And, is potential safety 5+ years in the future (that's an absurdly optimistic estimate of a rewrite for an OSS project the size and scope of PostgreSQL) worth effectively standing still for all that time? Is the security/stability history of PostgreSQL poor? I'm not under that impression.
Rust isn't inherently faster than C, but it can be easier in some cases for the optimizer to optimize Rust code better than C code. In particular, I have in mind Rust's reference types and the fact that they all "follow LLVM’s scoped noalias model"[1]. You can, of course, get this same benefit in C by using restrict, but most of the C code I've seen makes little use of restrict (and it's quite easy to accidentally alias a restricted pointer, so it definitely imposes a mental burden, even if it's very slight).
Rust's safety model allows you to get the optimization of C's restrict without the footgun. That can be a big win.
But of course, just because something is written in Rust doesn't mean it'll be faster than the equivalent C code. Rust isn't magic, after all.
This has been touted, but has there been a non-trivial project that shows this? Something like a media manipulation library where there are lots of places for optimization. It's been stable for a few years now, so I imagine someone's seen performance benefits if it's happened.
Furthermore, given a team of experts working for half a decade on the rewrite, do we really believe it would yield safer code than if we spent the same amount of work on improving postgresql security?
I get the appeal of Rust for a new project though, especially if your team doesn't consist of seasoned C programmers.
Nobody is suggesting complete rewrite, but theoretically - yes, in terms of security rewriting in rust would be better investment than whack-a-mole game of chasing bugs in C.
That's why I said potential. One reason would be the potential for much more asynchronous code than is easy to achieve in C, another would be Dev time. But the point is, rust is competing for speed with C, JS never was.
> Well that's going to be a show-stopper right there. For a proper
> port, a deep understanding of the current source code is necessary.
> You'd need a team expert in both C and Rust to pull it off.
Also, they don't seem to understand that Corrode doesn't generate idiomatic Rust, nor does it remove the "over-complicated details of C". From the Corrode README: "This tool does not fully automate the job because its output is only as safe as the input was; you should clean up the output afterward to use Rust features and idioms where appropriate." So keeping the Rust rewrite in sync with the C codebase via automatic translation with Corrode is mutually exclusive with actually rewriting it in safe idiomatic Rust.
The weird thing is that they clearly have the sense to recognize that a rewrite would be a non-trivial project, but they seem to completely misunderstand why.
Add to that that you basically need to learn everything about C too when you learn Rust. C (without macros) is pretty much a subset of Rust, and there's a lot to learn on top of that subset. The advantage of Rust is not that it's easier, it is that you will more likely get a compiler error than a (possibly hidden) runtime bug if you don't have fully understood something.
> C (without macros) is pretty much a subset of Rust
Well, yes and no.
On the one hand unsafe Rust is roughly similar to C[1], and unsafe Rust is a subset of Rust.
But unsafe Rust is not the most widely used subset of Rust, stable Rust is ! And stable Rust is arguably way easier to understand and work with than C. And you can write fairly complicated software without writing a single line of unsafe code.
[1]: even though, the more expressive syntax and type system of Rust makes a lot of things less error-prone in Rust, like pattern matching or Result<> for error handling instead of switch and goto.
Unsafe Rust is a _superset_ of safe Rust: it's the exact same thing, with some extra abilities. For that reason, "roughly similar to C" is also not exactly true; unsafe Rust, for example, does not remove any safety checks, it gives you access to extra unchecked things. A reference inside of an unsafe block is still borrow checked. But you can also use a raw pointer, that isn't.
I think the author is making a good point but possibly couching it in the wrong terms: C shifts a lot of the inherent complexity of systems programming and manual memory management onto the programmer, with the language offering little to no assistance. If you squint hard enough around the reems of specification and piles of undefined/implementation-defined behaviour in innocuous places, the language itself might indeed be something you could call simple, but actually writing correct code in it is not.
There's a reason many, many person-years have been devoted to tooling: offloading as much of the "simplicity" as we can onto computers is the best way we know how to write correct C at scale.
(That said, PostgreSQL clearly works well enough and has a system for writing new code that works well enough, so proposing a wholesale rewrite into a different language seems... unproductive, even moreso than usual.)
