man, I'm so glad you cleared that up for us...

He explained why 0 isn't the goal, you continue to act as if he didn't. I don't know where else this conversation can go without you going back and better understanding his actual point.

It's easy to say "safety is about tradeoffs" but then when you follow it up with an insistent that no tradeoffs should be made it kind of makes it seem like you're just saying that to appear reasonable rather than actually being reasonable.

This is most definitely the paragon that should be helping us decide which large swathe of people to fuck over.

In fact, one of the red flags for decision makers is the inability to understand the above tenet.

the guy is a whistleblower, went to court day 1, missed court day 2, and was found dead in his vehicle of unnatural causes.

attaching the adjective vacuous doesn't actually strengthen your point.

> That is bad. But not as bad a FBW system bug.

The event in question is better than the plane plummeting out of the sky and killing everyone. That doesn't make it ok for the event to have happened.

There is no world in which two institutions with plenty of money, knowledge, and a lack of coercion are going to come to an agreement for a loan with 50% interest.

Theory vs practice. In theory what you're saying could happen, in practice it's only going to happen when one party has a severe imbalance against the other party (and you know this or you wouldn't have tried to head off that argument). Since contract law deals with practice, contract law disagrees with your assessment that it should be allowed.

Which goes back to the whole ownership thing.

Just because someone _can_ draw up a contract to muddy ownership to the point that the seller of a $30k+ USD vehicle can retain control and absolutely limit what the purchaser can do does not mean contract law should allow it.

And there's too much precedence for this sort of thing for you to have a leg to stand on (although I'm sure you'll try). Just because someone _can_ sign a non-compete with no expiration does not mean the law should allow it.

ad nauseum.

Arguing that because contracts today muddy ownership so you can't act as if the purchaser has certain rights is missing the point.

but humor aside, the point stands. safety/security is about tradeoffs.

The point Herb was making is that "rigorous memory safety" isn't the only bar, nor should it be. Saying there is no way to make C++ have rigorous memory safety is not the same as saying C++ can never be made safe.

> Old code that can't be understood needs to be rewritten anyway.

I don't think it's that old code can't be understood, you can always understand what code is doing mechanically.

it's a question of can you predict the consequences. For example, if I rename this database column, what in our systems that have been built over the last 30+ years will explode? That's data rather than code, but the underlying idea is the same.

What happens is the very act of rewriting it puts you at risk of adverse effects.

I dislike this argument because rust unsafe code is typically placed into a module with safe code around it protecting it.

Guess how good C++ code is written?

exactly. The unsafe keyword certainly helps but is not a panacea nor a guarantee given that a bug in the safe code that's protecting the unsafe code could be the root cause for security issues, even if it manifests itself in the unsafe code.

That's a serious question, if I open a file for reading and another process writes to it, exactly how is the C++ standards supposed to protect against that?

2nd and 3rd order thinking is a thing.

Does the cost of doing so justify being 100% secure?

most people would say no.

He addressed that, the cost of making it to 0 would be too great (C++ would have to break backwards compatibility) so we should try and be inline with other languages instead.

I don't understand why you're acting as if he didn't make the point he made.

under what circumstances is it acceptable for your instrumentation to go away? none is the answer.

If the event was caused by the instrumentation going away it's bad. If the instrumentation went away because of the event, that's also bad.