
> From my understanding that means that now Rust can be used for the development of security critical software in automotive.

It has always been possible to do whatever you wanted in this respect, Ferrocene means that you don't have to go to more trouble than a competitor who does their software development in a similarly qualified C++ software suite.

Rather than pay some number of people to explain why it's OK that you didn't do the boring normal thing, you can pay Ferrocene for their paperwork which says actually Rust is just one of the boring normal things.

Is "boring normal thing" good enough? Well, on its own I'd argue it's not even close, but pragmatism rules the day, people writing firmware which is in pretty old cars were knocking it together in C with no rules, and most people didn't die, so, that's our baseline, that was apparently OK, logically a bit of that won't be a disaster... right?

It reminds me of GRAS rules. On the one hand, there's no particular reason to just assume parsnips are OK food while this random thing my chemists just invented is not - after all parsnips may be "natural" but so are all nightshades and some of them are straight up poison (and indeed the rest of Apiaceae, the family parsnips are in, are sometimes poisonous) - however on the other hand a lot of people have eaten parsnips already and they seemed fine, so, maybe that's enough reason to require tests for my chemical but not parsnips? Or at least, let's not require the tests before continuing to eat parsnips.



"It has always been possible to do whatever you wanted [..]"

That is not quite what I meant. You can always do what you want if you are prepared to accept the consequences.

German law requires the manufacturer of a technical product to take all measures objectively necessary and reasonable in order to avoid danger and harm. In automotive safety critical systems ISO 26262 is a legally well established, necessary (but not necessarily sufficient) prerequisite for that.

Car manufacturers spend a ton of money on certified compilers and toolchains for good reasons. One of them is legal compliance.

"From my understanding that means that now Rust can be used for the development of security critical software in automotive."

What I meant here is that I'm not sure if what exists today (including Ferrocene's certified toolchain) is enough to make Rust happen in safety critical automotive applications. I simply do not know enough to make that claim.


> In automotive safety critical systems ISO 26262 is a legally well established, necessary (but not necessarily sufficient) prerequisite for that.

That is true, but an ISO 26262 qualified toolchain is neither sufficient nor required to achieve certification. It certainly helps when the auditor looks at your project, but you can also opt for other measures. So you could build ISO 26262 certified software in Rust even before the Ferrocene qualification, and you still can build it using stock rustc, but it's more work. Few people will do that and will rather opt for a qualified toolchain.

> What I meant here is that I'm not sure if what exists today (including Ferrocene's certified toolchain) is enough to make Rust happen in safety critical automotive applications.

It's one of the foundational pieces, but others are qualified libraries and the entire ecosystem. So the adoption will by necessity still take time. We do have a few exciting things in the pipeline there, but that's news for another day (it's Christmas soon, not all presents at once).


Very true. I'm coming from the supplier side and in the world I know the required ASIL level is a box we have to tick, no realistic way around it. That includes using a certified compiler. Probably that is not universally true but in my bubble for all intents and purposes a certified compiler was a hard requirement. This is in no way a contradiction to what you wrote but underlines why I think a Rust compiler that is not in the way for me ticking the ASIL D box is a big thing.