I am not sure what to make of this: the author is a cto of a 100~ person company, but he is thinking that a project like pg can be realistically rewritten in rust. I just don't get it. Even if you could somehow make the 'complicated' and 'scary' parts of the code base magically transform into rust (much less handle performance and other issues due to memory management being different between c and rust), how would you maintain that project? Ai driven code translation from c to rust is a singularity too soon.
This is worrisome for the company, to have someone as clueless about technical work scope and estimate to be in charge of the technical department. Or is that more of a political post?
Do you mean that it would be impossible for a team of experts in C and rust to rewrite pg in 5 years? That is essentially what he is proposing. (Which probably isn't a great idea, but I think the work scope estimate is in the right ball park.)
The way he proposes it, and the reasoning behind it all scream "clueless".
Reminds me of first year CS students who after learning that assembly is lower level and can be faster than C, wanted OSes and applications to be written in assembly for speed.
What's the argument against possible Rust porting of Postgres?
Because of the interop ease, it's not hard to imagine a multi-year peicemeal rewrite. Postgres' code has some pretty good idioms that could be nicely encoded in Rust, and a good separation of concerns
This reminds me of an episode that happened roughly ten years ago. I am a cosmologist and I have worked to the ESA Planck mission [1], a spacecraft launched in 2009 to study the Cosmic Microwave Background. Planck was the successor of another spacecraft, WMAP [2], which was launched by NASA in 2001.
One of the bosses working for one of our industrial partners was completely clueless about the details of the mission and the context. One day, he entered the office of one of his employees:
- Hi Bob [fake name], do you know anything about this Planck stuff?
- Sure, I'm working full time on Planck.
- Good! And do you know what WMAP is?
- Of course I do!
- Great! Now listen, if WMAP run on Windows, you should definitely install it on my computer, so I can play with it.
I would suggest that the author creates a clone of a "simpler" DB like SQLite or Redis. Those have, as far as I understand, good C codebases, so understanding the system should be much easier.
This way you could also say: hey! I have successfully ported a DB written in C in the past, and it has been an extremely positive experience, how about trying the same with Postgres?
If you wanted to write a drop-in SQLite replacement in Rust, using the original project's (incredible) test suite would be on the mandatory side, wouldn't it?
To a degree. Certainly the end-to-end tests should be something you can expect to reuse. Other tests may be hit or miss. In the case of SQLite, where there's >100x as much test code as application code, there's a large range between "can use some of it" and "can use most of it" - as mathw gets at I think we should be able to expect the latter here.
A guy randomly asks a question on a mailing list, and then his mail goes in the front page, and then people start insulting him: «blah blah, stupid politic CTO … understand nothing, blah blah blah».
Because this reminds us of the damage done by technical decisions made by ignorant people in charge. The resonance draws out the overwhelming reaction.
It's perfectly feasible to write something like Postgres in Rust, and it's a good idea, too! But Postgres is not going to be that database, for a huge number of reasons. Even Mozilla isn't replacing Gecko wholesale with Servo.
For people coming from managed languages (and in 2017, the huge majority of us is), contributing to a C project is way more complicated than contributing to a database project.
For open-source projects, being written in a scary[1] language is a liability in the long run.
For many tasks, we used to have no good alternative than using C (or C++ which is even scarier), but this is no longer the case now thanks to Rust.
I'm obviously not saying we should rewrite PostgreSQL in Rust, but the ability to grow/maintain the contributor base is an argument that should not be underestimated.
[1]: no matter how difficult or not it is in practice, the C is scary for many people and most of them will never feel confident enough to suggest changes in a C code base.
> For people coming from managed languages[...] contributing to a C project is way more complicated than contributing to a database project.
I think people do have this feeling, but likely it's because they don't actually know much about writing databases, so they see one issue but not the other.
OTOH it might be possible to contribute small things (e.g. improving the database client program, adding a test) if one can write some code in $LANG_MORE_ACCESSIBLE_THAN_C, even without knowing what a btree is or what "cache locality" means.
Out of curiosity, if you find C and C++ to be scary and unapproachable, how on earth can you feel confident in your assessment that Rust is a good replacement for it?
> For people coming from managed languages (and in 2017, the huge majority of us is), contributing to a C project is way more complicated than contributing to a database project.
By my reading for most of the submitted patches language issues aren't in the top three of problems preventing the patches from being merged; although such issues certainly exist. That said, that obviously doesn't say anything about patches never getting submitted.
