases, and Cobol was never a good fit for that.

I am sure there are also places where PL/I are still used.
Likely in the financial sector.

Not likely.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 5:30 PM, Dan Cross wrote:

In article <10tcpk2$e86o$1@dont-email.me>,
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-03, Lawrence D|+Oliveiro <ldo@nz.invalid> wrote:

On Sun, 3 May 2026 11:25:00 +1000, Subcommandante XDelta wrote:

With $1 Cyberattacks on the Rise, Durable Defenses Pay Off Writing
memory-safe code beats patching your way to safety

Rust seems to be the language du jour for tackling this problem.

Google reported a significant decrease in memory-related bugs after
adopting Rust into the Android code base in a major way. Though,
oddly, not a decrease in bugs overall ...

Writing secure code is a frame of mind, not merely just using a tool
and then expecting security magic to "just happen".

Excellent example from the Rust installation web page:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

This is from: https://rust-lang.org/tools/install/

I've heard this criticism before, but it's a bad argument.

First, nothing at all is preventing you from downloading
whatever is at that URL and inspecting it yourself, verifying
that its checksum matches a known hash, etc, before running it.

Second, nothing prevents a user from running that command line
in a sandbox, even if they didn't do the first things.

That applies to almost everything security related.

The users *could* do something by themselves to mitigate risks.

Experience show that a significant part of users *will* not.

That is bad security.

Good security is forcing or at least encouraging the users to
do the right thing.

And furthermore, it elides any discussion of threat models; why
would I worry about the rustup.rs side being compromised any
more than I would worry about the compiler binaries themselves
being compromised?

The fact that there are other security issues does make
a security issue go away.

Is this substantially different than
downloading a tarball from somewhere, unpacking it, and running
a contained "./configure" script?

If there is no .sig file and no recommendation of checking,
then there is no difference.

But having both foobar-n.n.n.tar.gz and foobar-n.n.n.tar.gz.sig
are rather common today.

It then tells us that we can install this new language by just directly
downloading a shell script from some random website and then directly
execute it on our own computer without bothering to first check that
it hasn't been tampered with by someone compromising the website.

I wouldn't call that, "some random website". It's the official
way to do that.

Assuming that because the address looks correct, then
it is fine is very bad security.

The grown up response would have been to insist on the user downloading
the shell script as a file, verifying the signature before execution,
and then saying that this is the kind of mindset required in this world.

But also, where do I get the signature in the first place, and
how do I verify that it is correct? Supposing the checksum is
signed with something like PGP or an equivalent, where do I get
the public key to verify the signature, and how can I be sure
that THAT hasn't been tampered with? What if I don't have
anyone in _my_ web of trust that verified the key the script was
signed with? And even if I did, how do I know the key wasn't
compromised? Some poor release engineer might be a basement
somewhere, RIGHT NOW, getting worked over by goons with a rubber
hose. Oh my!

That is how certificates work.

Will you accept using HTTP (non S) to your banks web site,
because the banks certificate could be compromised due to
similar reasons?

Of course not.

Nothing is 100% secure. But one add multiple layers of security
to make it as secure as possible.

On the other hand, I can tell you what the Android Security team
did when they first started exploring Rust: the used `mrustc`,
which is a Rust compiler written in C++, to compile a bootstrap
compiler, using a trusted C++ compiler.

Then they started rolling forward over point versions of the
compiler (mrustc lacked some features to compile the newest),
using the previous to compile the next, until they got to the
then-newest release compiler. Then they verified that it was
bitwise identical to what they saw coming from the Rust
project.

THAT is what the grownups do.

I will assume that is a joke.

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 7:04 PM, Lawrence DrCOOliveiro wrote:

On Tue, 5 May 2026 18:43:59 -0400, Arne Vajh|+j wrote:

I am sure there are also places where PL/I are still used.
Likely in the financial sector.

Not likely.

https://www.dice.com/job-detail/79f1ca91-ac4f-444c-a838-c8492af8f5e5

https://www.dice.com/job-detail/21070f27-2d9a-4620-a68e-e6225540d7f2

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 7:04 PM, Lawrence DrCOOliveiro wrote:

On Tue, 5 May 2026 18:43:59 -0400, Arne Vajh|+j wrote:

The Cobol language is relative simple.

