Rob Ede - Actix Web, Life as an Open Source Maintainer, Supply-chain Security

Summary

The episode explores Rob‘s views on open source maintenance, along with many interesting side quests relating to modern software development.

We start the discussion by talking about Rob’s journey to becoming a maintainer of Actix Web, a web framework written in Rust. This moves into a discussion about the project’s adoption by companies like Mozilla and the added responsibility that adoption brings.

Rob is also the host of a new project to support crate maintainers called x52dev. This spurs an exchange that touches on Rust principles, challenges in crate maintenance, and the interplay between innovation and stability in dependency management.

Additionally, it touches on trust within software supply chain trust, compilation concerns, and how the Rust community respondes.

The episode finishes with a deep dive into the Actix Web routing system in Rust. Rob explaining how it takes provides more flexibility than Axum at the expense of being slower.

Discussion

Here are some places where you can discuss the episode:

Transcript

Intro

Tim: Welcome Rob to Compose, i t’s wonderful to have you on the show.

Rob: Yeah. Great. It’s always good to chat with you as well, Tim.

Actix Web and Becoming A maintainer

Tim: I am fascinated by Actix Web and how it has grown over the last three to five years, and how you’ve been able to kind of shepherd this project along to become one of the most prominent web frameworks that Rust has.

Rob: Um, yeah, I mean, don’t get me wrong,it was already pretty prominent when I took it over. Maybe, uh, too prominent at the time.

Tim: Let’s think about…do you feel like the weight of responsibility for something that is kind of big and important?

Rob: Oh yeah, like all the time. I think certainly when I took it over in, well, January, July of 2020, there were a huge number of crate downloads, more than any other framework at the time. And, you know, I discover over the following months, Mozilla is using this and, you know, and all these other like, big companies and I’m like, oay, this is a serious, serious business actually.

Tim: What happened before then? Like, how did you get involved in the project?

Rob: Yeah, no, how do you get involved in any open source projects really? It all started with a pull request. This isn’t, you know, I’m not the original author of Actix Web, as you know, and, um, I needed something to do with cookies, you know, for something I was doing at work, and, um, I’d been given the responsibility of, creating something at work, and I chose Actix Web at the time, version 0.7, um, back when it was using Actors. And it was this really remarkable kind of free license to go forth and produce the thing, right? Um, but part of that involved, yeah, I need to make a contribution to this open source project to get it done, so, there it was. And then I kept needing things and, uh, before I knew it, I was, you know, yeah, just sort of, you keep contributing and it keeps working.

Tim: Like a core maintainer! Nice, so, Rust at work in 2020? It seems- so whose decision was that?

Rob: Yeah, so, um, I mean, it was, uh, it was my proposal. I think I’d messed with Rust a little bit in university and I’d joined the company, uh, that I’m still with, post acquisition. So effectively, I work for Kraken Exchange and back then, yeah, um, I was part of a small team and we kind of, I think we all young developers, we knew Rust existed, but, uh, we needed a use case, right.

Tim: Right, so you needed like the problem for the solution? Rust is the solution to every technology problem I’ve hit.

Rob: Yeah, exactly. All we knew really was that we didn’t like JavaSpring. So, um, I proposed this and the people were just like, yeah, go ahead, see what it ends up like.

Tim: That’s hilarious. I love how you describe that as, oh yeah, you know, we were, we were young. Dude, we’re talking about like, what, 2019? That was five years ago. It’s not like multiple generations ago. But hey, so there will be plenty of people who are just starting out now, Who probably might even feel like, they’re late.

Rob: No, no way, no way. Um, I think Rust isn’t going anywhere, right, and it’s certainly got this huge love on every Stack Overflow survey, but it hasn’t got the adoption. So it’s not going anywhere. And even if you don’t learn it to use it at work, you can learn it and apply the principles to other things. I mean, when I got hired, actually, I was in a front end role. And when I started on this work project in Actix Web Rust, I was a front end dev, which was a preposterous kind of proposal from, that’s probably why they let me do it. They were like, oh, it’s whatever. Um, but then I found myself writing these crazy front end, uh, pieces of code as if they were kind of Rust and I got really kind of a bit deeper into monadic stuff, because it felt a little bit, you know, um, I was missing option and result already, basically.

Tim: So, to make that slightly more concrete, ,you were essentially creating your own types, in presumably TypeScript or JavaScript, that emulated a lot of like what Result/Option provide for Rust programmers.

Rob: Yeah, um, in a lot of ways, I think there’s a good NPM library for kind of pure monadic stuff called Monet, but, uh, yeah, a lot of the types were kind of built around that, um, as well.

Rob’s Early Career

Tim: Do you want to explain your early career? So you said that you were front end, and you’ve kind of touched on the fact that you went to university and has, and if I look into your bio, you said University of Sheffield, uh, I’m curious as to whether or not computing has always been your thing?