Personally the biggest issue with growing the contributor base in postgres isn't language related, it's that a) the easy thing have been done long ago, making the learning curve steep b) lack of time from the experienced people/committers. Most of us have other stuff and our own projects to deal with :(
My motivation is primarily I don't want to learn all the over-complicated details of C
I don't understand this statement. Is he saying he want to contribute to postgres, but he doesn't know C well enough, so he kindly asks the team to consider the idea of a rewrite in Rust to make it easy for him?
Postgres's extension APIs are pretty good and Rust's interoperability with C makes it quite feasible to extend the database without rewriting it. Some months ago we wrote a logical decoder -- to capture and forward the write-ahead log as JSON -- in Rust and later were able to pull out some helpful bindings for logical decoders, foreign data wrappers and so forth.
The extensibility of Postgres is really profound -- there are so many things you can do, and so much internal functionality you can access, without having to recompile the database. The way extensions are loaded also mitigates the risk of what can be admittedly tricky issues relating to safety. Extensions run in backend processes, not the postmaster.
If rewriting Postgres happens, I hope it would be gradual. You can replace a lot of the core with extensions, and the scope for extension is ever increasing. So say you wrote a storage engine in Rust. Writing a foreign data wrapper for it would give you a way to use it from Postgres for all your tables; but you wouldn't have to write a SQL parser, client manager, permissions system, or any of the rest of that stuff.
Although the C stuff is a little gritty, a lot of what goes on in a database is gritty "because it is" and that low-level control is needed to deliver on tail latency, fault tolerance or simple storage efficiency. For example, Postgres has code to recover from malloc failing.
I'm not sure there's much reason to rewrite Postgres as a whole. If there are specific subsystems which are common sources of CVE they might be targets, but looking at the list[0] no specific system really seems to jump out.
Extensions could be neat, there doesn't seem to be a high-level Rust API for it (in the style of ruru or rust-cpython) yet though, only incomplete-looking bindgen: https://github.com/posix4e/rpgffi
I'm not advocating for a complete rewrite of Postgres in C, but I'd like to emphasize the fact that security is not the only good reason to justify the transition of a project from C to Rust:
Nowadays most developers comes from memory-managed languages
=> for us, C is a scary land where it's really hard to get things right when you don't have all the prerequisite knowledge (what's the stack ?)
=> the language is really old, you don't have all the fancy and useful tools and syntactic sugar (package manager, proper error handling, generics)
=> then we don't want to invest a lot of time to learn a difficult language that is so unproductive.
=> and even if we do out of curiosity, we'll most likely never feel confident enough to dig into an open-source project and contribute.
Rust on the other hand, is like C but with a personal IA assistant (the compiler) and all the syntactic sugar you're used to (and even more if you're not familiar with the ML family). That's what's attracting so many web developers to Rust !
In my opinion it means that, in a somewhat near future, the amount of potential contributors for projects written in Rust could be higher than for projects written in C. And those contributor are also likely to be more productive, thanks to the language features and tooling.
You're describing qualities that are meaningless to a database user. A Rust implementation of PostgreSQL, with its runtime checks, would almost certainly be slower than the existing implementation. So a Rust port is a non-starter. Database users don't care about your syntactic sugar, that you find manual memory management a "scary land" due to background in managed languages, or how many contributors you have. Speaking of which, the PostgreSQL project is healthy and has many, many contributors. And while we're discussing developer productivity, I can't even imagine the build time of a Rust port.
What's annoying about OP's email is that they clearly did no research on the matter. You can find many discussions on the list about "upgrading" to C++, and there has been much wringing of hands. The last I heard, it sounded like a faction was considering having the project build with a C++ compiler rather than a C compiler for better type checks and as a step on that path.
> A Rust implementation of PostgreSQL, with its runtime checks, would almost certainly be slower than the existing implementation. So a Rust port is a non-starter.
Wait, which runtime checks are you talking about ? This is a recurring FUD we often see on HN about Rust and I'd like to clarify this point.
IIRC, there is no mandatory runtime check in idiomatic Rust except UTF8 validation for strings[0]. There is no overflow checks on numbers, and no bounds checking when using iterators[1]. Another known overhead is the default use of siphash in hashmaps for DoS prevention[2], but this is not really a «runtime check».
Do you have anything else in mind ?
> Speaking of which, the PostgreSQL project is healthy and has many, many contributors.