It forced you to spell out low-level details that were really only
relevant on mainframes from over half a century ago.

Cobol is reasonable standardized. Most code would not
be tied to the platform.

Migrating Cobol systems from mainframe to Linux/Windows
are often tricky. But the problem is not that the Cobol
code need many changes - most likely it does not. The
problem is all the stuff around the Cobol. Replacing JCL
with something else. Replacing CICS with another transaction
monitor. Replacing DB2 with another RDBMS (they could run
DB2 on Linux/Windows but I suspect most chose not to).
Replacing IMS with another hierarchical database. Replacing
VSAM with another ISAM. Replacing RACF with another IAM
solution. And so on. And on top of that test it all.

The information in a Cobol program is not that different
from the information in other similar languages (similar
as in static typed). It is just organized very
differently and described very differently.

01 v pic s9(8) comp.

looks very different from:

signed int v;

But they do about the same.

You can say that the Cobol declaration is a little better
than the C declaration since it says "give me an integer
able to hold 8 or more decimal digits" instead of "give
me an integer at the size you prefer just minimum 16 bits".

It was supposed
to be focused on rCLbusinessrCY use, but just a decade or two after it
came out, rCLbusinessrCY customers started to make more and more use of
SQL databases, and Cobol was never a good fit for that.

You keep claiming that, but it is ridiculous.

For the first 10-20 years of RDBMS then Cobol was the
most widely used language for RDBMS access.

Cobol with embedded SQL was a huge thing. Sort of still is.

Note that when there are talk about what Rdb customers
will do, then two of the solutions Mimer and SQLRelay
both come with an embedded SQL pre-compiler for Cobol.
Because that is what is needed. People use Cobol
with embedded SQL to access Rdb (and also Oracle DB
for that matter).

Arne



--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

=?UTF-8?Q?Arne_Vajh=C3=B8j?= <arne@vajhoej.dk> wrote:

For the first 10-20 years of RDBMS then Cobol was the
most widely used language for RDBMS access.

Cobol with embedded SQL was a huge thing. Sort of still is.

It's true that COBOL never implemented embedded relational database access
as well as it implemented heirarchical database access.

But I think that it's also true that no language has ever implemented
embedded relational database access as well as COBOL implemented
heirarchical database access.

The COBOL syntax is ghastly but it's the price you pay.
--scott
--
"C'est un Nagra. C'est suisse, et tres, tres precis."
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/5/2026 9:47 PM, Scott Dorsey wrote:

=?UTF-8?Q?Arne_Vajh=C3=B8j?= <arne@vajhoej.dk> wrote:

For the first 10-20 years of RDBMS then Cobol was the
most widely used language for RDBMS access.

Cobol with embedded SQL was a huge thing. Sort of still is.

It's true that COBOL never implemented embedded relational database access
as well as it implemented heirarchical database access.

But I think that it's also true that no language has ever implemented embedded relational database access as well as COBOL implemented
heirarchical database access.

A good ORM that generates all the SQL and does dirty tracking
can almost make database access invisible.

Only works if one need an object model of course.

The COBOL syntax is ghastly but it's the price you pay.

I think most consider Cobol syntax horrible to use.

But it was one of the first languages and they did not
have much to learn from.

And it is natural that things evolve over time.

Try compare a 1960 car with a 2026 car or compare
a 1960 TV with a 2026 TV.

It would be weird if 1960 programming language
was just as good as a 2026 programming language
(I am not aware of any languages actually created
in 2026, but ...).

Arne

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On Tue, 5 May 2026 19:41:58 -0400, Arne Vajh|+j wrote:

On 5/5/2026 7:04 PM, Lawrence DrCOOliveiro wrote:

It was supposed to be focused on rCLbusinessrCY use, but just a decade
or two after it came out, rCLbusinessrCY customers started to make more
and more use of SQL databases, and Cobol was never a good fit for
that.

You keep claiming that, but it is ridiculous.

