Yes. I'll leave it at this: I have serious concerns about the safety of Zig and refuse to use the language or anything written with it until its creator changes his approach when responding to critical security vulnerability reports.
Andrew, you've taken this road for years now and have only been rude and dismissive to me on Discord, IRC and GitHub for a while, despite my many attempts to reach common ground and discuss what happened with the DoS vulnerability I found in the standard library, one you acknowledged was unfortunate. You dismissed it saying that Zig should not be used in production until v1, but I (correctly) pointed out that won't stop people from using it in production. Now, for example, we have Bun.sh, and it worries me that the standard library has other "unfortunate" vulnerabilities you have also chosen to ignore that are making their way into production.
There's clearly nothing more I can say to you; I'm tired of the emotional and childish responses to my attempts to reach out. I've expressly avoided using your name and have tried to keep my critiques civil when discussing Zig the few times I have. However, you seem to find the comments every time despite this.
I wish you and Zig the best of luck.
---
andrewrk — 04/02/2020
there's no such thing as security vulnerabilities until post-1.0, which is why nobody should be using zig in production yet
I would love some context from either parent commenter here. This is the first I've heard of security concerns with zig, though admittedly I don't use it much.
Yes, I asked Dang to remove them after a conversation with Andy, as I wanted to reconcile this with him privately. Dang said he wouldn't remove the comments but would anonymize them, which I guess results in that username.
It's not really something I want to bring up again. I was asked my opinions on Zig, I gave them. The PR might not have been the 'best' solution, but the vulnerability was left unaddressed; Andrew seems to insist I misunderstood something, but has failed several times to explain why.
I hope it's since been fixed, but panicking on UTF-8 decoding errors had the potential for massive damage in my opinion.
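Added example, not code from this thread or from Zig's standard library: a small C UTF-8 decoder written the way the last comment argues a library routine should behave, reporting malformed input (truncated sequences, stray continuation bytes, overlong forms, surrogates, out-of-range values) to the caller instead of panicking, so a single bad byte from untrusted input cannot take down the process. The sample inputs in main are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decode one UTF-8 code point from buf[0..len). Returns the number of bytes
 * consumed (1..4) on success, or 0 if the sequence is malformed or truncated.
 * Returning a status instead of aborting leaves the decision (reject the
 * request, log it, replace with U+FFFD) to the caller. */
size_t utf8_decode(const uint8_t *buf, size_t len, uint32_t *cp) {
    if (len == 0) return 0;
    uint8_t b0 = buf[0];
    size_t n;       /* expected sequence length */
    uint32_t min;   /* smallest code point this length may encode */
    if (b0 < 0x80) { *cp = b0; return 1; }
    else if ((b0 & 0xE0) == 0xC0) { n = 2; *cp = b0 & 0x1F; min = 0x80; }
    else if ((b0 & 0xF0) == 0xE0) { n = 3; *cp = b0 & 0x0F; min = 0x800; }
    else if ((b0 & 0xF8) == 0xF0) { n = 4; *cp = b0 & 0x07; min = 0x10000; }
    else return 0;                      /* lone continuation byte or 0xF8..0xFF */
    if (len < n) return 0;              /* truncated sequence */
    for (size_t i = 1; i < n; i++) {
        if ((buf[i] & 0xC0) != 0x80) return 0;  /* missing continuation byte */
        *cp = (*cp << 6) | (buf[i] & 0x3F);
    }
    if (*cp < min) return 0;                        /* overlong encoding */
    if (*cp > 0x10FFFF) return 0;                   /* beyond Unicode range */
    if (*cp >= 0xD800 && *cp <= 0xDFFF) return 0;   /* UTF-16 surrogate */
    return n;
}

/* Validate a whole buffer. Returns -1 if every sequence is well formed, else
 * the byte offset of the first malformed sequence. */
long utf8_first_error(const uint8_t *buf, size_t len) {
    size_t pos = 0;
    while (pos < len) {
        uint32_t cp;
        size_t n = utf8_decode(buf + pos, len - pos, &cp);
        if (n == 0) return (long)pos;
        pos += n;
    }
    return -1;
}

int main(void) {
    /* constructed inputs: "ok" followed by a truncated 3-byte sequence */
    static const uint8_t truncated[] = {'o', 'k', 0xE2, 0x82};
    static const uint8_t euro[] = {0xE2, 0x82, 0xAC};
    printf("truncated: error at %ld\n", utf8_first_error(truncated, sizeof truncated));
    printf("euro sign: error at %ld\n", utf8_first_error(euro, sizeof euro));
    return 0;
}
```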