Rust issues
Library Management
You cannot install Rust libraries system-wide (be it as source code, like with Go and NodeJS, or as binaries, like with C), which means every application ships its own vendored dependencies.
- Need to apply modifications to a system/popular library, or upgrade it? Prepare for per-application patching (good luck with security).
- Need to audit your system? You're going to have to review multiple versions of the same libraries multiple times.
- A library is broken or upstream gave up, so you fork it and replace it system-wide? Nope.
This is why I think Rust is a complete net negative for holistic security and software freedom. You can get a better security track record for your own little code in your application than in C++, but not for the actual entire application, and even less for the whole OS. See Log4Shell if you want a recent example of a massive failure in a safety-oriented language (Java) that we're absolutely going to get in other languages unless people think about systems as a whole (like a separated logging daemon).
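The audit point above (several copies of the same library in one application) can be made visible from an application's Cargo.lock, since every vendored version ends up listed there as its own `[[package]]` entry. The following is an added example, not code from the page or from any project it mentions; it reads only the `name` and `version` keys with a small line-oriented reader instead of a full TOML parser, and the embedded lock file is a constructed sample, not a real project's.

```rust
use std::collections::BTreeMap;

// Constructed sample Cargo.lock excerpt (not from any real project): two
// versions of `base64` and of `syn` reach the build, one copy of `serde`.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "base64"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "base64"
version = "0.21.7"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "serde_derive",
]

[[package]]
name = "syn"
version = "1.0.109"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "syn"
version = "2.0.52"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

/// Return the string value of a `key = "value"` line, if the line has that key.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    let inner = rest.strip_prefix('"')?.strip_suffix('"')?;
    Some(inner.to_string())
}

/// Record the (name, version) pair collected so far, if both were seen.
fn flush(
    name: &mut Option<String>,
    version: &mut Option<String>,
    out: &mut BTreeMap<String, Vec<String>>,
) {
    if let (Some(n), Some(v)) = (name.take(), version.take()) {
        out.entry(n).or_default().push(v);
    }
}

/// Parse the `[[package]]` tables of a Cargo.lock into name -> sorted versions.
/// Cargo writes `name` and `version` on their own lines, so a line-oriented
/// reader is enough here; other keys and tables are ignored.
pub fn package_versions(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut out = BTreeMap::new();
    let mut in_package = false;
    let mut name = None;
    let mut version = None;
    for raw in lock.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            // Any new table header ends the current package entry.
            flush(&mut name, &mut version, &mut out);
            in_package = line == "[[package]]";
            continue;
        }
        if !in_package {
            continue;
        }
        if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    flush(&mut name, &mut version, &mut out);
    for versions in out.values_mut() {
        versions.sort();
    }
    out
}

/// Crates present in more than one version: each copy is a separate thing to
/// audit, patch and watch for advisories.
pub fn duplicates(lock: &str) -> Vec<(String, Vec<String>)> {
    package_versions(lock)
        .into_iter()
        .filter(|(_, versions)| versions.len() > 1)
        .collect()
}

fn main() {
    for (name, versions) in duplicates(SAMPLE_LOCK) {
        println!("{name}: {}", versions.join(", "));
    }
}
```

Run against a real lock file by reading it with `std::fs::read_to_string` and passing the contents to `duplicates`; the same information is available from `cargo tree --duplicates`, but reading the lock file directly works without a configured build environment.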
Bootstrapping Rustc / Cargo
See Bootstrapping § Rust.
Would also add that Cargo having a whole bunch of dependencies that rely on fetching code directly from the internet is really scary. For example it depends on libgit2, which had repeated remote code execution vulnerabilities (CVE-2019-1352, CVE-2019-1353, CVE-2020-12278, CVE-2020-12279, …) and I think is likely to get more in the future unless it changes its design.
serde-rs fiasco
serde ended up bundling precompiled binaries because of how slow Rust compilation can be, and of course without the ability to rebuild them from source. This was fixed later with "Phase out precompiled" (#2590).
This is what intentionally throwing distros away gets you into.
ring (crypto library)
- No release, stable or alpha, since 2021
- Used by virtually everything in Rust; it's a dependency of rustls among other things
- Grabs some C and assembly code from BoringSSL, which no one except Google should be using as it doesn't have versions nor security notices
- x86_{32,64} and arm{32,64} only, due to it using assembly and released versions not supporting a fallback to portable code. So for other architectures like ppc64, riscv, … you need to mangle the dependency tree to use patches / forks or the latest git.
Extra: Crates.io outage due to bad URL mangling
crates.io Postmortem: Broken Crate Downloads
The real bug is building URLs in application code with string formatting. URLs are a structure, so they should be properly encoded and decoded as such, regardless of them being somewhat text-based. There's prior art for this in Elixir and Hare.
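To make the "URLs are a structure" point concrete, here is an added example (not code from the postmortem, crates.io or cargo) that builds a download URL from separately percent-encoded path segments and contrasts it with plain string formatting. The base URL and the `/{name}/{version}/download` path shape are assumed for illustration, and only the standard library is used, so the encoder is written out rather than taken from the `url` crate.

```rust
/// Percent-encode one path segment per RFC 3986: unreserved characters pass
/// through, everything else (including `/`, `?`, `#`, `%`, spaces and all
/// non-ASCII bytes) becomes %XX, so the input can never add or split a segment.
pub fn encode_segment(segment: &str) -> String {
    let mut out = String::with_capacity(segment.len());
    for b in segment.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Decode one percent-encoded segment back to text. Returns None for a
/// truncated or non-hex escape (or invalid UTF-8) instead of guessing, so a
/// mangled value is rejected rather than silently accepted.
pub fn decode_segment(segment: &str) -> Option<String> {
    let bytes = segment.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = segment.get(i + 1..i + 3)?;
            if !hex.bytes().all(|c| c.is_ascii_hexdigit()) {
                return None;
            }
            out.push(u8::from_str_radix(hex, 16).ok()?);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8(out).ok()
}

/// Structured construction: the base is a trusted constant and each caller
/// supplied part becomes exactly one encoded path segment.
pub fn crate_url(base: &str, name: &str, version: &str) -> String {
    let segments = [name, version, "download"];
    let path: Vec<String> = segments.iter().map(|s| encode_segment(s)).collect();
    format!("{}/{}", base.trim_end_matches('/'), path.join("/"))
}

/// The string-formatting shape the text argues against (assumed, for contrast):
/// a `/`, `?` or `#` inside an input changes the URL's structure instead of
/// staying inside its segment.
pub fn crate_url_naive(base: &str, name: &str, version: &str) -> String {
    format!("{base}/{name}/{version}/download")
}

fn main() {
    // Assumed base for illustration; not a real crates.io endpoint.
    let base = "https://example.invalid/api/v1/crates";
    println!("{}", crate_url(base, "serde", "1.0.197"));
    println!("{}", crate_url(base, "my/crate", "1.0#beta"));
    println!("{}", crate_url_naive(base, "my/crate", "1.0#beta"));
}
```

The structured version keeps `my/crate` as a single segment (`my%2Fcrate`), and `decode_segment` gives the original text back, so the two sides agree on the boundary between segments; the naive version produces a URL whose path has an extra segment and a fragment that the server will never see.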