July 2, 2024

Sylvain Kerkour writes:

Rust adoption is stagnating not because it’s missing some feature pushed by programming language theory enthusiasts, but because of a lack of focus on solving the practical problems that developers are facing every day.

… no company outside of AWS is making SDKs for Rust … it has no official HTTP library.

As a result of Rust’s lack of official packages, even its core infrastructure components need to import hundreds of third-party crates.

  • cargo imports over 400 crates.

  • crates.io has over 500 transitive dependencies.

…the offical libsignal (from the Signal messaging app) uses 500 third-party packages.

… what is really inside these packages. It has been found last month that among the 999 most popular packages on crates.io, the content of around 20% of these doesn’t even match the content of their Git repository.

…how I would do it (there may be better ways):

A stdx (for std eXtended) under the rust-lang organization containing the most-needed packages. … to make it secure: all packages in stdx can only import packages from std or stdx. No third-party imports. No supply-chain risks.

[stdx packages to include, among others]:

gzip, hex, http, json, net, rand

Read Rust has a HUGE supply chain security problem


Submitter’s note:

I find the author’s writing style immature, sensationalist, and tiresome, but they raise a number of what appear to be solid points, some of which are highlighted above.

You are viewing a single thread.
View all comments
13 points

Well… it is true that it doen’t have all these crates like Url included in the rust standard library, and hence it is not official. On the other hand Url was created by Mozilla to be used in Firefox, hence it is a quite competent crate that is very well maintained. And my guess is that the http crate may have the same kind of origins… but I’m not entirely sure about that.

And even Java that includes quite a lot, still didn’t get a good Http library until very recent, until then you had to rely on some obscure library created by the unknown organization Apache… so…

As a developer you always have to think about what libraries you use, and if you trust them… that goes for pretty much any language.

permalink
report
reply
5 points
*

Developers should think about what libraries they trust, but it seems that most of the time they’ll choose whatever is most convenient for handling the immediate problems they’re working to solve.

permalink
report
parent
reply
1 point

Funnily enough the same is true for languages that have huge standard libraries. They put anything that is convenient to solve their immediate problem in there. That is how languages like Python end up with multiple of just about everything complicated in there.

permalink
report
parent
reply
5 points

Anytime anyone mentions integrating an HTTP client into Rust’s std, all it takes is one good Python anecdote to shut that discussion right down.

Having the standard library be stable and not try to add a bunch of support for changing standards is a long-term benefit to the language. Having “de-facto standard libs” with crates like url, http, etc ends up being better because they can evolve independently from the standard library, at the pace their respective domains evolve.

Although, I suppose an argument could be made that url is unlikely to really evolve anymore.

permalink
report
parent
reply

Rust

!rust@programming.dev

Create post

Welcome to the Rust community! This is a place to discuss about the Rust programming language.

Wormhole

!performance@programming.dev

Credits
  • The icon is a modified version of the official rust logo (changing the colors to a gradient and black background)

Community stats

  • 572

    Monthly active users

  • 812

    Posts

  • 3.7K

    Comments