logo

drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Rust-move-fast-and-break-things.md (4981B)

    

  1. ---

  2. title: 'Rust: "Move fast and break things" as a moral imperative'

  3. date: 2021-02-09

  4. outputs: [html, gemtext]

  5. ---

  6. 

  7. Rust breaks a lot of stuff, and in ways that are difficult to fix. This can have

  8. a chilling effect on users, particularly those on older or slower hardware. Rust

  9. has only one implementation, with a very narrow set of supported platforms, tens

  10. of millions of lines of C++ code, and no specification. Rust [ostensibly

  11. supports][0] several dozen targets, but only the tier 1 platforms can be

  12. reasonably expected to work. As someone who has tried to bootstrap Rust (and

  13. failed) for even a tier-two platform, I can assure you that it's a nightmare.

  14. Bringing it up for an entirely new target would be a hellish experience. Ask any

  15. distribution packager who works with Rust to share their horror stories —

  16. they have many.

  17. 

  18. [0]: https://doc.rust-lang.org/nightly/rustc/platform-support.html

  19. 

  20. <strong>The Rust

  21. <abbr title="Used in software to refer to those who follow trends without understanding them, seeking their perceived benefits without understanding how they work or any of their trade-offs. Also, the Rust build tool is called Cargo, haha get it?">cargo cult</abbr>

  22. needs to pause and re-evaluate.</strong> Switching to Rust breaks things for

  23. anyone who steps even a toe out of the norm of Linux/macOS/Windows on x86_64 or

  24. aarch64. Even on the supported platforms it comes with a substantial burden on

  25. build requirements, calling for 10&times; to 100&times; or more RAM, CPU time,

  26. and power usage. Whatever its benefits, choosing Rust is ultimately choosing to

  27. lock a large group of people out of your project, and dooming many more to

  28. struggle and frustration. These are real trade-offs that you need to seriously

  29. consider.

  30. 

  31. Rewrite-it-in-Rust has become a moral imperative. Well, here's a moral argument:

  32. throwing away serviceable computers every couple of years to upgrade is a

  33. privilege that not all of your users have, contributes to climate change, and

  34. fills up landfills. As far as security is concerned, some matters *demand*

  35. leaving the norm: old hardware is the only kind that can avoid proprietary

  36. firmware blobs, Intel ME or AMD PSP, and UEFI. Novel hardware which addresses

  37. issues like microcode and open hardware, like POWER9 and RISC-V, are also

  38. suffering under Rust's mainstream-or-bust regime. Anyone left behind is forced

  39. to use the legacy C codebase you've abandoned, which is much worse for their

  40. security than the hypothetical bugs you're trying to save them from.

  41. 

  42. C is not memory safe. It suffers from undefined behavior. These are valid

  43. complaints. However, C code *can be secure*! Just look at [seL4][1], which I

  44. guarantee you has fewer bugs than, say, [RedoxOS][2]. There are plenty of C

  45. programs which aren't formally verified that work fine, too. Rewriting your code

  46. in Rust is *always* going to introduce new bugs, including security bugs, that

  47. wouldn't be there if you just maintained the C code. Maybe there are

  48. undiscovered bugs lurking in your C codebase, but as your codebase ages under

  49. continuous maintenance, that number will only shrink.

  50. 

  51. [1]: https://sel4.systems/

  52. [2]: https://www.redox-os.org/

  53. 

  54. A working C toolchain (say, [cproc][3] and [qbe][4]) can be written in a couple

  55. tens of thousands of lines of code. The only working Rust toolchain is tens of

  56. millions of lines of C++ and Rust code. How many undiscovered bugs do you think

  57. these two toolchains have when compared? How many of those are security issues?

  58. How much relative work would it be to debug them, or port them to new &mdash; or

  59. old &mdash; platforms? How often do these respective codebases churn, creating a

  60. larger maintenance burden and introducing new bugs/vulnerabilities? I can

  61. bootstrap a working C toolchain in about 10 minutes. I spent a week trying to do

  62. that for Rust, and failed. That matters.

  63. 

  64. [3]: https://sr.ht/~mcf/cproc/

  65. [4]: https://c9x.me/compile/

  66. 

  67. Rust is kind of cool, but it's not a panacea. There are legitimate reasons to

  68. prefer C, both technical and moral, and Rust still needs a lot of work before

  69. it's ready for the prime time in systems which prioritize stability,

  70. reliability, simplicity, and accessibility. Those of us who work with such

  71. systems, we feel like the Rust community has put its thumbs into its collective

  72. ears, sung "la la la" to our problems, and proceeded to stomp all over the

  73. software ecosystem like a toddler playing "Godzilla" with their Lego, all the

  74. while yelling at us old fogies for being old and fogey.

  75. 

  76. To the Rust team: it's time to calm down. Slow down the language, write a

  77. specification, focus on improving your tier 2 and tier 3 targets, expand to more

  78. platforms, and work on performance, stability, and accessibility. Invest more in

  79. third-party implementations like rust-gcc. I spent almost a week, full-time,

  80. trying to bring up Rust for riscv64-musl. The bootstrap process is absolutely

  81. miserable. Your ecosystem has real problems that affect real people. It's time

  82. to stop ignoring them.