Rob: Absolutely. I think if you talk to any of my high school friends, they would say, yeah, he was going to be a programmer at some point. Uh, I’d be in physics class solving problems by writing JavaScript. Um, and yeah, that, I think JavaScript really was my introduction to all of this. Um, quite early in high school and I got quite good at JavaScript before anybody else was being taught programming. I don’t think, um, at my high school, in particular, anybody had been particularly taught programming, there was no Python classes. It’s not unheard of in the UK, but, uh, not at my high school. I think we got Excel functions as the most programming-like thing.

Tim: Nice, I had VB basic, I think, uh, and, and I think it was Visual Basic 6. Um, probably people are going to start doxing me pretty soon if they find out my age, but the um, that’s kind of fascinating. So you’ve always kind of wanted to tinker, and I love the idea that essentially you were missing Rust in the front- end. So at some stage you must have, you know, basically, been caught up in the hype train or hype wave, whatever metaphor, and you started dabbling with this weird systems language.

Rob: Yeah, absolutely. Um, I mean, this certainly wasn’t first year of Uni by any means, it was probably last year. I’d done Advent of Code or something and so I’d gone into university with this experience in JavaScript and doing some like freelance web dev for friends mums or whatever. And I’d been uh, did a little bit of Python in the summer before going to university and then this like explosion of like, “Oh, there’s so many languages to actually learn”, you know, in university we had Ruby, we had Python a bit more and dove into more like ML bits and then web server-y bits. Java was the primary one that was taught as like the traditional CompSci language, uh, at Sheffield. Um, but I wasted no time in my spare time as well, like figuring out more stuff because this was just, this always had been super interesting.

Tim: All of my friends that did computer science, uh, at undergrad, essentially spent all their time doing assignments. And I was just like, this seems like the most ridiculous thing, and yet it sounds like you did more on top of that.

Rob: Uh, yeah.

Tim: That’s hilarious. I think the follow up from me is, I’m curious about what it feels like to be a maintainer. And, in particular, I’d like you to touch on deps.rs and some of the other initiatives that you have fostered for giving people an option, if they’re feeling burnt out or, essentially overwhelmed by that process.

Rob: Yeah, sure. Um, yeah, it’s a similar story, I guess, to Actix Web. And picking up maintainership of that was a really big challenge because it was such a big project, and then everything else Since then has, I guess, felt like less of a challenge, because it’s not as popular or not as big of a code base to maintain.

About deps.rs

Tim: Shall we chat about what deps.rs is?

Rob: Sure, yeah, um, so deps.rs effectively gives you, uh, a badge that you can put on your GitHub readme that says whether your dependencies are up to date, uh, originally. And when, um, the original maintainer of that came to, I think Reddit and said, Hey, I want to give this to the community, there was a group of us that sort of said, yep, let’s, um, let’s get this, Um, forked over to the community- not forked in the traditional sense. It’s still the original project. Um, but like also distribute responsibilities. I think this is a little bit different, um, kind of challenge because it’s a service as well as a, an open source repo, right? And so, for example, like the, somebody who, the person who pays for the domain doesn’t necessarily, uh, run the servers that host deps.rs, right? So we have this little bit of distributed nature. Um, So that was cool, and then we added some more stuff, uh, like security scanning on top of the original projects. And it’s kind of just ticking away and costs maybe 50 a year to run, which is, uh, covered, like, my costs as domain host is, uh, covered by my GitHub sponsors. And, um, I’m sure that the GitHub sponsorship on the, the server host side is also covered by GitHub, so it’s effectively community run.

Tim: Ah, okay, right, but that’s interesting. So the funding model is essentially, someone is being generous and the people that are being generous are Rob’s Github sponsors. So, thank you Rob’s Github sponsors.

Rob: Yeah, thank you to my GitHub sponsors. I call it out on the sponsorship page that, yeah, the, the entire cost of the domain goes, uh, from, from my side of the sponsorships

Tim: What I want to say is that there are other bits and pieces of the Rust ecosystem that are funded. Like, for example, the newsletter This Week in Rust, the mailing list is actually funded by the Rust Foundation. And I think that something like security scanning or, uh, checking dependencies with semantic versioning, and sort of keeping dependencies up to date, that feels like something that’s kind of important.

Tim: And, uh, I, I just, I think that there’s a good shot that you could get this paid for and then your sponsorship wouldn’t be paying for hosting somewhere, instead it could actually be for you to enjoy, which presumably is why people would like to sponsor you.

Rob: Maybe, yeah, maybe. I think if it costs any more than it did, um, I might be motivated to, you know, talk to the other members and say, let’s try and get a letter of recommendation together, but it really, it’s not a significant cost burden for us.

Tim: Well it’s a tremendous service, so thank you very much.

Rob: It’s quite all right. It’s a highly cacheable service.

