This channel has turned into the authoritative source on all rust drama. It is like TMZ but for nerd shaming....

David Tolnay. He's the hero Rust deserves, but not the one it needs right now. So we'll hunt him. Because he can take it. Because he's not our hero. He's a silent guardian, a watchful protector. A dark knight.

This seems like one developer was trying to fix a major flaw in the Rust ecosystem and due to another flaw, there was only one way of doing it.

I love how prime has a million shortcuts and custom key bindings, but clicks tabs in his browser when trying to find something :D

When I was younger and something at work upset me, I'd write up an absolutely scathing email. I'd spend a lot of time getting the absolutely perfect wording. I'd work to make it as terse as possible, while still including every detail of what made me upset. And then I'd delete the email without sending it. Writing that first email would drain me of so much energy, that I'd then write a second email which would be more like "Eh, I don't understand why this was done. Seems to me we could have done something better than this".

I mean this is something that needs a bit of drama to get things moving in a better direction.

i get the concern but calling this terroristic, as well as the point of dtolnay no longer being a FOSS maintainer, is just absolutely ridiculous. Accusing someone of terrorism because they shipped a bad change with security issues is absolutely overblown, and serde is still free and open source which makes it's maintainer a FOSS maintainer

The twitch comment, “TJ see you again tomorrow on 0 days since rust drama” has me dying 😂😂😂😂😂😂

I swear this is the 4th time I have seen this title.

12:13 actually it can run at runtime. Since the original purpose of these sort of libraries is to generate code, a malicious version of it could add a malware payload to every build as well.

I'm sure I'm missing something, but can someone explain to me how downloading and running a precompiled binary is so much of a risk factor but downloading source from the same place, compiling it in your machine and then running it isn't? It's not like you're going to check the download code every single time, someone could still push a malicious version

12:20 It could derive something different. For example it could send all your program data to some server, whenever it's serialized.

you guys are great together--technical synergy as well as comedic riffing

rust's inclusivity invites all the twitter users

you should get a vertical tabs extension

I don't use rust (sadly), so I think I am misunderstanding something here. I understand people's concerns that using cargo to build a project using serde-derive download a binary instead of building the binary themselves from the source. And that building your project with out having to also build the serde binary is faster... But when you compile a rust project, is it downloading each referenced crate's source(or locally reading the pre-dowloaded source code) and building the binary? Why can't you download the source code of the crates you want to use in a project, build their binaries from the source once, cache those resulting binaries until you update the crate version or rust compiler, and then whenever you compile your project, it just uses those binaries instead of building them on the fly? (This is how I assumed it would work and don't know why it wouldn't do it that way. But if it does work this way, I don't see how dowloading the binary from the crate would be any faster except on the very first project compilation?)

There's nothing better than collaboration videos between these two gentlemen.

As a potential compromise, couldn't you make the binary first build (sure first one is going to be slow), then cache it and reuse it in the future, and a way to have sections built in release mode, hell if we are running rust code, couldn't we spawn a second copy of the rustc to do that already? Why isn't that a potential solution to this issue here? In fact isn't this is the idea behind ccache for c compilation, maybe partial binary caching is something rust should have generally?

The thing I don't understand: why is the macro being compiled in debug mode in the first place? Like, it obviously just doesn't bindly copy all the build settings. Cause other wise cross-arch builds wouldn't even work. Like, Bazel has a similar paradigm: compilers/build tools can be compiled. It compiles the host tools in optimized mode (by default, that can be changed), regardless of whether the target is being compile in debug mode or not.

16:40 Rust is also pretty authoritarian. You /could/ use a fork of Serde, but then YOUR serde types are not compatible with the serde types of the other library. You really have to decide. Do you want your own system, or do you want to use the system everyone else uses. You could also fork every lib you use and make them use your serde fork. It's mostly because of the orphan rules. I love them, but sometimes I hate them. I guess, that's the main reason why people coordinate to use the same crates. In most languages you would just implement serde for all the types you import, if they don't already implement them. In Rust, it's pretty annoying, so you'd rather demand everyone to use the serialization library you use for your crate. That forces everyone to use the same library. If you don't use it, you are excluded by parts of the ecosystem. And I consider that some kind of authoritarianism. It might be effective to coordinate on some specific systems, but it takes away some of your freedom. You either have to obey, or you have to do your own thing almost completely. You can't just implement your serde fork for each type form other libraries. You /could/ do it if you derive every library you use inside your serde fork itself, but that's far from scalable. You're never done.

Is the risk factor really any higher than the pre-compiled DLLs/.so/whatever a lot of other languages use for third party libraries? I understand there will be edge cases but for most of us, is it really any worse than (N)Hibernate, bass.DLL, etc?

20:21 This resembles the commit message I wrote, after begrudgingly unpinning chrono from 0.4.22 because 0.4.23 deprecated almost all panicking APIs (which I only used with literals anyway).

teej bouncing up and down while talking about rust got me feeling some typa way

I have a question. When did verbs become nouns?

i dont get why cargo cant just compile proc crates in release mode and save them somewhere i mean there's gotta be a reason to require a separate crate for proc macros right?

Isn't the solution to add an option to build proc_macros in release mode all the time?