Note that when there are talk about what Rdb customers will do, then
two of the solutions Mimer and SQLRelay both come with an embedded
SQL pre-compiler for Cobol. Because that is what is needed. People
use Cobol with embedded SQL to access Rdb (and also Oracle DB for
that matter).

See, thatrCOs what I mean. You say IrCOm being rCLridiculousrCY, then in the next breath you admit that some complicated patchwork of additional proprietary, nonportable tools is necessary to get it to work.

Cobol itself is supposed to be portable. But all this additional
fiddling necessary to implement SQL access is not.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 2026-05-05, Lawrence D Oliveiro <ldo@nz.invalid> wrote:

On Tue, 5 May 2026 16:29:49 -0400, Arne Vajhoj wrote:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

Cobol is ?simple??? Yeah, right ...

Ada is still with us, and spawning projects like Spark to point out to
the Rust folks that some people were worrying about memory safety
before they were even born ...

<https://devclass.com/2022/11/08/spark-as-good-as-rust-for-safer-coding-adacore-cites-nvidia-case-study/>

Also, type safety is one hell of a lot more than merely memory safety.

Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10tdrrf$muss$1@dont-email.me>,
Arne Vajh|+j <arne@vajhoej.dk> wrote:

On 5/5/2026 5:59 PM, Lawrence DrCOOliveiro wrote:

On Tue, 5 May 2026 16:29:49 -0400, Arne Vajh|+j wrote:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

Cobol is rCLsimplerCY?? Yeah, right ...

Yes.

The Cobol language is relative simple.

I don't know about that, but I suspect that the definition of
what is "simple" varies. Is the syntax simple? It's meant to
be. Are the semantics simple? Eh...I don't know. I think
some of them can be surprisingly subtle.

When it was created there was actually people that believed
programmers would no longer be needed and the business people
could write their own Cobol.

That did not happen.

People that already know some of the modern programming
languages need to do a mental reset when learning Cobol,
because Cobol is do different. But different is not the
same as complex.

It's best to think of COBOL as a DSL for business data
processing.

Ada is still with us, and spawning projects like Spark to point out to
the Rust folks that some people were worrying about memory safety
before they were even born ...

[Not Arne's comment, but since I plonked Troll]

This is a dumb take. Of course the Rust developers know about
efforts at memory safe languages prior to Rust; Ada, Cyclone,
and OCaml were were among the set that influenced the design.

Ironically, Rust is now influencing the development of Ada
(which wants something similar to the borrow checker) and
OCaml (the "modes" stuff was directly inspired by Rust).

I am sure there are also places where PL/I are still used.
Likely in the financial sector.

For applications? Probably. It found a fair bit of use for
systems programming inside IBM and other places. Multics was
famously implemented in PL/1.

But while PL/I and Ada were main languages many years ago,
then they are very niche today.

I wouldn't say that either was ever a "main" language, but I'm
not sure what you mean by that. But with respect to PL/I,
COBOL and Fortran always eclipsed it for its original purpose as
a language suitable for both business and science; Ada found
favor in the embedded and safety-critical communities (aerospace
and automotive; defense, etc) but was never a particularly
successful language outside of that; certainly not in comparison
to its contemporaries.

Both were highly influential for languages that came afterwards,
though (fun fact: C's `/* ... */`` come from PL/1, through B.
BCPL, B's immediate predecessor, used the `//` convention and
only adopted the PL/I style delimiters later, after C had become
popular).

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 5/6/2026 12:17 AM, Lawrence DrCOOliveiro wrote:

On Tue, 5 May 2026 19:41:58 -0400, Arne Vajh|+j wrote:

On 5/5/2026 7:04 PM, Lawrence DrCOOliveiro wrote:

It was supposed to be focused on rCLbusinessrCY use, but just a decade
or two after it came out, rCLbusinessrCY customers started to make more
and more use of SQL databases, and Cobol was never a good fit for
that.

You keep claiming that, but it is ridiculous.

# For the first 10-20 years of RDBMS then Cobol was the
# most widely used language for RDBMS access.
#
# Cobol with embedded SQL was a huge thing. Sort of still is.

Note that when there are talk about what Rdb customers will do, then
two of the solutions Mimer and SQLRelay both come with an embedded
SQL pre-compiler for Cobol. Because that is what is needed. People
use Cobol with embedded SQL to access Rdb (and also Oracle DB for
that matter).

