23 comments

[ 2.6 ms ] story [ 35.2 ms ] thread
> For each of our companies to donate $256,000 in monthly installments over the next two years, with Synadia matching TigerBeetle, for a total of $512,000

Why over 2 years?

Like VC investment, Id assume a lump sum up front allow them to move faster with that money (hiring the right people sooner, etc.)

I wonder if projects like this care more about predictability of income (e.g. not hiring people depending on future funding to sustain them)

Is nats not written in go? Or does this foreshadow a switch to zig?
Real programmers would have donated $524,288. But seriously good news nonetheless.
Joran from TigerBeetle here!

Zig has changed my life, and our team, by making TigerBeetle possible. It's been an incredible journey these past 5 years, and excited that we can now pay it back (and forward!) to the Zig Software Foundation, also matching with my friend Derek Collison and Synadia in doing so.

Thanks to Andrew for creating something beautifully special for the world in Zig, and to all the Zig core team and communities.

If you don't yet donate to the foundation, please consider doing so: https://ziglang.org/zsf/

In performing an assessment of which ecosystem and PL to use to develop our high-integrity automation software for mission-critical applications, we assessed Rust, Zig, and Ada/SPARK. Rust had the support behind it from a big corp., a passionate developer community, and some adoption by significant entities, but none with cyber-physical systems. And it has been interesting to see some developers leaving Rust for Zig for the sheer enjoyment of using it instead. Our software will be controlling machinery overhead and other close coupling with machinery and people. Rust does not have the legacy in these areas or the ecosystem to cover formal verification. Zig was considered, but was even more new than Rust, and had similar disadvantages as listed for Rust. SPARK, a relatively newer PL, a subset of Ada, has legacy in high-integrity, mission-critical applications, and formal verification tooling that along with human review, makes it the strongest choice to meet the government's latest push for such critical software, and the language though verbose, is low friction to learn and apply. I found Zig to be a great second choice, and look forward to both Rust and Zig's future. Glad to see Zig moving along since Andrew started it. Congrats Andrew and the team currently pulling this off!
That's about 1 year's worth of salary of a full-time dev.
That's a pledge only! Let me know when Synadia & TiregBeetle actually send money to Zig Foundation.
> We run a fuzzing fleet of 1,000 dedicated CPU cores 24/7.

that a lot

The reason for not choosing Rust still doesn't make any sense to me. If you don’t want to OOM, need correctness, are following the power of ten (where you aren’t allocating anyways), I don’t see the conflict or harm of additional enforced correctness.

Also, Rust does support checked arithmetic and has stable toolchains.

Is Synadia related to Shazam? The logo is pretty much the same.
I'm absolutely struggling to understand what Synadia even does. it's been an infuriating experience navigating through their marketing site. It's been minutes and I still don't understand what it is. What is NATS?

Edit: I had to google what NATS.IO is. The marketing site is infuriatingly useless. Please, can we stop doing this?

Edit: At the bottom on the footer it says compare NATS to Kafka. It took me to a page that requires me to enter my email, name, and a message in order to download the white paper. I flipped over my desk in rage.

Yeah, that is a lot more insightful than Synadia's marketing spew, thanks.

The BDFL point is particularly interesting to me having followed C++ for almost two decades and having been disenfranchised by the inconsistency of the design. I am more of the belief now that a BDFL is the right model for programming language design, particularly one that isn't insular and listens to feedback, but upholds their vision for the language above all else.

640k ought to be enough for anyone.
This is great news! I do wish that they had push a little bit harder to get $524288 though
> In all these things, what impressed me most was Zig’s approach to safety when working with the metal. Not in terms of an on/off decision, but as a spectrum. Not aiming for 100% guarantees across 1 or 2 categories, but 90% and then across more categories. Not eliminating classes of bugs, but downgrading their probability. All while preserving the power-to-weight ratio of the language, to keep the language beautifully simple. - From TigerBeetles blog on this

Such an excellent summary. I've been trying to communicate this regarding the difference in Rust and Zigs approach to memory safety, and Joran does it so much better than I ever could.