Indeed, and as I said, I'm not advocating for a port of PostgreSQL in Rust. But for other projects that suffer from a lack of attention[3], it could be a good move.
> And while we're discussing developer productivity, I can't even imagine the build time of a Rust port.
touché, but compile time is one of the biggest focus of the Rust core team atm, so I'm confident things will improve in 2017 :)
[1]: there are bounds checking when you access array elements through indexes, but most of the time you don't do that since iterators are great. If you really need to, and this have a performance impact, you can opt-out the bound checking in unsafe block.
[2]: But this is opt-out by using a different hash function, if you use your hashmap in a non adversarial environment.
[3]: like librsvg which was chronically under-maintained.
[1] is great. Rephrased, "there isn't runtime bounds checking, unless you use the language. But you can opt out in an `unsafe` block." OK? So we're back to the usual Rust argument: At least your unsafe code is greppable. And I don't think any competent C or C++ developer considers that a worthy tradeoff when it comes with a more complex, constantly evolving language, far less mindshare, slow builds without solutions (unlike C++), and so on.
Regarding [2], I think it's safe to consider any software that takes input as operating in a hostile environment.
That is an extreme mis-characterization of stymaar's excellent summary. in short, there are no runtime checks for iterating through an array, and since the general case of random access to an array can't be safe (without dependent typing), that is the one place the runtime checks are automatically added, and even there you can opt out of them. It is easy to get C equivalent speed with far more safety.
You are spreading FUD, indeed.
Which runtime checks are you concerned about, exactly?
Just array indexing? It would be interesting to see your criticism fleshed out.
I am not sure your criticism will amount to anything if array access is it, though. Posrgres is full of custom data structures and macros as it is. StringInfo and stuff like that -- they are not just "using the language", writing nice simple C code. Probably because databases really push you to use advanced techniques in places.
>there are bounds checking when you access array elements through indexes
I wish we didn't need bounds checking; the problem could be solved with dependently typed languages. Unfortunately Rust just panics when you access out of bounds, and doesn't warn you at compile time. Rust isn't really all that impressive.
By your own admission, what you are asking for would require dependent typing. I am hugely in favor of rust eventually acquiring such capability, but it would be a huge change, and there are reasons why dependent typing hasn't hit mainstream languages yet.
If that is what I think it is, see https://docs.rs/indexing for something similar, crafted from invariance over higher-ranked lifetimes, instead of types.
I don't think Rust can ever replicate the Haskell implementation identically (if we had HRTB over types), as type parametrism is gone (see: specialization RFC).
However, lifetime parametrism serves a similar role in Rust, and lifetimes are closer to a concept of "instance" than types.
> You're describing qualities that are meaningless to a database user.
This is an old strawman. No one is asking the users to write Rust and a change in developer tooling doesn't by itself change things for users. The question is whether tools help developers help users.
I really hope that this doesn't mean we've already hit peak Rust.
The recent hype of the language is great, but I think it's really important to start seeing substantial large projects receiving productivity gains otherwise it'll attract derision and then loose its momentum.
Firefox should be the poster child for this, with the Oxidation project now in full swing. I'm hoping to see similar work appearing elsewhere though. There's no reason why any large C or C++ project couldn't decide to write some new component in Rust, if they felt it would benefit them.
But they would need to have a contributor and maintainer base sufficiently motivated to learn Rust and stick with it. Which will happen more and more if Firefox can be visibly shown to benefit from including Rust in their toolkit.
(TLDR: CTO comes in and says "Angular and TypeScript is old. Python is new, and Google is writing everything with it. Python is the best practices for development." Tells IT department to rewrite everything in Python. “If our team still needs to use Angular, just use the Python version.” After failing to convince CTO this is absurd, IT realizes they can do nothing and tell the CTO they totally rewrote everything in Python, since he won't know the difference anyway.)
This case isn't quite that bad, obviously. The request is more reasonable, but still seems to betray a pretty fundamental misunderstanding of the situation.
A CTO of a payment company, so the inquiry to see if it would be possible to replace a large C project in their stack with a drop-in replacement written in a more safe language makes sense from where he's standing.
Ok, I really like the approach Rust is taking and appreciate their effort to make low-level system programming safer, but it really is getting ridiculous. Not that implementing a DB system in Rust would be infeasible, but advocating to just rewrite some large projects in Rust is probably not the step forward.
Waiting for a flamewar on the LKML on this.
