Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

No, they are interested, learning is fun for them too. But not everyone is interested in learning the same things you are. For me, for example, there is absolutely nothing more boring, than some new fancy framework, API or a language. I am, however, very excited to try things that might reduce amount of bugs and potential security issues in my code, make it cheaper to run, cheaper to support.


So long as you don't have to learn a language, API, or framework to do it... I'm not sure what things are left you could do differently? Your list excludes all technology-related changes, so the rest becomes meta-activities: pair programming, documentation, planning, a good nights sleep, etc. Those are excellent, but I'm curious why are you willing to change those other areas but are resistant to technological ones?

That irrational fear of technological change is exactly what I'm talking about. There's a joke around some of my friends, "What's the best way to get a mediocre .NET programmer to stop talking about safety and reducing bugs? Bring up the safest most secure .NET language that exists: F#."

As the joke goes, most of these developers are confronted with the reality that they don't really care about bugs enough to even bother learning a different fully supported .NET language that will find entire classes of bugs automatically and is orders of magnitude safer than C# and is faster to write.

Most people when they have told me they "care about bugs, not languages" have been just saying something nebulous to kill the discussion and defend their life choices.

I'm not trying to be snarky to you, I'm actually very interested to know what changes you've made that are not technological to reduce bugs, fix security holes, etc. I'm always on the prowl for such stuff, and this sounds intriguing.


Let's see, I'm learning about unscented Kalman filters, moving object tracking in computer vision, PCA, and more. I'm learning about the problem domain that I'm working in. I have no interest in learning yet another API unless I absolutely have to, because it isn't really interesting knowledge that I have to call the fibble() function before calling xacxtyor() in this poorly documented API. That's not learning, it's the accumulation of facts.

Of course, sometimes learning new API/languages enables meaningful learning, and I'm all for it. Want to quickly get a handle on Kalman Filters? Probably a lot faster to put something together with numpy (say) and experiment on the REPL than to program it in a performant language like C or C++, even if that is where it will eventually end up running in your project. So, yes, there's a great reason to learn those languages (or Julia, or whatever).

But the endless march of APIs is pretty tiring to me, and I do everything I can to isolate myself from that. I'm pretty happy writing my C++, and Python (2.7, btw), while trying to solve rather hard problems.

Another way to put it - what I value is intellectual work, not memorization/puzzling things out. Learn a new math technique? Awesome! Learn a byzantine set of calls I need to make to make a widget widge on the screen? Not so much.


Well it sounds like you have no qualm learning the right tool for the job. I would consider numpy to be an API, but the difference here is it's one that helps you with your domain. If widging widges was your domain I'd expect the professional thing to do would be for you to learn that API. I'm talking about people who in your job wouldn't bother with Julia or numpy and would just trundle along with C.


This is great, but it's not addressing the point, which is "I am, however, very excited to try things that might reduce amount of bugs and potential security issues in my code, make it cheaper to run, cheaper to support."

Also, if you like math go learn some functional programming. The ideas of abstract algebra, which you will encounter in FP, are increasingly relevant to machine learning as well. E.g. http://jmlr.org/proceedings/papers/v28/izbicki13.pdf


> But the endless march of APIs is pretty tiring to me

i hear you on that one

> and I do everything I can to isolate myself from that.

but still, you can't stop thinking about design entirely. when a new ideally-pure-C-but-C++-if-you-really-need-stl library is ready to actually be put to use you'll have to put an api of some sort on it. hopefully that api will be informed by your use of other people's apis, both good and bad.

don't forget that the whole point of computers is that they're immediately useful. you can still do most of the math you want with a pencil, paper, and stack of books.


  > I'm not sure what things are left you 
  > could do differently?
There are so many thing that are left - one cannot do them in a lifetime! Analyze as much bugs as you can, invent your own language that prevents them from happening, write your own compiler for this language, make it fast, with better memory management, not some stop-the-world GC, but with something, that honors low-latency and so on.