Tim: Right, yeah, because once, I suppose you just need to run it for every new version, and then as long as the version stays still..

Rob: It’s run lazily for whoever requests version, right? So, um, that’s the benefit of it, um, we, we don’t, we’re not actively sending reports out. We know we let Dependabot on GitHub do that, and that’s one of the common things people ask is like, what’s the point? Is this Dependabot? It isn’t, it’s, um, it’s a badge uh, service. It doesn’t alert you to anything.

Tim: Well, and I mean, there is, I think, a wider discussion around, um, what it means to take a dependency in Rust. And as the maintainer of Actix Web, that’s probably a big decision because I essentially have heard, I asked around on Twitter a while ago, uh, and everyone wants fewer dependencies. Um, And if you, so, but we’ll postpone that discussion about like, as a maintainer, what external dependencies should I pull in? Because I think there’s one other project to pump, and that is what you are doing. And I call it, I mentally, this is the mental model that I’ve got, like a kind of an orphanage for lost crates or something. Is that accurate?

What is x52dev?

Rob: Um, it’s something that’s part of the idea. Yeah, I suppose you’re talking about x52dev

Tim: Yeah, that’s right. It’s, uh, I didn’t remember its name. It wasn’t exactly, um, semantic naming.

Rob: No, it’s not terribly memorable, I agree, but, um, uh, it has meaning to me, and that’s, that’s enough.

Tim: It is, yeah, I think the story is important. So, the description reads, “Just a collection of repositories managed by Rob with help from others. If you need to hand off a crate to a group that will take care of it going forwards, please reach out to me on Discord”. Yeah, so tell me more about x52dev.

Rob: Yeah, uh, It’s kind of, it’s an organization without a specific purpose, which means that every repo that gets imported there, the idea is that it has a different team assigned to it and that we can manage things in roughly the same way, but they can be different people, right? As long as you’re happy with, uh, the template in which I set up the repos with, um, organizationally, then we can be, you know, we can be friends.

You can have, um,

Tim: Oh so it’s not just, like, an abandoned crate.

No, no,

Tim: It’s like if I wanted to join a group of people that know about releasing, and about some of these things you mentioned, like Semantic versioning and so forth, I can go to the group and say “I would like some advice here…” or like “How do I format my release notes?” or a bunch of other stuff.

Hmm. Yeah.

Tim: Well, that’s really cool. Okay, so that’s much much better than what I originally thought.

Rob: It’s not a graveyard, um, in this, in the sort of the same way that, uh, I think the Rust bus initiative originally was. And I was kind of inspired by the Rust bus initiative, um, discussing with one of themaintainers there, it seems to be pretty dormant, uh, according to them. So, uh, I was sort of, I think that’s, at the time I added the, if you want your crate adopted kind of thing. But like adoption in the sense of you don’t adopt a child and then abandon it, right? You adopt it and then give it love. And if you’re in a position of, um, having understood crate maintainership for such a long time now, you can just apply the patterns to everything. Like there isn’t a special, I haven’t come across a special crate yet with respect to organization. So, I have scripts, I have stuff that makes this so simple, I can just take on maintenance of a crate, no problem. It will stay updated. Um,

Tim: Do you mind giving me the secret sauce?

Rob: The secret sauce.

Tim: Like, you just, you’re very good. Like I was, I was, it’s like surprised by your confidence. Like, Oh, what’s with, once you’ve figured out maintainership once, you are absolutely fine, at least on the organizational side.

Rob: Yeah. Uh, okay. There’s, um, releasing tends to be a burden to people, and I think they put off releasing uh, changes and like accumulating them into batches because it’s a pain to release. Um, it really isn’t if you have, uh, nice scripts to do this. Um, although in, in recent times, you know, the, the advent of, uh, release plus, um, Marco Ioni’s tool makes it so much simpler. And I think people should use that. Um, if that’s genuinely their only problem with crate maintainership. But things like keeping change-logs and just these things that I think are very important, even though my coworkers would call me uh, nitpicking, uh, but

Tim: I have worked with people that are nitpicky, let’s say. In fact, one of them is a very prominent Rustacean. Uh, and I always was extremely appreciative, of the fact that there was someone ridiculously pedantic. I don’t want to call them out because I think that would be slightly unfair, but I don’t think that you should, I think if you are in this kind of release manager role, you are the like final check. Uh, so I think it’s totally appropriate to be, I suppose, seen as someone that checks things like have they literally dotted the i’s and crossed the t’s although, not figuratively. Anyway, the um, so that’s really cool. But what about two other aspects of maintaining a crate? One of them is uh, the fact that there are lots of users issuing, like, it’s like a many to one relationship and you have people like, once your crate is adopted, you have this problem suddenly that you might get lots of issues. You might get pull requests and suddenly you have people to deal with.

Rob: Um, yeah.

Tim: And the, the other one is what do you do with- How do you deal with poisonous people?

