Articles tagged #rust

crates.io phishing attempt

Earlier this week, an npm supply chain attack.

Now it’s the turn of crates.io, the main public repository for Rust crates (packages).

The phishing e-mail looks like this:

A phishing e-mail: Important: Breach notification regarding crates.io  Hi, BurntSushi! We recently discovered that an unauthorized actor had compromised the crates.io infrastructure and accessed a limited amount of user information. The attacker's access was revoked, and we are currently reviewing our security posture. We are currently drafting a blog post to outline the timeline and the steps we took to mitigate this. In the meantime, we strongly suggest you to rotate your login info by signing in here to our internal SSO, which is a temporary fix to ensure that the attacker cannot modify any packages published by you.
Andrew Gallant on BlueSky

And it leads to a GitHub login page that looks like this:

A fake GitHub sign-in page.
Barre on GitHub

Several maintainers received it — the issue is being discussed on GitHub.

The crates.io team has acknowledged the attack and said they’d see if they can do something about it.

Introducing facet: Reflection for Rust

I have long been at war against Rust compile times.

Part of the solution for me was to buy my way into Apple Silicon dreamland, where builds are, like… faster. I remember every time I SSH into an x86_64 server, even the nice 64-core ones.

And another part was, of course, to get dirty with Rust itself.

I wrote Why is my Rust build so slow?, which goes in-depth into Rust build performance, down to rustc self-profiling even!

The virtue of unsynn

Addressing the rumors

There have been rumors going around, in the Reddit thread for facet, my take on reflection in Rust, which happened a bit too early, but here we are, cat’s out of the bag, let’s talk about it!

Rumors that I, podcaster/youtuber fasterthanlime, want to kill serde, serialization / deserialization framework loved by many and which contributed greatly to Rust’s success, and I just wanted to address those rumors and say that…

Open sourcing the home CMS

I’ve been bragging about my website software for years! For… whew, it’s been 5 years!

A screenshot of github commits for the beginning of my website. It has commit messages like 'learning rusqlite', 'walk stuff', 'import input files', 'parse frontmatter and stuff', and 'do stuff in parallel'.

I didn't want to make a CMS! I did it out of spite!

I’ve been teasing folks about the cool things I did from the beginning — here are all the articles and series I’ve written that mention it:

The promise of Rust

The part that makes Rust scary is the part that makes it unique.

And it’s also what I miss in other programming languages — let me explain!

Rust syntax starts simple.

This function prints a number:

    fn show(n: i64) {
        println!("n = {n}");
    }

And this program calls that function — it looks like any C-family language so far, we got parentheses, we got curly brackets, we got, uhh…

The case for sans-io

The most popular option to decompress ZIP files from the Rust programming language is a crate simply named zip. At the time of this writing, it has 48 million downloads. It’s fully featured: it supports various compression methods and encryption, and can even write ZIP files.

However, that’s not the crate everyone uses to read ZIP files. Some applications benefit from using asynchronous I/O, especially if they decompress archives that they download from the network.

Catching up with async Rust

In December 2023, a minor miracle happened: async fn in traits shipped.

As of Rust 1.39, we already had free-standing async functions:

    pub async fn read_hosts() -> eyre::Result<Vec<u8>> {
        // etc.
    }

…and async functions in impl blocks:

    impl HostReader {
        pub async fn read_hosts(&self) -> eyre::Result<Vec<u8>> {
            // etc.
        }
    }

ktls now under the rustls org

What’s a ktls

I started work on ktls and ktls-sys, a pair of crates exposing Kernel TLS offload to Rust, about two years ago.

kTLS lets the kernel (and, in turn, any network interface that supports it) take care of encryption, framing, etc., for the entire duration of a TLS connection… as soon as you have a TLS connection.

For the handshake itself (hellos, change cipher, encrypted extensions, certificate verification, etc.), you still have to use a userland TLS implementation.