See, thatrCOs what I mean. You say IrCOm being rCLridiculousrCY, then in the next breath you admit that some complicated patchwork of additional proprietary, nonportable tools is necessary to get it to work.

Cobol itself is supposed to be portable. But all this additional
fiddling necessary to implement SQL access is not.

I cannot make any sense of what you write.

Any combination of language and RDBMS needs something
to connect them.

ODBC driver, JDBC driver, ADO.NET provider, Python DB 2.0 module,
PHP PDO extension, C library or an embedded SQL pre-compiler.

No language ship with builtin support for all RDBMS. Often you
need to get it from somewhere. From the database vendor or open source.
From an original web site or from a package manager repo
(Maven, NuGet, PyPi, composer etc.).

Usually not complicated.

Some embedded SQL pre-compilers are proprietary some are
open source. On VMS then Rdb and Mimer are proprietary and
PostgreSQL is open source.

Embedded SQL is reasonable portable. The majority of the code
will work everywhere (assuming that the SQL itself is portable,
but that is a constraint for all SQL based API's). Typical
non-portable pieces is connection establishing and getting
extended error information.

The problem you talk about don't exist.

Arne


--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10tdt4k$must$2@dont-email.me>,
Arne Vajh|+j <arne@vajhoej.dk> wrote:

On 5/5/2026 5:30 PM, Dan Cross wrote:

In article <10tcpk2$e86o$1@dont-email.me>,
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-03, Lawrence D|+Oliveiro <ldo@nz.invalid> wrote:

On Sun, 3 May 2026 11:25:00 +1000, Subcommandante XDelta wrote:

With $1 Cyberattacks on the Rise, Durable Defenses Pay Off Writing
memory-safe code beats patching your way to safety

Rust seems to be the language du jour for tackling this problem.

Google reported a significant decrease in memory-related bugs after
adopting Rust into the Android code base in a major way. Though,
oddly, not a decrease in bugs overall ...

Writing secure code is a frame of mind, not merely just using a tool
and then expecting security magic to "just happen".

Excellent example from the Rust installation web page:

curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

This is from: https://rust-lang.org/tools/install/

I've heard this criticism before, but it's a bad argument.

First, nothing at all is preventing you from downloading
whatever is at that URL and inspecting it yourself, verifying
that its checksum matches a known hash, etc, before running it.

Second, nothing prevents a user from running that command line
in a sandbox, even if they didn't do the first things.

That applies to almost everything security related.

The users *could* do something by themselves to mitigate risks.

Experience show that a significant part of users *will* not.

That is bad security.

Absent a threat model, relative statements about "bad" or "good"
are just opinions.

Good security is forcing or at least encouraging the users to
do the right thing.

Again, what "the right thing" is varies.

You may not like the decisions they made, but the people who put
together rustup have actually thought about these issues and
that this is not a likely scenario among their active threat
models, and thus not an attack vector that they need to defend
against.

And furthermore, it elides any discussion of threat models; why
would I worry about the rustup.rs side being compromised any
more than I would worry about the compiler binaries themselves
being compromised?

The fact that there are other security issues does make
a security issue go away.

I don't think you understand the point. It is being claimed,
without evidence, that the directions for installing `rustup`
are a "security issue."

What I'm saying is that, under the threat model the people who
built that infrastructure are using, this is not a "security
issue."

You may disagree, but it sounds more like you are cargo-culting
what you've been told, rather than actually trying to identify a
real threat.

Anyhow, if you don't want to use rustup, there are other ways to
install Rust:
https://forge.rust-lang.org/infra/other-installation-methods.html

Note that the third bullet point under the list of reasons, "why
one might _not_ want to install using..." [rustup] is
"preference against `curl | sh`".

Or did you think the Rust people are so naive that they are not
aware that some people find `rustup`'s suggested installation
method troublesome, and wouldn't provide an alterative?

Is this substantially different than
downloading a tarball from somewhere, unpacking it, and running
a contained "./configure" script?

If there is no .sig file and no recommendation of checking,
then there is no difference.

Correct.