Rob: Oh boy.

Tim: This is the good stuff. Sorry, I, so I don’t need like, I don’t think anyone has like a magic wand for any of these issues, uh, but it would be interesting to see your take on any of that, because presumably you have some degree of experience with it.

Rob: Yeah. Um, So dealing with people, you know, people have problems. I certainly had a problem when I started working with the framework, which is why I filed the pull request. And I would always, um, say if you have a problem with the framework and you think it’s easily fixable, file a pull request instead of an issue. If you think it’s something bigger, file an issue, ask for the maintainer’s opinion first, because the maintainer at the end of the day has like a vision of going forward, what the framework is going to look like, and they have guiding principles that aren’t necessarily written down. Lord knows mine aren’t written down in the Actix Web anywhere. It’s kind of just on gut feeling a lot of the time, and those gut feelings change also. So that’s the first piece of advice.

Tim: Right, because essentially, the feel of the code base. Matures as you mature, essentially. And, uh, are there styles, I don’t, with, that you’ve noticed that Rust programs have changed in the last five years or so as you’ve been playing with the language?

Rob: I mean, I think the style changes have largely been driven by language improvements. Um, certainly 2019, you know, the whole shift from futures 0.1 to async/await, huge. Obviously in my arena, that was a huge deal. U m, and so that changes the style of the library code as well as the application code that you’re writing.

Tim: What about error handling,and kind of moving away from either concrete errors? Or just, uh, trait objects over, you know, Dyn Error versus using libraries that provide, um, similar but sort of enhanced functionality over that.

Rob: Right, yeah. Error handling is a really interesting piece of Rust history because I think many people who’ve been around as long as I have will remember the failure crate, um, as being kind of a de facto better error handling methodology than the standard error, uh, object or trait, whatever. Over the years, that again, the piece of standard library has improved and we’ve gotten the kind of tools that we need slowly put into the standard library stabilized, you know, backtraces and we’re still missing one or two pieces to really make this great, I think just coming from like a regular programs kind of point of view. Um, but there’s been some really interesting experiments. Uh, anyhow, eyre, error_stack, there are sort of the top three at the minute of interesting experiments in how to make the error experience in Rust really good. Hmm.

Choosing dependencies

Tim: And that’s kind of life, going back to this, how do we choose dependencies? I find it really difficult to recommend any specific crate because I feel like in two years, or like, yeah, maybe two years time, I am going to be changing my recommendations. Uh, it’s weird that the language, the, the idea of, you know, stability without stagnation in Rust kind of doesn’t work. Doesn’t work because, the language is backwards compatible, but the dependence on third party crates means that there’s no real stability for programs. I don’t know if that makes any sense, let’s try again.

Tim: Error handling in Rust is a really fascinating topic and one of the things that strikes me is that it’s very difficult to choose a specific dependency or make a concrete recommendation. And it seems like there’s a lot of churn in the crate ecosystem. Like, is rust going to settle down? Like is the, is is the, yeah. Is it gonna be easy to make, is concrete choices about which crate to use for specific tasks?

Rob: Yes, uh, certainly from a difference from back in the failure crate days is that we aren’t particularly bound to, um, that type anymore, right? That was an explicit kind of, um, implementation of a trait for a type in a crate, which was like kind of bad and people didn’t particularly like that. The current choices are a lot better because they’re effectively just helpers to let you implement the standard error trait in a nicer way, or interact with it in a nicer way. Um, and so the story from that point of view has like, gotten a lot better. Um, what we’re missing is the parts that these crates add, which is like context. Like, um, and understanding of, you know, particular types of errors without just straight up boxing it into a dyn error, um, which loses you a lot of this valuable context, which you might need down the line in say a web framework, right?

Tim: Yeah, there was a really interesting, sort of slightly tangential, but sort of on the theme of recovering from errors, Nico Matsakis, I think last week or the week before, maybe, just posted a thing saying, oh, we should actually maybe consider deprecating unwinding, um, on panic. And one of the arguments there is that web frameworks don’t actually seem to use unwinding to recover from errors.

Rob: Yeah, I have that open in a tab and I haven’t read it yet. Uh, I mean, that is his main point, yeah, possibly. Uh, it’s true that, you know, web frameworks, which utilize tokio, uh, don’t do this largely because, um, we are trying to remain slightly fault tolerant and so yeah having a panic somewhere and a handler doesn’t crash your entire application for other people connected to it. Which is kind of a special case here. It’s arguable whether there should be opt in behavior for Tokyo spawns.

Tim: Yeah, the next question, or at least one that I’ve been wanting to ask, is that you’re writing a back end framework, but I thought that you were sort of a front end person, and is there like an impedance mismatch between those two domains?

Can you elaborate on an impedance mismatch there?

Tim: I think a better question is, are front end frameworks and back end frameworks so different that people need like a different methodology on both of them?

Rob: No, it’s not something I’ve thought about in great detail in the past. Um, I think maybe with, uh, there were similarities, certainly when you talk about, front end frameworks that have like routing built in, you know, it’s one of the key components of a web framework is a router, and most of the time like going from page to page is handled by a router on the front end in the same kind of way with pattern matching on on paths and stuff like that. But perhaps the the needs of the two systems are kind of fundamentally different in other ways, like security, for example. Um, the, the front end needs a much more strict kind of security boundary in order to remain, um, secure against all sorts of kind of attacks, right, which is what browsers, uh, defend you against with the help of various security headers from the back end. Um, that’s one example I can think of.

Tim: I was wondering, maybe this is a suspicious question to ask, but let’s go there, like could Actix web grow into like a quasi front end framework, given that you have a lot of domain knowledge, could you sort of bolt in Leptos into it so that, or pick your other winner whereby essentially you would have something that’s much more, lets say full stack, in Actix web by default, let’s say.

Rob: Um, I don’t think that’s worth anyone’s time at this point. Uh, it seems pretty clear that frontend has, has winners. Um, but it also has 10,000, 10 more each week, right? Um, and the winners still keep winning. So there’s like an established pattern of, especially when you grow, like I understand, that, yeah, maybe, previous attempts, I haven’t played with leptos, but like previous attempts at these huge full stack, um, frameworks that try to do both sides and wire things together, right? Um, they don’t work for mid sized corporations and up. They just don’t, um, because there’s some fundamental asynchrony between the releases of back end parts, releases of front end parts, releases of mobile parts, which you can’t control, by the way. You have no control. You have like a one hour control over when your mobile app gets put on the App Store, on Google and Apple. Um, and so if you’re trying to have a simultaneous release of everything that has like a breaking change, oh, but it’s fine. We release everything together, you actually don’t. So, so you need to think about this, um, a bit more holistically, and to do that, you need independent pieces. And that’s one of my guiding principles and why I don’t think it’s worth anyone’s time right now, anyone’s time regarding Actix web.

Tim: Yeah, so Rust, the Rust way, or at least what has been, uh, when people write web frameworks, they’ve typically written micro frameworks. Uh, and they ask users, or users in this case are developers writing for end users, the users of the framework say, Oh, bring your own templating library, or bring your own everything else.
And, but that puts a lot of pressure on users to know a lot about the domain and all of the crates before they actually build a thing. Is that a, uh, is that a concern for you as a web framework developer?

Rob: Um, it’s a concern because it’s the concern of the community at large, I think. And, um, I’m quite happy to explain to people why we don’t include templating or don’t include database drivers. And, um, there’s kind of two parts to this.

Tim: Oh really? I’m quite curious, tell me about templating and database drivers.

Rob: Yeah, I mean, I think everyone keeps saying “Oh- “, no, let me re-phrase that. There’s a push for a rails like framework as the end game, right? The end game of maturity of Rust web is we have something that’s like Rails or like Django, and that’s important actually because it helps migration for those people for the for that community

Tim: Yeah, I have a similar goal, in fact I have a prototype, I don’t know if you’ve seen my stub of one.

Rob: I don’t think I have seen this.

Tim: No, it’s um, it’s in, it’s called InterCity, like, because the trains network in Europe is, uh, and but I shouldn’t talk about my stuff. I really should focus on. So, yeah, I agree with this goal. I think that an, an, an end point, although it feels very weird to be talking about endpoints for Rust. when Rails was released, what, 2004? 2005?

Rob: yeah, it’s old.

Tim: Uh, like, are we….? Why are we a decade, l ike, why are we so late to getting, like, a full stack thing? It’s kind of another side question, but yeah, you know, I’m very curious about templating and database drivers because I just hate making choices, uh, when I, you know, Or at least, I don’t know.

Rob: Um, I don’t like picking winners generally with this framework, I think, well, you have to be careful when you’re picking winners, I think is a more appropriate statement to make about that, right? Cause, Actix web has picked Tokyo as the winner of the async runtime. Okay. Um, it’s picked a couple of other crates as the winner of that kind of, uh, area of expertise.

Tim: Is that, for example, serde? Is, are you with JSON

yeah, sure.

Rob: yeah sure, good point. Um, Serde, of course, is well loved in the community as a whole. No one’s really questioned that part. I’ve never had someone say, why Serde and not, um, eserde or whatever. But you do get people occasionally saying, will you expand this to make it frame, er, runtime agnostic? And the answer is no, that’s definitely a winner picked. Um, but like when it comes to templating, the, the reason that I don’t want to pick a winner that is that it’s so easy to integrate your own, that why would I limit the flexibility when I could just give an example of all of them? You can go into the examples repo, see which one looks best in the Rust context, and then copy the, copy the folder if you, if you want to with all the dependencies set up and up to date. Um, that to me seems just as easy as providing a framework with a templating library built in.

Tim: Yeah, sure. And I mean, so, do you think that someone could use Actix Web to, as a way to build something that’s Rails like?

Rob: Yeah, for sure. Um, I’m familiar with a project that’s come up recently called Loco.

Tim: Yeah, I haven’t counted it, but I haven’t really read much, um, more than its readme.

Rob: No, I haven’t particularly played this at all, but it’s come up and people got sort of very excited about it. And, um, it seems like it’s made a lot of these choices. Um, yeah, emails, background tasks, it says everything included, so it must be some database somewhere. Um, And yeah, I’m, I’m a little bit suspicious about this in, in general because I think maybe in some domain like databases, there isn’t a good winner yet. That’s the other, uh, side of the coin here. We’re still figuring out the interfaces for a lot of these things and most of them aren’t perfect. Um,

Tim: I think that that’s, that’s a very fair point. Like we don’t have something like the jdbc. I think that’s the, or is it the, The, yeah, is that right? Yeah, for Java and, uh, Python has its own, um, you know, the standard library provides a custom, sorry, provides a, an interface that every, uh, everyone uses and it’s, it’s, it’s not, yeah, yeah, the, uh, there was a, a pip, like a, sort of like an RFC, um, which described an API that you should implement if you’re writing a database driver. And they did. So your, your import statement changed and like Rust, sorry, Python doesn’t really have interfaces like in the language, at least I don’t think so. Although I haven’t really been paying a huge attention to the recent changes in Python.

Rob: Yeah, I don’t know.

Tim: But, uh, the, the problem that sort of Rust faces is that that kind of thing doesn’t really exist, at least. It doesn’t strike me. And there’s a, there’s a weird problem where there’s very few database drivers. Like this, if you want to do Postgres, sure, SQLite, okay, but surely we- and I mean, actually that’s not quite fair, there’s uh, plenty, like there’s a, there’s a bunch, but I just, it’s surprising how poor the data, like, database interaction system kind of is.

Rob: Hmm…yeah, writing database drivers is hard, right? ,

Tim: But shouldn’t, shouldn’t Rust make that actually okay? Or at least less awful? Like, be easier than- I don’t know, I’m asking a lot of Rust.

Rob: I think we’ll start seeing really, really good database drivers when the database the databases themselves provide one, I guess. Uh, it’s sort of one of these first party problems that you see with other kind of databases like Kafka, um, I think about in particular in that they provide a server and a client and it’s always in sync and you’ve got some of these problems with compatibility if you don’t do that, um, with regards to new features and stuff, and the same is probably true of Postgres, the amount of, um, versions that they release a year is, well, three or more, so, you’re then tasking someone in every language community to keep up with that.

Tim: It’s tricky. I guess I suppose there Postgres’ answer would say libqpq, we’d probably keep that up to date, and then hopefully it would kind of bump things downstream. But I suppose the next kind of follow on about this is, do you have any advice for people when they are building an application about which dependencies to check?
Take on, or at least to say like, how would you evaluate things? I don’t, it’s a very broad question. I’m sorry for kind of throwing it at you

Rob: How do you evaluate things? Um, as an application developer? It’s largely just down to what you need, um, at the moment, because I think most things exist on crates.io now, um, and sometimes the most downloaded version is the one you want, and sometimes it has been abandoned and is still being used transitively by 10, 000 other things, and you should probably use something else, but that’s really hard to tell, and we, we need better tooling around that kind of choice making. Uh, I think there’s initiatives to do this at the moment, uh, that you hear about on the podcast, so just try and keep your finger on the pulse of this stuff, really.

Tim: Yeah, what you need to do to follow on Rust dependencies is to just basically spend 10 hours a week, uh, consuming content. No, I don’t mean to be too facetious. Are you- actually, it’s kind of, how do you keep up with everything in Rust? Like, I don’t.

Rob: You have to pick your battles really. I keep up with the things that interest me in my open source life and in my work life and I try and read changelogs where possible for relevant releases.

Tim: So if someone released like a binary blob of, I think, I was trying to make a weird like segue to a recent, um…

Rob: If you want to talk about that, I’m quite happy to.

Tim: Okay, sure, let’s go there.

Rob: Let’s bring the..

Tim: Let’s bring it.

Rob: Let’s bring the spicy takes.

Tim: Oh, look, I don’t think it’s such a spicy take as, I think that it is important to be able to have a, like, a more sophisticated discussion than just, oh, I don’t even know how to express it- than spicy takes, there needs to be some, forum to be able to have a, uh, a way to provoke thinking, that is a little bit beyond just kind of random anger tweet, or like rage tweeting or something.

Rob: Absolutely, yeah.

Tim: Uh, so do you want to provide the context of like my weird, uh, intro?

Rob: So, I mean, yeah, if a very popular library in among a great set of other very popular libraries on crates.io that you’ve definitely heard of suddenly has, um, well, actually I shouldn’t even say suddenly. It has a pull request filed against the wrapper that includes some description of a way to make it faster. And this way, um, includes a pre compiled binary, and It passes whatever review system is in place for this repo, it gets released, two months go by, and then people notice. And my question to the audience is, does it really matter then? If you really cared, If you really cared, it would have been spotted much sooner than two months ago. Um, you know, that’s my spicy take, and I think my colleagues disagree, because they’re, uh, they were up in arms, much like a lot of the community was.

Tim: I, you know, I, yeah. A lot of it was to do with like, this whoa shock. How could you do this? How could you abuse the trust of the community. Um, I want to say something annoying, which is like, I can sort of see both sides of this. One, I can actually see why pre compilation or like binary distribution of, uh, some parts of the thing is something that people want. Because if you ask Rust users, what do they complain about? They say your compile times.

Rob: Yeah.

Tim: It’s like, well, you’re a critical dependency inside the dependency path of most Rust projects. If I could speed that up, that would be kind of a good thing. Again, you’re literally, uh, making the world better for most Rust developers at that point. With the kind of the very, very significant proviso, or the asterisk, that, who knows what the hell’s in that binary?

Tim: It’s not reproducible. Nobody else could, nobody has been able to reproduce that thing.

Rob: They’ve been able to produce it within, within like, seven bytes, and the, those bytes were a date.

Tim: Ah, yeah, yeah, yeah, that’s, that’s what I heard. No, no, sorry. I, um, I’m trying to get my conspiracy theorist, uh, happening.

Rob: Yeah, yeah. It was a plant.

Tim: That’s right, that’s right. It’s like, but we didn’t reproduce the reproduce, the reproduction, like show me, um, show me the build system.

Rob: These would be, these would be an awesome set of tools to have. And if we have them, we should absolutely provide them to the community and have, uh, or, or encourage the top developers of, of, or top maintainers to use them. Um, because they are, they’re important and it’s not even, is this maintainer malicious even it’s, um, have they hacked?

Tim: No I think there was genuinely good intent there, right? But yeah, yeah, well someone has the root keys. And OpenSSL was the same, right? The, uh, it was actually, or it was this different, so the OpenSSL breach that was relatively recent now was a, oh, it was a parsing library, wasn’t it? Where someone uploaded some testing data like, as like, oh, it was a compression library that was, um,

Oh, yeah, it was, um, yeah, compression.

Tim” And so this was the example data, but in the, in automake and like some weird obfuscated Perl script could make use of that test data to kind of weirdly inject a backdoor into OpenSSL. So it’s kind of ingenious, but yeah, there, um,

Rob: I think that was more social engineering and like bad maintainership, of course. But, you know, someone’s got this key, they can get hacked. No one’s security is perfect. So we can’t just assume that these things are malicious all the time.

Tim: I had a tantrum. I had a tantrum that Alice, um, from the Tokio team, like, released, uh, version 1.3.7 live on stage.

Tim: I was like, I I have, like, concerns about that. Like, I would like very significant crates, et’s say if you were, um, yeah, let’s say that you were this era or something. Well, if you’ve got more than 10 million downloads or something, or some threshold, that we apply a gate at crates.io. that says for some embargo period someone has uploaded a new version you could opt into it if you want but it hasn’t been externally verified and there should be kind of some sort of process for being able to verify that the dependency that you are your users are downloading actually means, like actually is the download that was intended, because we have a large number of dependencies whereby the git tags version of the hashes, don’t match the downloads in crate.io. So, yeah. Anyway, now I’m going on a bit of a rant.

Rob: Of course, no, these verification steps are very important, uh, in the long run. I think as, as more and more people get involved, the, uh, potential threat, um, boundary gets bigger. Right. Um, so these are cool. It’s cool to think about a future where we have verifiability in the stuff we’re uploading. And also, um, was it the chain of, of sources back to the source code, right?
Um, I’m guilty of this because I happen to use, uh, dash dash allow dirty on publishing everything which somebody messaged me a couple months ago and said “Hey This means that you’re not including commit hashes” and stuff and I’m like news to me, like I didn’t know. Um, I’m using it for legit reasons as part of scripts.

Tim: Yeah, the, it’s actually super messy releasing and signing as well. I had a, an incident, oh, and just GitHub credentials, and just, just git is actually surprisingly difficult. And the thing that I didn’t really realize until it became a very large problem, was the fact that git is not immutable. It’s perfectly, git is perfectly happy if you rewrite the history. And that is, uh, yeah, it makes things like this provenance or like verification of all of the steps really, really difficult if you can’t really, you rely on the git history could just be faked.

Actix Web: Router Deep Dive

Tim: But I would like to wrap up pretty soon because I am keeping you awake. Uh, and I thank you very much, but once of the things that I really want to get out of your brain, is how the router works inside Actix Web. I’ve thought about ways to implement this myself with HashMap’s, but it kind of got a bit complicated once I started thinking about variables, and things like that, as well.

How does Actix Web implement routing?

Rob: Implementing routers is really an interesting problem, uh, because it’s all about pattern matching largely. And you’d think we have a, you know, a match, um, uh, a match expression within Rust, and that can do quite a lot actually with regards to static path matching. And if you’re using something really low level like Hyper or Actix HTTP, you can pretty much do that if you have one or two routes. Um, up until matching, uh, the rest of the path as well in some cases.

Rob:So when you want to start implementing a route that has segments as we called, so the parts between slashes in a URL, so it might be slash ID one or that can be then any number that’s then referenced in the handler. Then you start, yeah, thinking about we need to scan through the path that we’re given by HTTP and storing it somehow, or parsing it out, or somehow else. And, there’s a simplisti, there’s a more simple way of doing this, which requires you to, um, build the router up front. And this is what Axum, uh, Axum’s underlying router library does. It has to have knowledge, as far as I understand, um, it has to have knowledge of all the routes that could exist up front. And this makes it very, very fast, like much faster than ours in terms of, yeah, time from path to route. Um, you can effectively just take all of the paths that could exist, all the path patterns, and then scan through static parts as you know that they exist. Um, then following on from that, you see that you expecting some dynamic segment, and then you pass that up until the sort of delimiter, which is usually the forward slash again. And then you can start extracting those and they might have a name or they might just have an index you can extract those out put them in your little hash map and then provide them to the, uh, the handler that you’re calling. Ours is, uh, a bit more flexible, I would say, in that it’s slower and it does more at runtime. Um, what ours does is it allows you to set up the partial segments, so you can have, uh, scopes. If you’re familiar with Actix Web, you can have a scope, which sort of says, uh, API maybe. And

Tim: I could have slash API, and then that would be a scope.

Rob: Yes, and then everything under there is kind of grouped under this path scope. Um, so you have API, you might have then the name of the resource. So that needs to be a dynamic segment. Um, the router that’s stored in that scope is, uh, he router’s not, sorry, the router’s not stored in the scope, it references the, the outermost router for the, the paths and how much has been processed already. It then looks at its own router, his is, yeah, this is very hard to keep straight in your head. It looks at its own router and says, okay, so there might be some more static paths in here. There might also be some dynamic segments that we need to look for. And it builds up this tree of like, it might be static, might be dynamic. Depending on what it is, we go into this little sub router over here. Um, and as you’re going, you’re looking at dynamic segments, their name, building up a little hash map of, um, of name to offsets within the path to look at and to parse out. Very ineloquently, that’s how that works.

Tim: So, you have essentially place a lot of burden on the framework to provide features for users, right? Um, essentially, it sounds like it’s not quite virtual hosting, but it’s sort of similar. You’re kind of namespacing different sub-routers and creating a tree of them. Uh, and eventually a segment, eventually things are going to match. And, that is- so it’s a tree of hash maps. Is that essentially what it comes down to, or enums?

Rob: That’s fair to say, yeah, that’s fair. Um, and so each sub router is going to have some reference over to a handler that it needs to call. Um, or a different, or another router, or, or nothing, right? You need to process the entire path for it to do anything, apart from throw a, a 404, effectively. You need to have processed everything.

Wrapping up

Tim: And that was my attempt at getting some sort of deep dive at you at like 11:30 in the evening and I appreciate your perseverance of like, this mind bending thing about trying to recall code.

I really, yeah,

while, uh,

Rob: I really wish this part of it was documented as well as the actual path, like, pattern syntax is, cause, you know, I could have just read off docs. rs, but,

Tim: Hey, well, no, no, no. Um, I, I really appreciate that you spent, uh, some time here chatting about what it means to be a maintainer of one of the most prominent crates in the Rust ecosystem. Uh, also a wonderful community member, I’ve, I think, watched every public talk that I’ve seen of yours on YouTube. Um, and, uh, I, all two, yeah, sure, but, um, you say that like as if those aren’t significant. Like that’s a very big step. And also, uh, the work that you’re doing on Deps RS, and, uh, and at some point, once the podcast is established, I might bring you back to get out the backstory of the name for your not-orphanage orphanage for crates, which is remind me the name, xr52 or something?

Rob: x52dev.

Tim: Wonderful, hey, thanks so much, Rob.

Rob: Quite alright. It’s been great talking to you, Tim. And to all the people who, uh, message me on Discord, I know my website doesn’t work, okay?

Tim: Are there any, are there any other parting remarks?

Rob: If you asked that, I was gonna say it. I can go in the bloopers.

Tim: Okay, yeah, we can have a bloopers reel.

Credits

Producer: Lorenzo Evans

Rob Ede – Actix Web, Life as an Open Source Maintainer, Supply-chain Security