I do not pretend to have more experience or understanding than the top level engineers I often see writing blogs here, but what I am is annoyed. I love rust. It's by far my favorite language, I enjoy the community and the language ergonomics. I've been able to incorporate it into projects in my day job where fit.
Rust's dependencies are starting to worry me. For those who don't code in Rust, Rust provides an ecosystem of crates through crates.io, allowing users to helpfully install them with the command cargo add, or by simply adding the requested crate and version to the Cargo.toml file. This paradigm is similar to NPM for nodejs.
Cargo is helpful and a huge productivity booster, ensuring I don't have to hunt around and link files myself with something like CMake. This also allows me to swap between architectures and operating systems pretty frequently, mainly my M1 macbook air and my x86 Debian desktop. In general I don't have to think much about package management and gets me right into writing code.
Not thinking about package management careful makes me sloppy. In a recent production project I pulled in dotenv a crate I've seen many other rust developers use. This worked fine for multiple weeks until recently when checking a rust security advisory mentioning that dotenv is unmaintained. Below is a suggested alternative dotenvy. This whole fiasco led me tho think .... do I even need this crate at all? 35 lines later I had the parts of dotenv I needed. Packages become un-mainted in every language and it was my choice to pull in an arguably trivial dependency. So what happens when I have dependencies I do need?
Tokio is one of rust's most well maintained packages of all time. This was added with axum a webserver by the same folks that sits on top of the tokio (the async runtime). Tokio is legitimately one of the coolest things I've ever gotten to work with, touting itself as a work stealing multithreaded runtime. Tokio has performed leaps and bounds better than I ever could have hoped.
So with that I chose to add a couple more dependencies that I belived were needed, bringing my total cargo file to these Axum, Reqwest , ripunzip, serde, serde_json, tokio, tower-http, tracing, and tracing-subscriber
In general I considered the project to be trivial, a webserver that handles requests, unzips files, and has logs
In an attempt to build resilient software I decided to vendor my packages, a cargo feature that downloads all my dependencies so I can host them locally.
Out of curiosity I ran toeki a tool for counting lines of code, and found a staggering 3.6 million lines of rust. Removing the vendored packages reduces this to 11136 lines of rust.
Now I understand that webservers are complex, and a full asyncronous runtime is even more complex. However the entire linux kernel is 27.8 million lines according to this register article
That's only 7 of my project....
How could I ever audit all of that code?
The code that I personally wrote is only around 1000 lines
I have no idea... Many call for adding more to the rust standard library much like Go, however this causes its own set of issues. Rust is positioned as a high performance, safe, and modular language meaning to compete with CPP and C. That means it targets things like embedded devices. Every new thing that gets added to the std library is one more thing for the rust team to have to manage and work on. Just Tokio itself has one of the most active Github and programming discords Ive seen.
I can't rewrite the world, an async runtime and web server are just too difficult and take to long for me to justify writing for a project like this (although I should eventually just for a better understanding).
With a question I've asked during an interview at cloudflare I was told that cloudflare just leverages tokio like everyone else and pulls from crates.io. How often do they audit that code?
Clickhouse has mentioned problems with binary sizes and I doubt they even have the same amount of crates.
With cargo there is no easy way (as far as I can tell) to see what lines ACTUALLY get compiled into the final binary, many crates include items for windows which I don't necessarily need (but there's no official way to tell cargo that).
So now I pose the question to you what do we do?
Hiring for a rust role? consider me :)