←back to thread

The Tor Project is switching to Rust

(itsfoss.com)
348 points giuliomagnifico | 10 comments | 12 Dec 25 12:35 UTC | HN request time: 0.019s | source | bottom
Show context
epolanski ◴[12 Dec 25 12:55 UTC] No.46243675[source]
If Rust helps with their pains and they like Rust this seems very sensible.

That's exactly why we have different languages and tools, because they adapt differently to different projects, teams and problems.

But as soon as you get into the silly "tool X is better period" arguments, then all the nuance of choosing the right tool for the job is lost.

replies(8): >>46243722 #>>46244465 #>>46244778 #>>46245023 #>>46245269 #>>46245325 #>>46246309 #>>46250138 #
1. GuB-42 ◴[12 Dec 25 15:28 UTC] No.46245023[source]
I hate the "rewrite it in Rust" mentality, however, I think that in this particular case, Rust is the right tool for the job.

The Rust specialty is memory safety and performance in an relatively unconstrained environment (usually a PC), with multithreading. Unsurprisingly, because that's how it started, that's what a web browser is.

But Tor is also this. Security is extremely important as Tor will be under attack by the most resourceful hackers (state actors, ...), and the typical platform for Tor is a linux multicore PC, not some tiny embedded system or some weird platform, and because it may involve a lot of data and it is latency-sensitive, performance matters.

I don't know enough of these projects but I think it could also take another approach and use Zig in the same way Tigerbeetle uses it. But Zig may lack maturity, and it would be a big change. I think it is relevant because Tigerbeetle is all about determinism: do the same thing twice and the memory image should be exactly the same. I think it has value when it comes to security but also fingerprinting resistance, plus, it could open the way for dedicated Tor machines, maybe running some RTOS for even more determinism.

replies(1): >>46245428 #
2. hgomersall ◴[12 Dec 25 16:06 UTC] No.46245428[source]
FWIW, rust is great on a tiny embedded system.
replies(2): >>46245494 #>>46245897 #
3. udhghhe ◴[12 Dec 25 16:12 UTC] No.46245494[source]
But with no_std, Rust is not memory safe, even when not using unsafe. It does have pattern matching and modules, however.
replies(1): >>46245932 #
4. GuB-42 ◴[12 Dec 25 16:48 UTC] No.46245897[source]
From the looks of it, Rust is usable un a tiny embedded system but it is not "great". I think that out of the recent, trendy languages, Zig is the best suited for this task, but in practice C is still king.

The big thing is memory allocation, sometimes, on tiny systems, you can't malloc() at all, you also have to be careful about your stack, which is often no more than a few kB. Rust, like modern C++ tend to abstract away these things, which is perfectly fine on Linux and a good thing when you have a lot of dynamic structures, but one a tiny system, you usually want full control. Rust can do that, I think, like C++, it is just not what it does best. C works well because it does nothing unless you explicitly ask for it, and Zig took that philosophy and ran away with it, making memory allocation even more explicit.

replies(3): >>46246502 #>>46246730 #>>46248958 #
5. estebank ◴[12 Dec 25 16:53 UTC] No.46245932{3}[source]
> But with no_std, Rust is not memory safe, even when not using unsafe.

What makes you say that?

replies(1): >>46246986 #
6. tialaramex ◴[12 Dec 25 17:42 UTC] No.46246502{3}[source]
It probably depends how tiny you mean. If the reason you can't allocate memory is because the only 1024 bytes of static RAM is all stack, then, yeah, Rust won't be very comfortable on that hardware. On the other hand C isn't exactly a barrel of laughs either. In my mind if I can sensibly chart what each byte of RAM is used for on a whiteboard then we should write machine code by hand and skip "high level" languages entirely.
7. steveklabnik ◴[12 Dec 25 18:02 UTC] No.46246730{3}[source]
Rust has no malloc in the language whatsoever. In embedded, you don't even include the libraries for dynamic allocation in the first place, unless you want to. And it's very normal not to.
8. estebank ◴[12 Dec 25 18:34 UTC] No.46247150{5}[source]
> For an example, if a function in no_std overflows, it can result in undefined behavior, no unsafe required. And stack overflows are easy in Rust, like they are easy in most other systems languages.

This is true, no_std has no Rust runtime so it doesn't provide stack protection. I am aware of efforts to address this for embedded, but they're not available at the moment.

> Steve Klabnik has lied about that in the past, as he is wont to do.

1) I don't know what Steve has to do with anything I asked so it is bizarre to bring up and 2) I find this is to be a ridiculous statement.

9. steveklabnik ◴[12 Dec 25 18:57 UTC] No.46247403{5}[source]
I don't know where I've lied about this, supposedly. Unless you say that, because of this implementation exception (which is based on target, not std vs no_std by the way) as meaning that "there's no UB in safe Rust" to be a lie.

I would still stand by that statement generally. Implementation issues on specific platforms are generally not considered to be what's being discussed when talking about things like this. It's similar to how cvs-rs doesn't make this a lie; a bug isn't in scope to what we're talking about 99% of the time.

In context, I'd have no reason to deny that this is something you'd want to watch out for.

10. hgomersall ◴[12 Dec 25 21:07 UTC] No.46248958{3}[source]
Tools like embassy really are great: https://embassy.dev/