
> The criticality is not to have the CVE in the first place.

I guess the most critical part of a Linux Kernel is being able to compile it in the first place for the architecture you're using.

Virtually every platform/architecture out there provides a C compiler.

Can't answer on the CVE part, we have no data to discuss the matter in a meaningful way.

There's certainly hope, it doesn't mean data will prove us right.
> Can't answer on the CVE part, we have no data to discuss the matter in a meaningful way.

We have

https://msrc-blog.microsoft.com/2019/07/22/why-rust-for-safe...

https://www.chromium.org/Home/chromium-security/memory-safet...


There's literally no single data point regarding Rust.

You can't compare the number of bugs in 20-year-old C software (C++ in the case of Chrome, which is another beast entirely) with wishful thinking.


You will never have the data you're asking for. There are a number of papers about language impact on software quality and they all suffer from numerous issues: there are tons of confounding variables; use two different devs and you can't account for experience, use the same dev and you taint the second project, use two different projects and you can't account for the differences, etc.

The reality is that whatever data you want is pointless. Anyone who knows what they're talking about should be able to very easily conclude that Rust will have fewer memory safety issues than C. Arguing about that would be silly. I think to nearly the same degree that one can draw the conclusion that Rust code will have fewer CVEs than C. Generally speaking, of course. Individual projects can always be outliers.


> You will never have the data you're asking for.

Why?????

Just wait.

Obviously you can't compare 20 years of data with "a few papers".

It means you're comparing hard evidence with something that is theoretical.

Imagine this:

"Cancer has been one of the main causes of death for people around the World, but we have these few papers about this new drug that say that it can beat cancer, so we can say for sure that cancer will not be a main cause of death anymore, without even testing the new drug, because I've read it in these papers here, written by people who work at developing this new drug, so obviously we don't need no data!"

If anything, the links to the studies posted here prove that memory safety issues went down over the years, even without Rust.

Because, obviously, when going fast to develop something, you cut many corners, then, when your software is stable enough, developers can focus on improving it.

95% of the bugs were memory safety issues doesn't really say anything.

If those 95% of issues were all edge cases, does it really matter?

If 50% of that 95% was something like "in some cases the interface is rendered slightly incorrectly", does it really matter?

I am much more worried by the 0.1% of them that end up in an arbitrary code execution vulnerability or worse.

> The reality is that whatever data you want is pointless

Then why even bother?

If it's pointless, why are you even arguing with me?

You're right by design, I'm quite sure I am not.

> Anyone who knows what they're talking about should be able to very easily conclude that Rust will have fewer memory safety issues than C

Doesn't mean anything.

If you put people in bunkers alone you'll see a drop in homicide cases.

Doesn't mean it's better.

That's all I'm saying.

I'm not a zealot, not a fan, don't have a political agenda and not trying to convince anybody.

We don't have the data, that's all, if you have data then show it to me or you have to agree with me that we don't have any.

I guess you put Linus Torvalds in the group of people who don't know what they are talking about.

Sorry if I trust him more than you.

---

And the *reality* is that there are no absolute guarantees. Ever. The "Rust is safe" is not some kind of absolute guarantee of code safety. Never has been. Anybody who believes that should probably re-take their kindergarten year, and stop believing in the Easter bunny and Santa Claus.

-- Linus Torvalds


> Why?????

I... just explained. You can't control for the variables.

> If it's pointless, why are you even arguing with me?

I'm not arguing with you. I made one comment to explain that the data you're asking for doesn't exist and if it can exist it is extremely expensive to generate. Generating expensive data like that to show something obvious is not something most companies care about.

> We don't have the data, that's all, if you have data then show it to me or you have to agree with me that we don't have any.

Yes, I'm saying that there is no good data.

> I guess you put Linus Torvalds in the group of people who don't know what they are talking about

Yes, I think Linus Torvalds is incompetent. That said, I think you're actually misunderstanding his statement there.