"Hey, Linux devs. I heard there is this nice language called Rust. Do you mind rewriting your OS in this? Ok, might not be possible over the weekend, but maybe over a year? Maybe use some Deep Learning to automagically transform the code?"
> Ok, I really like the approach Rust is taking and appreciate their effort to make low-level system programming safer, but it really is getting ridiculous. Not that implementing a DB system in Rust would be infeasible, but advocating to just rewrite some large projects in Rust is probably not the step forward.
Note that the OP has, afaik, no involvement in the rust project. Nor has he done much hacking on postgres. Don't think the rust people can be blamed for that one.
A port to a way more strict type and memory safe language would be great, but as Craig Ringer from 2ndquadrant replies: the postgres project is pretty conservative & this could only happen in an incremental way.
FWIW if somebody were to port a DBMS like PostgreSQL to Rust, or any other programming language, it would only be feasibly to do it component by component. Much like Mozilla now plans to use Servo for CSS rendering first, and maybe for more tasks later.
> Let's rewrite & test a 20 year old already working & popular project with ~1,000,000 lines of code just because I don't fucking know what I am saying. Please engineers try to figure that out and come up with solution before Monday.
96 comments
[ 3.0 ms ] story [ 162 ms ] threadI did find a basic one:
https://github.com/nukep/llamadb/blob/master/Usage.md
If the author finds C overcomplicated I look forward to finding out what they think of a complete database system.
And, is potential safety 5+ years in the future (that's an absurdly optimistic estimate of a rewrite for an OSS project the size and scope of PostgreSQL) worth effectively standing still for all that time? Is the security/stability history of PostgreSQL poor? I'm not under that impression.
Rust's safety model allows you to get the optimization of C's restrict without the footgun. That can be a big win.
But of course, just because something is written in Rust doesn't mean it'll be faster than the equivalent C code. Rust isn't magic, after all.
[1]: https://doc.rust-lang.org/reference.html#behavior-considered...
I get the appeal of Rust for a new project though, especially if your team doesn't consist of seasoned C programmers.
The weird thing is that they clearly have the sense to recognize that a rewrite would be a non-trivial project, but they seem to completely misunderstand why.
Well, yes and no.
On the one hand unsafe Rust is roughly similar to C[1], and unsafe Rust is a subset of Rust. But unsafe Rust is not the most widely used subset of Rust, stable Rust is ! And stable Rust is arguably way easier to understand and work with than C. And you can write fairly complicated software without writing a single line of unsafe code.
[1]: even though, the more expressive syntax and type system of Rust makes a lot of things less error-prone in Rust, like pattern matching or Result<> for error handling instead of switch and goto.
Your dedication to provide answer and explanations to absolutely everybody everywhere on the internet is incredible.
How many people do you keep enslaved in your basement to do all that work ? :p
There's a reason many, many person-years have been devoted to tooling: offloading as much of the "simplicity" as we can onto computers is the best way we know how to write correct C at scale.
(That said, PostgreSQL clearly works well enough and has a system for writing new code that works well enough, so proposing a wholesale rewrite into a different language seems... unproductive, even moreso than usual.)
https://github.com/michaelsproul/postgres-alloc-rs
That's... underselling it somewhat a little.
Do you mean that it would be impossible for a team of experts in C and rust to rewrite pg in 5 years? That is essentially what he is proposing. (Which probably isn't a great idea, but I think the work scope estimate is in the right ball park.)
Reminds me of first year CS students who after learning that assembly is lower level and can be faster than C, wanted OSes and applications to be written in assembly for speed.
company in reference https://en.wikipedia.org/wiki/Trustly
Because of the interop ease, it's not hard to imagine a multi-year peicemeal rewrite. Postgres' code has some pretty good idioms that could be nicely encoded in Rust, and a good separation of concerns
Postgres has a great focus on solving real problems for real people. Losing that focus would be a disaster.
That's putting the cart before the horse. The right question is:
a) What's the argument in favor of porting Postgres to Rust?
and
b) What's the opportunity cost?
One of the bosses working for one of our industrial partners was completely clueless about the details of the mission and the context. One day, he entered the office of one of his employees:
- Hi Bob [fake name], do you know anything about this Planck stuff?
- Sure, I'm working full time on Planck.
- Good! And do you know what WMAP is?
- Of course I do!