EDIT: As RogerL is saying, useful to me intellectual knowledge is what I want to learn. It's pretty much never the same thing as anyone else in the room wants to learn.


So clearly you are not the class of person I have ever dealt with in the past. It would be an incredible breath of fresh air to work with someone who cares enough about their work to write their own compiler for it.

Right now I'm working through SICP, having just finished PLAI, do you have any suggestions for a book on compilers I could do next? I was recently steered away from the dragon book as it's "missing a lot of recent compiler research", but that person had no good alternative.

I think there is definitely three main groups of software people: those that wire together languages and frameworks, those that write languages and frameworks, and those that use a tiny subset of languages to do research. My problem is I think I've been heading down the path of learning that leads more to the second, and you sound like someone who manages to do a job similar to mine, but by being good at that second far more interesting path. I'd be really interested to hear any advice you have. Do you basically have to just work alone?


I found this book on compilers to be rather up-to-date, clear and useful when you start going into the topic: http://www.amazon.com/Engineering-Compiler-Second-Edition-Co...


There are a lot more interesting things in CS than 100 different mvc frameworks and 20 upstart languages that do exactly what LISP did in 1960.


Oh sure, right now I've been deep into Scheme as I just finished PLAI and am halfway through SICP. I'm not chasing every new Perl derivative every six months, but I'm mostly stuck in the day job using C#. It feels constraining to be learning all this awesome about languages and not get to use most of it, hence the desire to sometimes try other languages at work.

What sort of things have you been learning that you would recommend that are off the beaten path of just another mvc framework? I'm thinking of learning about compilers next, but I'd like a book to work through rather than just "the internet". Also I'm trying to catch the type safety bug by working through Real World Haskell, I'm open to other suggestions for that too.


there is absolutely nothing more boring, than some new fancy framework, API or a language

Hear, hear. There must be 100+ "frameworks" out there, all for the task of rendering a web page. If you learnt them all, you would be stupider than when you started. Pick a handful of technologies - ones that will last - and get deep into them. Step off the crazy treadmill and go for quality, not quantity.

If you had gotten into a "full stack" (lol) of Unix, Oracle, C++ in 1994, you would still be very, very employable today as long as you remained more or less current with them, and you'll still be in 2024. Whereas if you learn "frameworks", you'll be starting again from scratch every year or two.


What's the best way to determine quality over quantity?

Is it best to wait languages out for a while and see how much they are adopted by others first?


If your main concern is reducing bugs and security issues, then you really should look into modern typed languages like Rust.


I did, doesn't seem to be particularly focused on neither bugs nor security.


Wow, we have a very different reading of Rust.

Safe concurrency and memory management doesn't lead to reduced bugs? Eliminating unsafe memory access doesn't lead to increased security?


You are assuming that most of the languages people use don't have safe automatic memory management, right? This is of course incorrect. Now, lets compare Rust and Go, what makes Rust programs have fewer bugs, than Go programs? Is there any supporting research that shows how Rust eliminates any particular class of high level bugs? No, there isn't. So, no, Rust doesn't focus on eliminating bugs.


I'll make one effort in good faith to answer your questions, though I expect you're not interested in hearing the answer.

There is a class of programs where manual control over memory layout is important. For example, if you're writing an OS, as Mozilla is, you need this control to talk to hardware. It is also important in some domains where performance is important (e.g. games and big data.) Rust is the only language (outside of research) that offers control over memory layout while also providing memory safety. That is, no access to uninitialized memory, etc. This clearly eliminates a huge class of bugs relative to C/C++, the only language with substantial usage in this space.

Race conditions (data races) are considered important enough by the Go developers that they have a tool to detect them: http://blog.golang.org/race-detector In Rust these error cannot happen as programs containing data races cannot compile.

Then there is the usual modern type system stuff of eliminating nulls and so on.