But having both foobar-n.n.n.tar.gz and foobar-n.n.n.tar.gz.sig
are rather common today.

Yes. But where does the .sig file come from? And how do you
know that it was not tampered with? How do you know that the
person in charge of signing the binary wasn't actively
threatened, or bribed? Is there a well-maintained, audited,
chain of custody for the signing key? What if it was stolen?
Is any of that in your threat model? Do you _have_ a threat
model? Do you even know what one is?

Maybe, before declaring that someone is "wrong", you should seek
to understand what criteria they are defining correctness.

It then tells us that we can install this new language by just directly
downloading a shell script from some random website and then directly
execute it on our own computer without bothering to first check that
it hasn't been tampered with by someone compromising the website.

I wouldn't call that, "some random website". It's the official
way to do that.

Assuming that because the address looks correct, then
it is fine is very bad security.

But that's not what is happening. The site itself is
authenticated using certificate based security (notice the
"https" in the URL: this means to use TLS).

It's not just that the "address looks correct", it's that the
underlying transport layer security protocol authenticates the
server's identity by validating the certificate it presents in
the TLS exchange.

The grown up response would have been to insist on the user downloading
the shell script as a file, verifying the signature before execution,
and then saying that this is the kind of mindset required in this world.

But also, where do I get the signature in the first place, and
how do I verify that it is correct? Supposing the checksum is
signed with something like PGP or an equivalent, where do I get
the public key to verify the signature, and how can I be sure
that THAT hasn't been tampered with? What if I don't have
anyone in _my_ web of trust that verified the key the script was
signed with? And even if I did, how do I know the key wasn't
compromised? Some poor release engineer might be a basement
somewhere, RIGHT NOW, getting worked over by goons with a rubber
hose. Oh my!

That is how certificates work.

I wasn't talking about certificates. I was talking about public
key cryptography. The latter is used for the former, but the
two are distinct.

A known problem with public-key cryptography schemes in general
is secure distribution of the public key.

Certificate-based authentication is hierarchical, with
certificate authorities authorized to sign public keys
descending from a root of trust at the top of the hierarchy;
presumably the root signing keys are physically secured and
well protected. It is assumed that a trusted set of CAs are
securely shipped with systems externally, and may be
subsequently relied upon. To guard against compromise, there
are provisions for revocation. Collectively, this is generally
referred to as PKI, or "public-key infrastructure."

SSH-based authentication, on the other hand, relies on two
layers of authentication: the host is authenticated using a
Diffie-Hellman (by default) key exchange, and an ephemeral
secret key is generated for a symmetric cipher that is to
establish a covered channel between client and server, and then
the user is authenticated over that encrypted channel. But this
is susceptible to a TOFU ("time of first use") attack. Wide
distribution of host public keys has traditionally been the
mechanism used to address this, providing a means for end-users
to verify that they match what is expected from a given host.
OpenSSH can use a CA to sign the host public key, but that is
not widely used.

PGP, in turn, has traditionally relied on an informal "web of
trust", with users manually validating each other and signing
each other's keys; more recent work has introduced integration
with PKI.

All of these mechanisms make use of best-known cryptographic
techniques for public key, digital signature, and hash
algorithms.

The point with respect to Rustup is that Simon suggested that
they should use digital signatures. But that's vague; and in
particular, which of the many variants of signature verification
does one use? And how does one address the public key
distribution issue?

Will you accept using HTTP (non S) to your banks web site,
because the banks certificate could be compromised due to
similar reasons?

Huh? That is not at all the same thing.

Of course not.

Nothing is 100% secure. But one add multiple layers of security
to make it as secure as possible.

Again, absent any details of a threat model, all of this is just
speculation and opinion.

On the other hand, I can tell you what the Android Security team
did when they first started exploring Rust: the used `mrustc`,
which is a Rust compiler written in C++, to compile a bootstrap
compiler, using a trusted C++ compiler.

Then they started rolling forward over point versions of the
compiler (mrustc lacked some features to compile the newest),
using the previous to compile the next, until they got to the
then-newest release compiler. Then they verified that it was
bitwise identical to what they saw coming from the Rust
project.

THAT is what the grownups do.