- Great! Now listen, if WMAP run on Windows, you should definitely install it on my computer, so I can play with it.
[1] http://www.esa.int/Our_Activities/Space_Science/Planck
[2] https://map.gsfc.nasa.gov/
This way you could also say: hey! I have successfully ported a DB written in C in the past, and it has been an extremely positive experience, how about trying the same with Postgres?
it seems many people re-implement redis (I recall at least also Go and Scala).
It looks like it's the new "backend language todo list project".
A guy randomly asks a question on a mailing list, and then his mail goes in the front page, and then people start insulting him: «blah blah, stupid politic CTO … understand nothing, blah blah blah».
github.com/posaix4e/rpgffi (logical decoders and foreign data wrappers in wrust) github.com/posix4e/jsoncdc ( an example logical decoder in rust)
We are going to be adding bigtable and s3 fdw soon.
For open-source projects, being written in a scary[1] language is a liability in the long run.
For many tasks, we used to have no good alternative than using C (or C++ which is even scarier), but this is no longer the case now thanks to Rust.
I'm obviously not saying we should rewrite PostgreSQL in Rust, but the ability to grow/maintain the contributor base is an argument that should not be underestimated.
[1]: no matter how difficult or not it is in practice, the C is scary for many people and most of them will never feel confident enough to suggest changes in a C code base.
Scary is having to run from a lion to save our life.
I think people do have this feeling, but likely it's because they don't actually know much about writing databases, so they see one issue but not the other.
OTOH it might be possible to contribute small things (e.g. improving the database client program, adding a test) if one can write some code in $LANG_MORE_ACCESSIBLE_THAN_C, even without knowing what a btree is or what "cache locality" means.
By my reading for most of the submitted patches language issues aren't in the top three of problems preventing the patches from being merged; although such issues certainly exist. That said, that obviously doesn't say anything about patches never getting submitted.
Personally the biggest issue with growing the contributor base in postgres isn't language related, it's that a) the easy thing have been done long ago, making the learning curve steep b) lack of time from the experienced people/committers. Most of us have other stuff and our own projects to deal with :(
I don't understand this statement. Is he saying he want to contribute to postgres, but he doesn't know C well enough, so he kindly asks the team to consider the idea of a rewrite in Rust to make it easy for him?
The logical decoder: http://pgxn.org/dist/jsoncdc
The bindings: https://github.com/posix4e/rpgffi
The extensibility of Postgres is really profound -- there are so many things you can do, and so much internal functionality you can access, without having to recompile the database. The way extensions are loaded also mitigates the risk of what can be admittedly tricky issues relating to safety. Extensions run in backend processes, not the postmaster.
If rewriting Postgres happens, I hope it would be gradual. You can replace a lot of the core with extensions, and the scope for extension is ever increasing. So say you wrote a storage engine in Rust. Writing a foreign data wrapper for it would give you a way to use it from Postgres for all your tables; but you wouldn't have to write a SQL parser, client manager, permissions system, or any of the rest of that stuff.
Although the C stuff is a little gritty, a lot of what goes on in a database is gritty "because it is" and that low-level control is needed to deliver on tail latency, fault tolerance or simple storage efficiency. For example, Postgres has code to recover from malloc failing.
Extensions could be neat, there doesn't seem to be a high-level Rust API for it (in the style of ruru or rust-cpython) yet though, only incomplete-looking bindgen: https://github.com/posix4e/rpgffi
[0] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=postgresql
Nowadays most developers comes from memory-managed languages => for us, C is a scary land where it's really hard to get things right when you don't have all the prerequisite knowledge (what's the stack ?) => the language is really old, you don't have all the fancy and useful tools and syntactic sugar (package manager, proper error handling, generics) => then we don't want to invest a lot of time to learn a difficult language that is so unproductive. => and even if we do out of curiosity, we'll most likely never feel confident enough to dig into an open-source project and contribute.
Rust on the other hand, is like C but with a personal IA assistant (the compiler) and all the syntactic sugar you're used to (and even more if you're not familiar with the ML family). That's what's attracting so many web developers to Rust !
In my opinion it means that, in a somewhat near future, the amount of potential contributors for projects written in Rust could be higher than for projects written in C. And those contributor are also likely to be more productive, thanks to the language features and tooling.
