Comment by johnisgood
3 days ago
You're going in circles. You've made the same point three times now without adding anything new.
Yes, memory-safe languages eliminate vulnerability classes. I said that in my first reply. Yes, people make mistakes in C. Obvious. None of this tells us anything about this specific web framework.
You dismissed it as "a terrible idea" based on the language alone. That's lazy analysis. Either review the actual code and find the bugs, or admit you're just cargo-culting the "C bad" narrative without looking at the implementation.
Have you actually examined this codebase or not?
The project is a framework for building applications on top of. The issue isn't the framework code. It's the application layer code that gets written and maintained for years to come on top of what may well be a brilliantly written framework layer.
Given that you don't disagree that C is an inherently riskier language to write in than memory managed languages, I can only conclude that what you're opposed to is the fact that I'm saying the quiet parts out loud. I'm not saying the quiet parts for you, you know them, I'm saying them for the junior devs who stumble across this page of senior devs waxing poetic about how wonderful C is. Every dev should know how to write C, but it's equally important to know its generally the wrong language to choose for a web server, which is what's being discussed here.