July 2, 2024
Sylvain Kerkour writes:
Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.
… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.
As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.
cargo imports over 400 crates.
crates.io has over 500 transitive dependencies.
…the official libsignal (from the Signal messaging app) uses 500 third-party packages.
… what is really inside these packages. It was found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.
…how I would do it (there may be better ways):
A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.
[stdx packages to include, among others]:
gzip, hex, http, json, net, rand
Read Rust has a HUGE supply chain security problem
Submitter’s note:
I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.
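The stdx import rule quoted above ("all packages in stdx can only import packages from std or stdx") and the transitive-dependency counts the article cites can both be checked mechanically against a project's Cargo.lock. The following is an added example, not code from the article or from any Rust project; it assumes the plain `[[package]]` layout cargo writes, parses it with std only, and runs on a constructed lock file in which `myapp` depends on `hex` and `http`, and `http` in turn pulls in `bytes`.

```rust
use std::collections::{BTreeSet, HashMap};
// Constructed sample Cargo.lock (not from any real project); `myapp` is the root crate.
pub const SAMPLE_LOCK: &str = r#"[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "hex",
 "http",
]
[[package]]
name = "http"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "bytes 1.5.0",
]
[[package]]
name = "bytes"
[[package]]
name = "hex"
"#;

/// Std-only reader of Cargo.lock `[[package]]` blocks: crate name -> its direct dependency names.
pub fn parse_lock(text: &str) -> HashMap<String, Vec<String>> {
    let (mut graph, mut name, mut deps, mut in_deps) = (HashMap::new(), String::new(), Vec::new(), false);
    for line in text.lines().chain(std::iter::once("[[package]]")).map(str::trim) { // sentinel flushes last block
        if line == "[[package]]" && !name.is_empty() {
            graph.insert(std::mem::take(&mut name), std::mem::take(&mut deps));
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']');
        } else if in_deps {
            if line == "]" { in_deps = false; continue; }
            // Entries look like `"hex"`, `"bytes 1.5.0"` or `"bytes 1.5.0 (source)"`; keep the name only.
            deps.extend(line.trim_matches(|c: char| c == '"' || c == ',').split_whitespace().next().map(String::from));
        }
    }
    graph
}

/// Every crate reachable from `root` that is NOT in `allowed`, sorted. An empty allowlist yields the
/// full transitive closure (what a build really pulls in); the proposed stdx set yields what the rule would reject.
pub fn outside_allowlist(graph: &HashMap<String, Vec<String>>, root: &str, allowed: &[&str]) -> Vec<String> {
    let (mut seen, mut stack) = (BTreeSet::new(), vec![root.to_string()]);
    while let Some(n) = stack.pop() {
        for d in graph.get(&n).into_iter().flatten() {
            if seen.insert(d.clone()) { stack.push(d.clone()); }
        }
    }
    seen.into_iter().filter(|d| !allowed.contains(&d.as_str())).collect()
}
```

With the allowlist set to the stdx candidates `hex` and `http`, the check reports `bytes`: a crate the root never named but still builds, which is exactly the transitive exposure the article is complaining about.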
Rust adoption is stagnating
Is it? I would like to see some evidence for that.
because of [the small standard library and potentially supply chain security issues]
Yeah I can guarantee that is not a significant reason for people to avoid Rust. If it was people wouldn’t use NPM, where the problem is even worse.
I do think it would be good to put some more stuff in the standard library, or even just add some kind of official sanction of de facto standard library crates like
regex
… But this author is an idiot.
Rust adoption is stagnating
Is it? I would like to see some evidence for that.
When comparing crates.io statistics
Year | Crates  | Yearly Crates Increase | Downloads      | Yearly Downloads Increase
2018 | 21,162  | -                      | 688,268,999    | -
2019 | 29,757  | 8,595                  | 1,457,578,834  | 769,309,835
2020 | 41,539  | 11,782                 | 3,079,874,235  | 1,622,295,401
2021 | 64,658  | 23,119                 | 8,235,327,111  | 5,155,452,876
2022 | 86,776  | 22,118                 | 17,546,769,164 | 9,311,442,053
2023 | 119,145 | 32,369                 | 35,556,469,191 | 18,009,700,027
2024 | 149,970 | 30,825                 | 72,083,950,414 | 36,527,481,223
By downloads, 2023-2024 has been Rust’s best year so far.
I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.
I tried reading the article and gave up because life is too short for me to read a tiresome article making points that aren’t even particularly that new.
Part of this is because the article’s author pushes a lot of sensationalist content to drive traffic to their Rust book(s). I remember similar articles several times over the last year, at least one of which was a thinly disguised ad for the Black Hat Rust book. That doesn’t mean the author is wrong, necessarily, but it does get annoying after a bit.
making points that aren’t even particularly that new.
(putting my Rust historian hat on)
Even the name stdx[1][2] is not original.
It was one of multiple attempts to officially or semi-officially present a curated list of crates. Thankfully, all these attempts failed, as the larger community pushed against them, and more relevantly, as the swarm refused to circle around any of them.
This reminds me of a little-known and long-forgotten demo tool named cargo-esr [1][2]. But it’s not the tool, but the events it was supposedly created as a response to, that are worth a historical mention, namely these blog posts [1][2], and the commotion that followed them [1][2][3][4].
For those who were not around back then, there was an obscure crate named mio, created by an obscure developer named Carl Lerche, that was like the libevent/libuv equivalent for Rust. mio was so obscure I actually knew it existed before Rust even hit v1.0. Carl continued to do more obscure things like tokio, whatever that is.
So, the argument was that there was absolutely no way whatsoever that one could figure out they needed to depend on mio for a good event loop interface. It was totally an insurmountable task!
That was the circus, and “no clown left behind” was the mindset, that gave birth to all these std-extending attempts.
So, let’s fast forward a bit. NTPsec didn’t actually get (re)written in Go, and ended up being a trimming, hardening, and improving job on the original C impl. The security improvements were a huge success! Just the odd vulnerability here and there. You know, stuff like NULL dereferences, buffer over-reads, out-of-bounds writes, the kind of semantic errors Rust famously doesn’t protect from 🙂
To be fair, I’m not aware of any big NTP implementations written in Rust popping up around that time either. But we do finally have the now-funded ntpd-rs effort progressing nicely.
And on the crates objective metrics front, kornel of lib.rs fame started and continues to collect A LOT of them for his service. Although, he and lib.rs are self-admittedly NOT opinion-free.
DISCLAIMER: I didn’t even visit OP’s link.
Well… it is true that it doesn’t have all these crates like Url included in the Rust standard library, and hence it is not official. On the other hand Url was created by Mozilla to be used in Firefox, hence it is a quite competent crate that is very well maintained. And my guess is that the http crate may have the same kind of origins… but I’m not entirely sure about that.
And even Java, which includes quite a lot, still didn’t get a good HTTP library until very recently; until then you had to rely on some obscure library created by the unknown organization Apache… so…
As a developer you always have to think about what libraries you use, and if you trust them… that goes for pretty much any language.
Developers should think about what libraries they trust, but it seems that most of the time they’ll choose whatever is most convenient for handling the immediate problems they’re working to solve.
I keep reading about the “supply chain.” I will just leave this here. https://www.softwaremaxims.com/blog/not-a-supplier
I’ve read that. Defining a supplier as someone with whom you have a direct business relationship seems intentionally narrow in an unhelpful way that just further muddies the waters around the issue at hand. Making something generally available to others means that you’re supplying others with that thing. While it’s true that you may have no further obligations to those that receive your software, the person receiving the thing needs to evaluate their risks around using and depending on that software regardless of the existence of a business relationship with the supplier. Hence supply chain risk evaluation is always necessary. That risk evaluation, or lack thereof, can result in a security problem. These problems can propagate widely within a software ecosystem. This is true with and without the existence of direct business relationships between suppliers and recipients of software.
The whole article can be summarized by saying if you want support services related to the software written by others, negotiate a support agreement related to that software. That has nothing to do with taking a wide or narrow interpretation of the word supplier.
Of the suggested packages, C++ has bytes (by not needing it), rand, and a horribly slow regex implementation, where it’s faster to start PHP to parse the regex than to use the built-in one. Yeah, I’m going to pass.