There's this bit from the article which might provide a hint:
> Drivers in Rust, [Greg KH] said, are indeed proving to be far safer than those written in C.
And since CVEs haven't been getting assigned to Rust code until recently, I think he's more well-positioned to opine on the safety of Rust code vs. C code in Linux than those who are only indexing off the singular Rust CVE so far.
There is relatively little Rust in the kernel, but there are even fewer Rust CVEs. In this cycle alone there were 160 CVEs, one in Rust. The first one! The amount of Rust is way less than 1/160 and even that statistic is off, because one should count all CVEs.
That is debatable, and I think untrue. It sometimes takes years to find CVEs in C code, and I don’t know of an argument why that would be different for Rust.
The fairest comparison, I think, would be with other new code of similar complexity in the kernel, and track # of CVEs per equivalent functionality (per line of code might be sufficient, but if one language is more verbose than the other, you should correct for that).
What good does that do though? They still have the bug, whether it's marked "unsafe" or not. You could mark every C source file as "unsafe" and that wouldn't magically make C a better language or have fewer bugs.
This talking point needs to stop. Rust could be a better language, but that would be because it causes fewer bugs, not because the bugs are labeled "unsafe".