ideas and the number of programming languages you can throw at someone in a class before
their brain shuts off, and many computer science classes are already at capacity.
There’s also a perception that memory-safe languages, namely Rust, are harder to learn and
will be difficult to use with hardware, which may dissuade people from learning it in the first
place. (However, most other memory-safe languages, like Python, Go, and JavaScript, achieve
temporal memory safety through garbage collection, which substantially simplifies many aspects
of programming, making the languages famously easier to learn.)
Professors also want to do their best to make sure their students graduate with the skills that will
help them find the type of job they want, which becomes a chicken-and-egg problem—students
often learn to program in C, assuming it is the universal language that will make them
easily employable in the future, which leaves companies that want to hire students who can
code in memory-safe languages such as Rust with a smaller hiring pool.
To change this pattern, the industry itself must shift. We also need more data on which
companies are hiring people who know memory-safe languages, and which require C/C++
(which will also change with time). It might also be useful to get information on companies
providing training in memory-safe languages to their engineers or writing specific projects in
them. Some of this information can be gleaned through an SBOM (software bill of materials),
which could be useful in ascertaining which of the constituent parts of a final good are
memory-safe, which old, unsupported libraries are being used, and so forth. However, hardware
vendors that self-assess and make a legal attestation of the parts in a final good may have
more information.
Distrust or Dislike of Memory-Safe Languages
The lowest-hanging fruit for memory safety is brand new code, but to be successful, we must
recognize that some programmers may find memory-safe languages more difficult or be
resistant to shifting to them. This can be mitigated by explaining that memory-safe languages
force programmers to think through important concepts that ultimately improve the safety and
performance of their code.
In some cases, the concerns exist at executive levels of an organization. Management may
distrust new languages, as well as have concerns that tools may not work properly. Perhaps the
tools are workable but there is the sense that C/C++ equivalents are more reliable or easier to
use. When people realize they need new toolchains on platforms they support—and need to be able
to debug them—the result is significant ecosystem drag. It requires significant activation energy to
bootstrap an ecosystem into something government, organizations, and individuals can buy into
without having to build expertise in the toolchain.
In some cases, memory safety isn’t yet possible. For example, IoT/embedded devices continue
to be built using C/C++ for platform compatibility.
And some resistance to moving off C/C++ is due to the sunk cost fallacy. Through joint
partnerships, it may be helpful to explain that changing languages now, rather than avoiding