That was a whole lot of reading for a video.

Did something happened to rust again

What's a long compilation at a big company?

This shows the problem with having a deficient standard library. All these third party packages are providing core functionality, and end up depended on by the vast majority of projects. But the third party maintainer gets very little in return for all of this, and too often ends up overworked and unable to effectively maintain the critical library.

Dramas are needed to solve problems in Rust. Because Rust is the Drama Queen, RDQ for short.

jhe-san format

What I'm not understanding is why does it matter? Like I totally understand the concept of a precompiled dll being an "attack vector", but at the same time how many people are downloading crates and manually going through and reviewing the code for it? So to me it just seems like a facade of security because nobody is actually going to be going through and reviewing the code themselves of the crates they use in their project so what difference does it make if you download it precompiled? So if it's established that this pre-compiled binary isn't malicious at all, but simply has the ability to be malicious then calling the guy a terrorist is completely uncalled for. I think the comment about having a separate crate for a pre-compiled version at 13:12 is the most reasonable suggestion lol. Maybe if someone could explain to me what the real issue is here, but to me if the repo is public, you can view the actions for it to see it gets compiled then uploaded as a crate I just don't see how that is different from downloading it uncompiled if no one is actually going through every single crate they use and reviewing its code.

dtolnay is David Tolnay. Look it up

So Python compiled interpreter is terroristic…..

Well he's not going to be in proc-macro3

2:30 They start explaining what happened EDIT: Actually they waffle for another while, try 3:20 instead. My bad.

424 people blocked on github and twitter now..

Lispchads stay winning.

Honestly it feels legal had the last laugh in this debacle.

Honestly, while I get why it'd make people _mad,_ I think DTolney is in the right here, and certainly not being malicious. It's his crate, he can do what he wants with it. Others can also fork it. It could've been handled better, sure. But I wouldn't say he's trying to "force cargo's hand", that's ridiculous.

Is TJ short for Tom Jenius

What's the meaning of "I am sorry or thank you"?

Nix helps with precompiled binaries while preserving trust well, in my opinion.

For those who are looking for it, the issue is resolved in 1.0.185, so versions 1.0.172-1.0.184 should be banned in security scanners.

Just write your own JSON parser, how hard could it be 🤷‍♂️

At what point do you lose control over your own projects? The MIT license is like two paragraphs and the entire second one is ALL CAPS saying that you are not guaranteed these very things.

If I were dtolnay, I would probably yank every version of all my crates then peace out

I swear I never had a compile time issue. Just get an extreme Workstation. You have to live with that in Rust.

seriously, i really really fail to see how this problem wouldn't be solved with better compile cache. does anyone care to explain why it doesn't?

im a react dev, i going to bet on golang instead of rust

Pre-compiled is a great way to slip in nation state backdoors.

All this was such an asinine situation. I honestly don't understand why the rust community isn't trying to make their compiler much faster. Linking with cargo is a freaking mess and especially in the case of macros, build times just explode if you are not careful. There's no excuse as to why the compiler needs to be this slow. It's also really sad to me that a handful of people control most of the popular crates in the ecosystem and yet their contributions are not heavily documented.

5:25 “What’s the solve?” Cringe. Why do people in tech insist on using verbs in place of nouns (nominalization) all the time? Informative video though. 😊

Rust seems cool, but there's enough drama in the world, I don't need a programming language with one.

Flip actually cut the joke out!

Due to the rust drama I've decided to learn zig instead.

Also, people who commented with a thumb down emoji on the serde changes got blocked by the serde organization (see the "serde-blocked" repository). The root cause is the fact that Rust has a poor standard library. Writing or using a serializer requires 3rd party dependencies, which is nuts. That should be part of the language or the standard library. Go and Zig never had such issues.

Rust isn't going to make it. It's peaked too early.

I wonder when Rust community acknowledges that broad standard library is a good thing...

RUST SUCKS I CAN'T LEARN RUST HELP OH GOD

All the complaints about Rust's compilation time... Why not build the Rust compiler in Rust? This is an intentionally dumb question btw.

0 days since TheDramaGenerator making clickbait drama.

Rust: solutionism the language.

I have 2 doughters and both are girls 😁

AGAIN??? What's this time?? too lazy to watch

Video with teej? No thx, I'm good...

Dtolnay's reaction (14:40) of (Im paraphrasing) " If MY CHANGE does not work for you, SOMEONE ELSE should make it work" comes off as unfair. He made the change, and now everyone else has to run in circles and react to it. In addition, the "(as I have done for ... and ... ... which I contribute SIGNIFICANTLY to)" that directly follows, comes off as arrogant and self-congratulatory. We show who we are not by our actions but by our reactions. IMO While I agree that this switch to precompiled binaries is a 💩y thing to do, calling it "terroristic" goes a bit too far. What this whole situation shows beautifully however is a problem that all package-based programming languages have. (Node, PHP, and Go have it too, to a certain degree). It is the fact that you now depend on 3rd parties and these 3rd parties get control over your projects. In Return, you get to use the results of knowledge you don't have. All so, that you can keep up with the breakneck speed that everything moves with.

So glad some fools thought adding RUST to the Linux Kernel was a good idea.