I don't like arguments like that, as they don't have any supporting data. I happen to analyze significant amount of bugs in a large C codebase and things you are talking about don't seem to be as important, as you claim. But well, this is what's wrong with programming languages, nobody cares enough to do some research. That's ok though, we just think about languages differently.


I find it very strange to see an argument that memory safety is not an important property. Here are some arguments for it's importance:

"Memory error exploitations have been around for over 25 years and still rank among the top 3 most dangerous software errors."

http://www.isg.rhul.ac.uk/sullivan/pubs/raid-2012.pdf

Or see work on static analysis of kernels and device drivers like http://research.microsoft.com/pubs/74567/eurosys2006.pdf

I'm very interested to hear what you consider more important sources of errors.


I didn't say that memory safety is not important. I was talking about the need to control memory layout and other bells and whistles.

Anyway, you suggested Rust under false assumptions. Rust doesn't care about reliability and security any more, than most of the modern languages. Even Perl with its taint mode is more secure, than Rust.


Mozilla's Gecko team is incredibly interested in both uncompromising performance and strong security. Rust is the first language in industry to offer the zero-overhead abstractions of C++ while retaining memory safety (with the exception of perhaps Ada, which has never taken off outside the government sector).

You seem remarkably uninformed as to what Rust's goals are. Allow me to enlighten: reliability is a big, big deal to the Rust developers. Security is a big, big deal to the Rust developers. Speed is a big, big deal to the Rust developers. Memory efficiency is a big, big deal to the Rust developers.

As for your mistaken assertion that such efforts at memory safety are unnecessary in real-world code:

https://groups.google.com/forum/#!msg/mozilla.dev.servo/ufJM...

  >>> * Do we have data showing how many security bugs we could be avoiding in
  >>> Servo in comparison to Gecko? Is the security benefit truly as valuable
  >>> if expected performance benefits don't pan out?
  >>
  >> We've been talking to some members of the security team (Jesse, Brian). In
  >> general the main class of security vulnerabilities that Rust offers a layer
  >> of defense against is memory safety problems in layout, rendering, and
  >> compositing code. Use-after-free is the big one here, but there are others.
  >> I'm not in the sg so I can't run the numbers myself, but I am told this
  >> constitutes a large class of security vulnerabilities.
  >>
  >
  >A quick scan suggests that all 34 sec-critical bugs filed against Web Audio
  >so far are either buffer overflows (array-access-out-of-bounds, basically)
  >or use-after-free. In many cases the underlying bug is something quite
  >different, sometimes integer overflows.
  >
  There are 4 sec-high bugs --- DOS with a null-pointer-deref, and a few bugs
  reading uninitialized memory. The latter would be prevented by Rust, and
  the former would be mitigated to the extent Servo uses the fine-grained
  isolation Rust offers.
  
  There are no sec-low bugs.
  
  Web Audio is an example of a feature which has very little security impact
  of its own. Its security impact is entirely due to bugs where violation of
  language rules can trigger arbitrary behavior. Rust prevents such bugs. A
  lot of Web features are in this category. 
TL;DR: Firefox's Web Audio component, which in theory ought to have practically zero attack surface, contained at least 34 critical and exploitable security vulnerabilities. All of these were a result of the lack of safety afforded by C++. Rust would have made these vulnerabilities impossible.


This is pointless. Of course memory safety is necessary, I never said that it isn't. I was assuming that any sane person would understand that. And guess what? Most of the mainstream languages are safe in that regard. So you cannot claim, that Rust is particularly safe, it isn't. It's safer than C and C++, but that's about it. And that's ok, no need to be offended.


I'm out; this discussion is not productive to me. You have given no evidence to back your claims -- you have no data, to use your phrase, though you are so keen to see mine.

Specifically:

I gave examples of the need to control memory layout and memory allocation.

I gave examples of Rust's features leading to reliability and security -- memory safety and absence of data races.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: