I have been thinking about using rust in web development for the past 2 months but in light of the recent events surrounding actix, I am wondering if is it worth it to commit a whole project to a single library.
Since the standard library is focus on low level programming and all the library available on cargo seems to rely on a huge amount of other external library. How do you assess the potential threat to the security or longevity of your project ?
For me, node modules or python libraries were already a pain to check against security and company policies. But in my perspective the problem is even worse for rust.
I’m a huge fan of the language, and follow very changes, but I keep coming back to go when it comes to write a simple service, without over head.
Top comments (2)
I believe sentry is using actix-web for some things. Rust seems to be a language you have to be willing to give back to as it seems to be a bit rough around the edges. Recently in light of the issues surrounding actix-web the project has changed hands. If you check the tech empowered benchmarks it shows no reason to not use it in terms of performance.
This is not about Rust, if anything, so far the Rust ecosystem is very stable. You have to consider how new is the language and the fact that web frameworks weren't the kind of usage for what Rust was made. This is not an excuse but having that in mind.
Most Rust web frameworks are very new so their future is uncertain, that's not about Rust, is about new software, I wouldn't bet in Vue survival when it just started, it was made by just 1 guy and without any big sponsor or Flask or Django. Even tech like Docker was a very risky bet at first.
So far the development of more "base" Rust libraries seems to be very stable and consistent: Tokio and hyper seems to be here for the long run; and the same with serde, db drivers, etc. Is the top layer that is still a bit "turbulent" and even that is not that bad, and that seems to be common, Django wasn't the safe choice a few years ago, there was a bunch of frameworks that disappear while others got stuck and the same with JS, will Svelte go for the long run? will Stencil?, we don't know, that's the nature of the beast.
Actix recent situation was crappy and to me, very, very poorly managed. The owner of the project did, in my view, the worst thing he could do, but lets not overblown the situation, Actix still here and probably for the best, the new maintainers probably will have a more receptive attitude with suggestions and contributions and the development may get more distributed. And this was 1 project managed by 1 guy in a much bigger ecosystem. It wasn't a "Rust thing" it was a "1 specific project thing", and not even that "1 guy thing", the Rust community as far as I've seen it is very friendly and supportive in general, that was what shocked many of us about this whole Actix situation. Even in Reddit, Rust community is nice. This was an exception not the norm.
Sadly longevity of a library can only be presumed by how long has been here and who is using it. And those take time, so we'll have to wait. Is always a bet, in time, the bet just get safer.
About security is similar, more people use it, more eyes should be looking (not always tho, ask OpenSSL folks) and you can always take a look and audit yourself :) . What is a plus for Rust, is that you are pretty safe with the bunch of safety guaranties that the language gives you, that makes harder to write unsafe code. You can always make logical errors, and write bad code, Rust is not a silver bullet nor can guaranties perfect code, not because is written in Rust is perfectly safe, but the language do a great job getting rid of a lot of potential bugs.