

Oh so… there actually aren’t “so many other good tools out there that don’t pull this kind of shit [have bugs]”…




Do you know of an alternative to VSCode that has no bugs? That would be amazing!


Tbh while DST (or just “testing” as hardware people would call it) is very obviously a great idea, I’m not sure it would have helped here - in order to detect these TOCTOU bugs you would need stimulus that triggers it and some kind of checker/model that has the correct behaviour.
That’s totally possible but it’s pretty hardcore testing for a software project and it’s difficult to imagine doing that without realising that you have a TOCTOU issue just by inspection.


Sooo evil, making a great editor available completely for free that you don’t have to use at all. How dare they? Practically Hitler!
The entitlement is off the scale…


the researchers guided mythos to the vulnerabilities, not the other way around
I don’t think that’s true, based on what I read.


I haven’t used Java for decades and never used .net so I’ll take your word for those. Absolutely not for C++ though.
Go’s standard library has:
C++ has none of that. Hell C++ only got a function to check if a string starts with a prefix a few years ago.


I think the only mainstream language with a standard library that is both good and comprehensive is Go. All of the others either have smaller standard libraries (e.g. Rust) or poorly designed ones (Python).
Yeah Ruby sucks but that was an interesting read, and the way they used Serde to decode Ruby values is a very clever trick!