Firefox incorporated parts of the Servo effort which were able to reach maturity. Stylo (Firefox's current CSS engine) and Webrender (the rendering engine) and a few other small components came from the Servo project.
Most other parts of Servo were not mature enough to integrate at the time Mozilla decided to end support for the project and didn't look like they would be mature enough any time soon. The DOM engine for example was in the early stages of being completely rewritten at the time because the original version had an architecture that made supporting the entire breadth of web standards challenging.
Keep in mind that you can continue adding Rust to Firefox without replacing whole components. It's not like Mozilla abandoned the idea of using more Rust in Firefox just because they stopped trying to rewrite whole components from the ground up.
If that's the case, it would be a lot simpler (and equally accurate) to say that "no one knows" what the source repo is doing, either! The median consumer of packages in any packaging ecosystem is absolutely not reading the entire source code of their dependencies, in either the ground truth or index form.
That's certainly true - and would also be true (maybe even more so) if vendoring dependencies was widespread. Seems just as easy to hide things in a "vendored" directory that's 20x the size of the library.
Do you think only the Israelis are pissed about the Iranians funding the Houthis and Hezbollah?
The Saudis were at war with the Houthis for several years, Hezbollah assassinates Lebanese politicians and repeatedly starts wars that nobody else in Lebanon wants, which also includes intervening in the Syrian civil war on behalf of Assad and starving out Syrian villages. Ask the Syrians how they feel about Hezbollah.
Rust is nowhere close to Node in terms of package number bloat. Most Rust libraries are actually useful and nontrivial and the supply chain risk is not necessarily as high for the simple reason that many crates are split up into sub-crates.
For example, instead of having one library like "hashlib" that handles all different kinds of hashing algorithms, the most "official" Rust libraries are broken up into one for sha1, one for sha2, one for sha3, one for md5, one for the generic interfaces shared by all of them, etc... but all maintained by the same organization: https://github.com/rustcrypto/
Most crypto libraries do the same. Ripgrep split off aho-corasick and memchr, the regex crate has a separate pcre library, etc.
Maybe that bumps the numbers up if you need more than one algorithm, but predominantly it is still anti-bloat and has a purpose...
While I agree, the exact line “Rust libraries are useful and non-trivial” I have heard from all over the place, as if the value of a library is how complex it is. The Rust community has an elitist bent to it or a minority is very vocal.
Supply chain attacks are real for all package registries. The JS ones had more to do with registry accounts getting hacked than the compromised libraries being bad or useless.
Most programs only use one or a few hash functions, so grouping each family into a separate crate reduces compilation time for the majority of users. Could also help when auditing the removal of vulnerable hash functions.
As for ripgrep, the organization is quite sensible:
1. one crate to define an interface for regex matchers
2. one crate to implement the native matcher
3. one crate to implement the PCRE2 matcher
4. one crate to define a safe interface to the underlying PCRE2 library
Depending on the application, any one of 1+2+3+4, 1+2, 1+3+4, or 4 alone could be useful.
>I think that's an unfair framing. No one is paying Waterfox to allow ads
...
>Yes, that's correct. Startpage is the default search partner, and their search ads aren't blocked by default.
The framing seems fair to me. Certainly not more unfair than those who criticize Firefox for having a search deal that defaults to Google while allowing the user to change it (which some people do)
The distinction I'm drawing is between a revenue share from a search partnership and something like an acceptable ads programme where individual advertisers pay to bypass the blocker - those are different things.
"For how it works in practice: by default, text ads will remain visible on our default search partner’s page - currently Startpage. The idea is that this is what will keep the lights on."
Hezbollah has assassinated multiple government leaders and politicians and administrators within Lebanon, including a bombing that killed 23 people including the Prime Minister, and shootings that killed investigators responsible for investigating the Beirut port explosion a few years ago. Suspiciously this was shortly after Hezbollah was found by those investigations to have many links to the circumstances in which so much ammonium nitrate was being stored improperly in the first place.
Hezbollah also assisted the Assad regime in Syria during the Syrian Civil war - participating in laying siege to entire villages for long enough that people starved to death.
You are willfully ignorant. There is tremendous anger at Hezbollah even within Lebanon, especially since they restarted the war on Iran's behalf in recent weeks, giving Israel the casus belli to resume their bombing campaign against them.