Mostly because we are an immensely ignorant industry jealously guarding what little scraps of knowledge we gleam.
Theoretical computer science results get ignored for decades, until people like Carmack randomly sit down and read a book. (The rest of the world then gets to read about it years later in a biography, and it's still revolutionary since nobosy else sat down to read a book in the meantime.)
A lot of institutions know how to write efficient, safe software, but at best will talk about it in a blog post, their experience will never filter down into classes to teach the next generation.
And because that's not bad enough, we try to suffocate every possible problem with "more headcount", since that's easier than actually figuring out what your core problem is.
I think most computer science is inaccessible to the average programmer, who can't read and understand a mathematical proof either.
That's not to say the average programmer is a dunce. The opposite. It's simply that science and theorems are part of scientific discourse. They are usually not complete proofs and come with nuanced caveats and limitations.
It takes someone with scientific training and discipline to take that, and turn it into a feature for some IT product.
Not your average programmer. I don't think it's realistic at all to expect the IT industry at large to do these things.
That's what industry- and field- standards bodies used to do. They provided guidance and examples in that can be applied by the average programmer. These used to be sponsored by companies in their respective fields. But these days the focus is more on open source. Which has its own advantages and disadvantages.
I think the metric used to be every five years. If that's gone up to every two years that would be interesting. Do you have some sources for this? Five years is bad enough btw.
But in the end you get what you pay for in this industry. Programming jobs pay pretty well of course, which is because there is both scarcity and a lot of demand for them. Experience is even more scarce and not all companies are willing to pay for it. But mostly the issue is really companies trying to do things on unrealistic budgets with people that aren't necessarily very good at what they do.
I'm actually turning 50 in a few months. I recently got to work with people that are actually older than me, which is very unusual for me. Usually I'm the oldest in the room and at this point old enough to be some people's daddy even. I worked with a few interns 30 years younger than me recently, for example.
Mostly I actually prefer working with young people over older people in my teams. More mental agility and less set in their ways. I actually hate that in myself when I catch myself. Mostly older doesn't necessarily mean wiser.
I disagree with the calls for regulation here btw. The issue is not with engineers but with their employers not willing to pay for them to do better. There are plenty of certifications, security reviews, etc. that you can pay for. The issue is companies not doing that, skipping it, or treating it as a box ticking exercise and generally not taking it seriously. This stuff doesn't necessarily lead to good engineering decisions. Most banks are a good example of lots of ass coverage in that form combined with lots of technical debt. They buy plausible deniability, not better engineering.
> I disagree with the calls for regulation here btw. The issue is not with engineers but with their employers not willing to pay for them to do better.
Wouldn't regulations compel the employers to pay for better quality? I thought that was the most common need for and benefit of regulations.
Nope. Unicode correctness is much more complicated than switching char to wchar_t. Many glyphs take multiple codepoints or multiple character units in either utf-16 or utf-8. You need something like the break iterator "character" separator in ICU.
i guess that's what spikes interest. although strlcpy was first introduced in openbsd 2.4, 26 years ago! back then as a drop in replacement for strcpy.
so yeah, good things need time to adopt, no wonder it's not up-to-date tech, lol.
and because of NIH-syndrome we now got lot's of strXcpy functions to choose from.
There was just some patch that added '/' protection, because that's the only character that's not allowed in filenames.
https://github.com/openbsd/src/commit/46f7109a9e03df89b66ada...