(comment deleted)
I'd probably agree with most in the comment section. Comparing Rust & Zig is not productive. I spent the last month familiarizing myself with Zig after having done a 2 years stint with Rust and Zig is a much younger language with a far smaller ecosystem to work with. If I were to reach for C i'd recommend Zig. If I were reaching for C++ then it would be Rust.

Both are fantastic languages and I hope to see them both evolve in years to come. Zig has a longer road ahead but it really is elegant and simple to work with.

This reminds me that the Rust Foundation is a 501(c)(6) and not a 501(c)(3) like the Zig Software Foundation. To me, the Rust Foundation would do better for the community if they were a 501(c)(3) and more transparent about finances.
it seems Zig is gaining a lot of momentum, I've never coded in it but it seems like a very interesting language. I hope it succeeds.
jorangreef: Could you elaborate on what aspects of Zig made it the preferred choice for TigerBeetle compared to C++? I understand the C type system has limitations.

I’m particularly interested as I’ve encountered similar challenges with intrusive data structures in my own work.

This isn’t intended as flamebait. I’m trying to understand Zig’s long-term positioning and design philosophy. I have serious confusion about the type of problems Zig is aiming to solve. In my view, Zig is not solving the actual hard problems in systems programming and it doesn't have the foundation to either.

Memory safety? Still entirely manual. Race conditions? Nothing in the language prevents them. There’s no ownership model, no lifetime analysis, no way to tie resource management to the type system. Compare that to Rust’s borrow checker or modern C++’s RAII and concepts. Zig’s type system is shallow. comptime is nice for generating code, but it doesn’t give you formal guarantees or expressive power for invariants, safety, or correctness.

The type system itself has no serious formal grounding. It can’t encode complex invariants, can’t track aliasing, can’t enforce concurrency safety and can’t model safe resource lifetimes. These aren’t academic extras — they’re exactly what decades of research in programming languages, operating systems and concurrent computing tell us you need to scale safety and correctness. Zig ignores them. Performance? When the policy is in the type (allocator choice, borrowing/ownership, fusion shape), Rust/C++ compilers can specialize, inline, and eliminate overhead. In Zig, the same policies are usually runtime values or conventions, which means more indirect calls, more defensive copies and fewer whole-program optimizations.

Concurrency is another major gap and in a real systems language, it cannot be an afterthought. Even if Zig isn’t currently aiming to solve concurrency or safety, a “serious” systems language inevitably has to, because these are the problems that determine scalability, maintainability and security over decades. The async model in Zig is little more than manual coroutine lowering: the compiler rewrites your function into a state machine and leaves correctness entirely to the programmer. There’s no structured concurrency, no safe cancellation, no prevention of shared-state hazards. Without a concurrency model that integrates into the type system, you can’t make guarantees about thread safety or race freedom and you end up relying entirely on discipline (which doesn’t scale).

Even in its most-touted features, Zig seems to be solving syntactic sugar problems, not the important systems problems. defer and errdefer? They’re effectively cleaner syntax for patterns C has had for decades through GNU’s __attribute__((cleanup)) or macro-based scope guards. Error unions? A nice alternative to out-parameters but just syntactic polish over an old idea. comptime? A more integrated macro system but still aimed at reducing boilerplate rather than providing deeper correctness guarantees.

The allocator interface? Another missed opportunity. Zig could have made it type-aware, preventing allocator misuse and catching entire classes of errors at compile time. Instead, it’s basically malloc/free with slightly cleaner function signatures. No safety net, no policy enforcement.

Zig discards decades of research in type systems, concurrency models, safety guarantees, and memory management, then reimplements C with a few ergonomic wins and leaves the hard problems untouched. It’s a restart without the research and not systems language evolution.

I am not a Rust fanatic but by contrast if you’re moving away from C++ or C, Rust actually tackles the big issues. It enforces memory safety without a garbage collector, prevents data races in safe code through its ownership and type system, offers structured concurrency with async/await and has been battle-tested in production for everything from browser engines to operating systems to...