What's annoying about OP's email is that they clearly did no research on the matter. You can find many discussions on the list about "upgrading" to C++, and there has been much wringing of hands. The last I heard, it sounded like a faction was considering having the project build with a C++ compiler rather than a C compiler for better type checks and as a step on that path.
Wait, which runtime checks are you talking about ? This is a recurring FUD we often see on HN about Rust and I'd like to clarify this point.
IIRC, there is no mandatory runtime check in idiomatic Rust except UTF8 validation for strings[0]. There is no overflow checks on numbers, and no bounds checking when using iterators[1]. Another known overhead is the default use of siphash in hashmaps for DoS prevention[2], but this is not really a «runtime check».
Do you have anything else in mind ?
> Speaking of which, the PostgreSQL project is healthy and has many, many contributors.
Indeed, and as I said, I'm not advocating for a port of PostgreSQL in Rust. But for other projects that suffer from a lack of attention[3], it could be a good move.
> And while we're discussing developer productivity, I can't even imagine the build time of a Rust port.
touché, but compile time is one of the biggest focus of the Rust core team atm, so I'm confident things will improve in 2017 :)
[0]: which can be worked around if need be by using &[u8] instead of &str (see: https://news.ycombinator.com/item?id=13268051 from /u/burntsushi)
[1]: there are bounds checking when you access array elements through indexes, but most of the time you don't do that since iterators are great. If you really need to, and this have a performance impact, you can opt-out the bound checking in unsafe block.
[2]: But this is opt-out by using a different hash function, if you use your hashmap in a non adversarial environment.
[3]: like librsvg which was chronically under-maintained.
Regarding [2], I think it's safe to consider any software that takes input as operating in a hostile environment.
Just array indexing? It would be interesting to see your criticism fleshed out.
I am not sure your criticism will amount to anything if array access is it, though. Posrgres is full of custom data structures and macros as it is. StringInfo and stuff like that -- they are not just "using the language", writing nice simple C code. Probably because databases really push you to use advanced techniques in places.
I wish we didn't need bounds checking; the problem could be solved with dependently typed languages. Unfortunately Rust just panics when you access out of bounds, and doesn't warn you at compile time. Rust isn't really all that impressive.
I know nothing about Rust, but you might find Oleg Kiselyov's: "Eliminating Array Bound Checking through Non-Dependent Types" interesting.
http://okmij.org/ftp/Haskell/eliminating-array-bound-check.l...
You may also like:
http://okmij.org/ftp/Haskell/number-parameterized-types.pdf
http://okmij.org/ftp/Computation/resource-aware-prog/tfp.pdf
I don't think Rust can ever replicate the Haskell implementation identically (if we had HRTB over types), as type parametrism is gone (see: specialization RFC). However, lifetime parametrism serves a similar role in Rust, and lifetimes are closer to a concept of "instance" than types.
This is an old strawman. No one is asking the users to write Rust and a change in developer tooling doesn't by itself change things for users. The question is whether tools help developers help users.
The recent hype of the language is great, but I think it's really important to start seeing substantial large projects receiving productivity gains otherwise it'll attract derision and then loose its momentum.
But they would need to have a contributor and maintainer base sufficiently motivated to learn Rust and stick with it. Which will happen more and more if Firefox can be visibly shown to benefit from including Rust in their toolkit.
(TLDR: CTO comes in and says "Angular and TypeScript is old. Python is new, and Google is writing everything with it. Python is the best practices for development." Tells IT department to rewrite everything in Python. “If our team still needs to use Angular, just use the Python version.” After failing to convince CTO this is absurd, IT realizes they can do nothing and tell the CTO they totally rewrote everything in Python, since he won't know the difference anyway.)
This case isn't quite that bad, obviously. The request is more reasonable, but still seems to betray a pretty fundamental misunderstanding of the situation.
I just realised Python is roughly my age.
A CTO of a payment company, so the inquiry to see if it would be possible to replace a large C project in their stack with a drop-in replacement written in a more safe language makes sense from where he's standing.
Waiting for a flamewar on the LKML on this.
"Hey, Linux devs. I heard there is this nice language called Rust. Do you mind rewriting your OS in this? Ok, might not be possible over the weekend, but maybe over a year? Maybe use some Deep Learning to automagically transform the code?"
I smell an upcoming Linus Rust rant.
Note that the OP has, afaik, no involvement in the rust project. Nor has he done much hacking on postgres. Don't think the rust people can be blamed for that one.