The syntax is of course very Rusty, which is cool. However, a sort of obvious question comes to mind - what is the benefit of this over just writing Rust, then? Just because the compile times are shorter?
EDIT: should mention I understand why embedded scripting languages exist, having embedded Lua many times. And I love a lot of these features, but to me having an embedded scripting language should simplify the language/API surface area instead of mirroring it almost 1:1. That's what I'm a bit undersold on.
I'm the author of a Rust-based task manager (not (yet) FLOSS, unfortunately), where we needed "pluggable task sources" (Jira, GitHub, Trello, etc).
In our setup, the "sources" are more like configuration. Whereas the core, the business logic, is more like code.
Typically, one would configure with e.g. YAML, as we can see in many projects that have a DSL in YAML (k9s, GitHub Actions, Ansible, etc).
But rather than inventing another DSL in YAML, we realized we do need some logic, something very poorly expressed in YAML. And we went for Lua.
Long story to say: if your config typically has some logic in it, it makes sense to go for an embedded scripting language to provide it, rather than building it into the core domain, or to invent yet-another-yaml-amalgamation (yayamla?)
Hot-reloading. You can edit your logic without rebuilding and restarting the host application; this cuts your iteration time from minutes to seconds, especially if the application is in a state that would need to be recreated.
Other commenters have given most of the reasons already, but since you asked specifically for the author, I'll chime in as well.
The fact that Roto gets compiled at the runtime of the Rust application is very important. That means we can ship a binary and still allow scripting.
We also believe that Rust is too complicated for our use case in some respects, we're trying to make something simpler. Our target audience for Rotonda is not people who necessarily know Rust. We can never be as simple as Lua because of the static typing, but we're trying our best.
And finally, we don't have to ship the entire Rust toolchain with our application. Roto is fully embedded into the binary with no external libraries needed and that's quite nice in practice.
Well something needs to be done urgently, before hospitals and critical infrastructure start getting ransomware infected on a daily basis. This isn't an unlikely scenario either, all it will take is one well resourced attacker to spin up thousands of decensored agents and have them pumping out attacks 24/7. I'm actually kind of surprised it hasn't already happened. TeamPCP is just the beginning. We're lucky they're not using ransomware, otherwise the carnage would be 100-fold.
Then the corporations, medical system, etc. need to help support the people who make OSS software if they want the immediate, urgent change you're suggesting.
Those are individual revenue streams, distributed at a very granular level across the world.
LLMs are currently relegated to individual for-profit companies. They collect that money. There's no other choice to use them and to provide them that money.
When I'm sitting in the plane that has CAS firmware, I'd like to think it wasn't written by an LLM and that my death in the case of a CAS failure isn't chalked up to "some engineer somewhere gets in trouble".
There probably already is generated code in there, only it was generated from UML. I don’t think that LLM generated code will be treated differently from the point of view of the relevant regulations.
That doesn’t matter. Once the code is generated it doesn’t change. The reviewed artifact in a safety critical codebase is the last abstraction layer before a fully certified compilation pipeline. So usually it’s not the UML but the generated code.
As the victim of the one from last year, it wasn't particularly fun to read.
The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.
In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panic. I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.
The attack last year wasn't me misunderstanding security. It was the sum of many, many small things (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.
> The implication that I don't know what I'm looking at, or that I don't know what security is (despite having a clean track record for about 15 years now) was a bit aggravating.
I'm a security geek, a clean track record means much less to me than anyone would expect. The comment from the article mentioning that there was no evidence of exploitation explains why. I would never have noticed that implication, because I don't think it exists (and it's completely unreasonable if it does), so that's your own deal... it's not a good conclusion to take from the article.
The only thing that matters is how much any given owner cares. Are they willing to go the extra mile to make sure things get done correctly. That's the best signal about if you can trust a project. Seems like you give a shit, so I wouldn't be too hard on yourself. The people that matter can tell, (everyone who can't tell is already willing to lie so they can be safely ignored!)
> In fact, even months later, the lasting effects have been panicking over anything that is remotely suspicious. The most recent example was just a few days ago. Had just gotten on the plane to go on vacation when someone Liked the original "I've been pwned" post on Bluesky. I misread the notification as being a new message to me saying "You've been pwned" and started to panic.
You haven't dealt with it yet, if you want to get your attention back so you can spend it on more important things than worrying about something from the past, you gotta talk to somebody. A therapist would help the fastest, but friends and family are often just as good.
> I'd have had no way to address it and it would have ruined the small chance per year I get to have a break.
Seriously, having been there myself it's not worth it... you're just allowing them to DoS your brain by allowing them to live rent free in your head. The only thing that matters is how seriously you take the remediation. Attention to detail, and the willingness to go the extra mile for security defects to tie up all loose ends is what matters. It's not your job to fix everybody's issue yourself, even if they don't or can't. You still have to enjoy life, or you burn out, and some idiot that doesn't care will take your place. Then they really win.
You're not responsible for the security or stability of anybody using nightly packages. (Only maintainer signed and tagged releases)
> The attack last year wasn't me misunderstanding security. It was the sum of many, many small things
So, a misunderstanding of how the little things actually impact security?
> (my history with and perception of npm especially w.r.t. their security posture and poor outreach over the years, being stressed out overall, and being in a rush at that particular moment, and a few other personal things) coming together in a perfect storm that resulted in the attack.
Those other personal things are the kind of thing that being able to enjoy a vacation makes much easier. You can't help anybody if you don't put on your own mask first... Well... You definitely can, you're obviously trying to now, but it's needlessly harder.
Npm, and the JavaScript ecosystem, is a fucking joke. It's a mistake to blame yourself (or any maintainer) for how difficult it is to meet the bar for both security and accessibility. Worrying about the difficulty in consistently demonstrating the perfection required for security is a fool's errand, and you're allowing the bad guys to get what they want by letting it live rent free in your head; it won't go away for as long as you worry about it more than you talk about it.
And I say all of that as the person who has multiple times, made the argument that it's perfectly fine to name an engineer and their decisions or incompetence as the root cause analysis in an official incident report. (Pilot Error is a thing): If I thought you were responsible, or had done anything wrong, I'd gladly blame you. Smart people don't care about mistakes, because they are always noise in the signal. I care about effort. People who give a shit are much more important and valuable.
You don't really, but the entire ecosystem is quite ergonomic for people who don't want to fiddle with software, connections, config, permissions, etc. and Just Print something.
Not defending Bambu. The UX is quite straightforward and easy, however.