I will assume that is a joke.

No, that is exactly what they did.

And moreover, why would you assume that is a joke? If you
really want to avoid "trusting trust" issues and verify the
provenance of your toolchain, that is one technique to do so.
If your organization is actually concerned with build integrity,
because (say) your threat model includes nation state actors,
then that's the kind of thing you do. Google cares about that.

If your threat model does NOT include that kind of thing, then
you do not. You probably do not have to worry about it.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10tfd69$15vpr$2@dont-email.me>,
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-05, Lawrence D Oliveiro <ldo@nz.invalid> wrote:

On Tue, 5 May 2026 16:29:49 -0400, Arne Vajhoj wrote:

* simple programming languages only trying to do a few things well
often thrive and live longer than complex languages trying to
do everything - Cobol and C did better than PL/I and Ada

Cobol is ?simple??? Yeah, right ...

Ada is still with us, and spawning projects like Spark to point out to
the Rust folks that some people were worrying about memory safety
before they were even born ...

<https://devclass.com/2022/11/08/spark-as-good-as-rust-for-safer-coding-adacore-cites-nvidia-case-study/>

I wonder if the troll read the article he linked to. It talks
about replacing C with SPARK for firmware in NVIDIA GPUs, and
only mentions Rust as another type- and memory-safe language.
The last paragraph is telling: "All that said, the SPARK
advocates look unlikely to disrupt the momentum behind Rust, not
least because of Rust s emerging support in the Linux kernel."

The case study the article links to on the adacore.com web site
doesn't mention Rust at all, but elsewhere adacore.com does: https://www.adacore.com/languages/rust

Not terribly surprising, since they're heavily involved with
Ferrocene.

Also, type safety is one hell of a lot more than merely memory safety.

Rust is type safe.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On Wed, 6 May 2026 09:29:23 -0400, Arne Vajh|+j wrote:

Any combination of language and RDBMS needs something
to connect them.

Languages like Python and PHP manage this just through addon
libraries, without the need for special language extensions or
preprocessors.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

I don't think you understand the point. It is being claimed,
without evidence, that the directions for installing `rustup`
are a "security issue."

The problem here isn't really rustup. A better objection to "curl|bash"
is that it normalizes a habit of failing to think critically and act
carefully.

De
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

On 2026-05-06, Dennis Boone <drb@ihatespam.msu.edu> wrote:

I don't think you understand the point. It is being claimed,
without evidence, that the directions for installing `rustup`
are a "security issue."

The problem here isn't really rustup. A better objection to "curl|bash"
is that it normalizes a habit of failing to think critically and act carefully.

And that is _exactly_ the point I am making. This is what I see on that installation page:

|Using rustup (Recommended)
|
|It looks like you're running macOS, Linux, or another Unix-like OS. To |download Rustup and install Rust, run the following in your terminal,
|then follow the on-screen instructions. See "Other Installation
|Methods" if you are on Windows.
|
|curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

I never even read that other page because they said it was for Windows
but I now see they have actually been forced to say the exact same thing
as I have just done (but they have buried it on something they described
as a Windows-only page).

I stand by my original comments, especially after reading that "Windows"-only page.

I also stand by my approach that security is a frame of mind, and which
cannot be replaced by some claimed "magic" tool. Tools can help (and are required), but that's all they can do (and they are not magic).

Simon.
--
Simon Clubley, clubley@remove_me.eisner.decus.org-Earth.UFP
Walking destinations on a map are further away than they appear.
--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <zvadnQ3POdq2nGH0nZ2dnZfqnPednZ2d@giganews.com>,
Dennis Boone <drb@ihatespam.msu.edu> wrote:

I don't think you understand the point. It is being claimed,
without evidence, that the directions for installing `rustup`
are a "security issue."

The problem here isn't really rustup. A better objection to "curl|bash"
is that it normalizes a habit of failing to think critically and act >carefully.

*That* is valid criticism. Habituating a verification mindset
would be useful.

- Dan C.

