Best practice when using .unwrap() in production code is to put a line of documentation immediately above the use of .unwrap() that describes the safety invariants which allow the unwrap to be safe.

Since code churn could eventually cause those safety invariants to be violated, I think it’s not a bad thing for a blunt audit of .unwrap() to bring your attention to those cases and prompt to reevaluate if the invariants are still satisfied.

But only if pattern matching were included, otherwise they would be as unpleasant as C++'s std::variant.

This makes a lot of sense, but the functions were Rust bindings for plain C functions, they weren’t function pointers. Granted I could have put pointers to the function bindings into fields in a struct and stored that struct in the mutex, but the ability to anyhow call the bindings would still exist.

It’s a massive win, and I would question the credibility of any systems programmer that doesn’t recognize that as soon as they understand the wrapper arrangement. I would have to assume that such people are going around making egregious errors in how they’re using mutexes in their C-like code, and are the reason Rust is such an important language to roll out everywhere.

The only time I’ve ever needed a Mutex<()> so far with Rust is when I had to interop with a C library which itself was not thread safe (unprotected use of global variables), so I needed to lock the placeholder mutex each time I called one of the C functions.

Which is exactly the position that the Rust for Linux devs have understood and accepted for themselves, and yet they still get yelled at (literally, in public, on recordings) by C Linux devs for existing.

Oh and they get snidely told that introducing the Rust language must be a mistake because suggestions to introduce other languages to the kernel turned out to be mistakes and obviously Rust is the same as all those other languages according to C developers who, by their own admission, have never used or learned anything about Rust beyond a superficial glance at some of its syntax (again this was recorded from a public event).

I do think that specific point is catering too much to sloppy get-it-done-fast-and-don’t-think developers. It’s true that they are Rust’s most untapped demographic, and the language won’t reach the pinnacle of mainstream usage without getting buy-in from that group, but I really think they’ll be won over eventually by everything else the language and ecosystem offers, and .unwrap() won’t be such an unreasonable price for them to pay in the long run.

The ideas in the article are great, I’m just a little confused by some aspects of the author’s tone where it sounds like there’s an assumption that the Rust community isn’t interested in expanding the scope of the language to every conceivable use case domain and height.

For the 4 years that I’ve been paying attention the Rust language is advancing faster than I ever thought a language is able to, but more importantly that advancement has been sound and sensible. So far I haven’t seen a language feature make it into Rust stable and thought “Oh no that was a mistake”, even as features roll in at an incredible rate.

Compare that to the C++ ecosystem where I feel like almost every new language feature is arriving very slowly while also being poorly executed (not that I think the ISO committee is doing their job badly; I just think it’s effectively impossible to make new language features in C++ without gross problems so long as you demand backwards compatibility).

I fully expect everything in this very sensible list to make it into the language at a reasonable pace. I don’t object to the “bikeshedding” as much as the author here seems to because I’d appreciate if Rust can avoid painting itself into a corner with bad language design choices the way C++ has. If we’re talking about language ergonomics, I’d rather suffer some tedium now while waiting for a feature to be polished than be stuck in a corner forever in the future because a bad decision was made.

One example I can think of is I’m not convinced that his proposal around kwargs for function arguments is a good thing, at least not without some serious thinking. For example should it support the ability to reduce foo(a, b, x: x) to just foo(a, b, x) like what’s done for struct construction? If so then the optional arguments start to look too much like positional arguments and the syntax starts to get questionable to me. On the other hand if that simplification isn’t supported then that becomes inconsistent with other parts of the language. So this is something that I believe requires a lot of serious thought, and maybe the better answer is to have built-in macros for generating builder structs

That being said, the edition system of Rust could afford us some leeway on not being forever trapped with a bad language design choice, but I don’t think we want to rely too much on that.

Considering most JIT compilers for JavaScript are written in C++, I can’t conceive of a reason you couldn’t implement one in Rust.

Is part of your requirement that unsafe doesn’t get used anywhere in the dependency tree? If so you’d have to take away most of the Rust std library since many implementations in there have small strategic uses of unsafe under the hood.

In my entire software engineering career, which spans embedded systems to CAD applications, I’ve never encountered a case where GOTO is actually needed (but maybe some places where it can be used as a dirty shortcut to save you some lines of code).

As for arbitrary function pointers, if those function pointers are written in Rust then they’ll come with all the safety assurances afforded to Rust code. I suppose if you’re worried about the danger of running ussr-code with unsafe in it, you could probably have your JIT refuse to compile the unsafe keyword specifically.

Disclaimer that I have no experience with writing compilers myself, but conceptually I don’t see any obvious reason that someone couldn’t create a JIT compiler for Rust so that it can be treated like a scripting language and do rapid iteration…

I’m not familiar enough with what you’re trying to do to offer any specific advice. I’ve spent very little time with writing dockerfiles, and have never needed to set up a Rust toolchain in a dockerfile.

I think the first step is figuring out if nightly is really needed. If there aren’t any nightly features needed then the latest stable toolchain should work fine, and worrying about what version of the toolchain to use is a red herring.

Nightly is for language features of Rust that are still being tested or experimented with. It should only be used by developers who are eager for the latest bleeding edge capabilities and are willing to adapt if those capabilities change or get dropped entirely. Or you might use nightly if you’re a good citizen and testing out the experimental capabilities so that you can give feedback on them.

A later version of nightly could potentially change or drop the features of an earlier version of nightly in ways that are not backwards compatible. That’s why you might have to specify which version of nightly you need (potentially an older version), if you’re building something that depended on nightly features.

There are two big problems with the point that you’re trying to make:

1. There are many open source projects being run by organizations with as much (often stronger) governance over commit access as a private corporation would have over its closed source code base. The most widely used projects tend to fall under this category, like Linux, React, Angular, Go, JavaScript, and innumerable others. Governance models for a project are a very reasonable thing to consider when deciding whether to use a dependency for your application or library. There’s a fair argument to be made that the governance model of this xz project should have been flagged sooner, and hopefully this incident will help stir broader awareness for that. But unlike a closed source code base, you can actually know the governance model and commit access model of open source software. When it comes to closed source software you don’t know anything about the company’s hiring practices, background checks, what access they might provide to outsourced agents from other countries who may be compromised, etc.

2. You’re assuming that 100% of the source code used in a closed source project was developed by that company and according to the company’s governance model, which you assume is a good one. In reality BSD/MIT licensed (and illegally GPL licensed) open source software is being shoved into closed source code bases all the time. The difference with closed source software is that you have no way of knowing that this is the case. For all you know some intern already shoved a compromised xz into some closed source software that you’re using, and since that intern is gone now it will be years before anyone in the company notices that their software has a well known backdoor sitting in it.

This is exactly the use case that slotmap is meant for. I highly recommend using the library rather than reinventing the concept.