--- Synchronet 3.21f-Linux NewsLink 1.2

From Newsgroup: comp.os.vms

In article <10ti0vj$21brr$1@dont-email.me>,
Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> wrote:

On 2026-05-06, Dennis Boone <drb@ihatespam.msu.edu> wrote:

I don't think you understand the point. It is being claimed,
without evidence, that the directions for installing `rustup`
are a "security issue."

The problem here isn't really rustup. A better objection to "curl|bash"
is that it normalizes a habit of failing to think critically and act
carefully.

And that is _exactly_ the point I am making.

Is it, though? It sounds like you're making a specious claim
about a group of people asserting something that they are not
actually saying, and then using their recommended method for
installing a toolchain as evidence for a conclusion you drew
from that strawman.

This is what I see on that installation page:

|Using rustup (Recommended)
|
|It looks like you're running macOS, Linux, or another Unix-like OS. To >|download Rustup and install Rust, run the following in your terminal,
|then follow the on-screen instructions. See "Other Installation
|Methods" if you are on Windows.
|
|curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh

I never even read that other page because they said it was for Windows
but I now see they have actually been forced to say the exact same thing
as I have just done (but they have buried it on something they described
as a Windows-only page).

The text at the bottom of that page says:

|Other installation methods
|
|The installation described above, via rustup, is the preferred
|way to install Rust for most developers. However, Rust can be
|installed via other methods as well.
|
|[LEARN MORE](https://forge.rust-lang.org/infra/other-installation-methods.html)

Nothing in that text says, "windows only."

I stand by my original comments, especially after reading that "Windows"-only >page.

Presumably you are referring to the part of the text that you
quoted above that reads, "See 'Other Installation Methods' if
you are on Windows."

First, that does not say "only if you are on windows." It
merely says that if you're using Windows, do this instead of
that. No one is forcing you to use rustup if you don't want to
or do not feel comfortable doing so.

Second, if you are serious about security, and want to approach
it with the mental mindset you are advocating, shouldn't you
read more than the first paragraph of the installation
instructions?

I also stand by my approach that security is a frame of mind, and which >cannot be replaced by some claimed "magic" tool. Tools can help (and are >required), but that's all they can do (and they are not magic).

So you have traced the the source-level provenance of all
software running on your computer and audited it for bugs,
right? :-D

Jokes aside, you seem to be implying that someone has suggested
that e.g. Rust is a "magic tool" for solving security problems
and that it can replace one's mental model of security. I don't
think anyone in a position of authority with respect to Rust has
ever said that.

The claims they do make are that the requirements imposed by
using the safe subset of Rust eliminate several categories of
common programming errors related to type and memory safety. To
the extent that intersects with "security" at all, those errors
are frequently associated with security vulnerabilities, and so
programs written in safe Rust are free from those kinds of
vulnerabilities as a side-effect. Furthermore, safe rust and
the standard library provide enough functionality for the vast
majority of programming needs; most Rust programmers will never
have to type `unsafe` into a program in their careers.

But it does not follow that Rust programs are free from _all_
security vulnerabilities, and no one claims that they are; at
least no one who understands these things at more than a cursory
level[*].

You can obviously write Rust programs with security
vulnerabilities. And rust is not perfect: I could go into some
of the problems that _I_ see in the language, if you like, but
I'm striving for brevity here.

I realize that the claims mentioned above are bold, and I truly
believe that one _should_ approach them with a healthy dose of
skepticism (I did and I'm glad for it). But to dismiss Rust, or
anything for that matter, out of hand because you don't like the
recommended toolchain installation process is not skepticism.

I encourage you to look at an alternative installation method
and explore it for yourself before drawing conclusions.

- Dan C.

[*] An admitted problem with the larger Rust ecosystem is that
it tends to attract rabid Lawrence-style fanboys who oversell it
and make specious claims about its capabilities; these do not
stand up to scrutiny. But that is not the fault of the language
any more than it is Linux's fault that Lawrence is so obnoxious
and uninformed in his advocacy for it. In any event, "there are
people who like this and behave like jerks about it on the
Internet, therefore it must suck" is poor logic.

Further, without making an effort to understand the presumed
threat model, asserting that the installation process is
evidence of "bad security" or a cavalier attitude towards
security from the larger project, is specious at best.
--- Synchronet 3.21f-Linux NewsLink 1.2