Packages Not For Holidays
I have been watching, with interest, the progression of the Rust debacle in the Debian community. The linked article describes the kerfuffle succinctly, but for the habitually lazy, it can be distilled into a single sentence. Apt, which is the Debian package manager used to install software for the entire Debian operating system, is going to be using Rust—a language that deals with eliminating nasty computer bugs like buffer overflows that cause memory leaks and unexpected crashes.
The problem with Rust though, is that it is harboring a kind of mind virus in its very existence—the political “woke” virus. In case what that means is not clear, you can head on over to their Code of Conduct where you can uncover this prize:
We will exclude you from interaction if you insult, demean or harass anyone. That is not welcome behavior. We interpret the term “harassment” as including the definition in the Citizen Code of Conduct; if you have any lack of clarity about what might be included in that concept, please read their definition. In particular, we don’t tolerate behavior that excludes people in socially marginalized groups.
Does Rust then purchase computers for people who cannot afford them so they can possibly contribute to the Rust community? What does it mean to demean, insult, or harass someone? While there are clear examples of these behaviors, there are also people’s feelings, which do not necessarily have a basis in reality. The bigger question, to me, though, is why on EARTH does a programming tool require any of the above? I am going to tell you why.
Be Nice Or We Won’t
Nowadays, everything suffers from an implied agreement in the technology world. Gone are the days when you could use a tool, disagree with the makers of the tool politically, and build something. An analogy might be that if you purchase a Craftsman ratchet, you ALSO have to agree that you will engage in certain behaviors consistent with the Craftsman brand of being whatever it is to be a “good human being”. If you don’t do that, well, you might still be able to use the ratchet, but if it breaks you are on your own, since community guidelines dictate no aid will be given to someone who has violated whatever the community standards are. In this analogy, the ridiculousness of the situation is apparent. Nobody needs a political creed to use a ratchet to solve a problem. The ratchet simply needs to be a good ratchet. That’s it.
Now, we might like for the mechanic to be nice. However, what we really need from the mechanic, should we have a problem, is the ability for the problem to be fixable by the mechanic. I don’t need to like the guy/gal or agree with them on massive political issues. I don’t need to get their opinion on Rwandan genocides in a country neither of us live in nor really know all that much about. What I need is for them to fix whatever is wrong with my car using their tools and expertise. They do that, I pay them, life goes on.
Somewhere along the line, though, a bunch of tech people have decided that is not good enough even though nobody who programmed in C had to sign any kind of special conduct agreement to start programming in it. In fact, people were often very talented and mean and we still were able to learn something about programming from them—even if we otherwise hated their guts. In fact, many good teachers are often people that a student hates to deal with because a good teacher is going to make the student work and then, therefore, learn. That is, after all, their function. Nobody has to believe anything in common to learn from anyone. So, why then is technology so keen on making sure that if you use the tool you have to tacitly approve of the politics behind the tool?
Special Snowflakes?
There are whispers of “it’s a millennial issue.” While I’m not one to typically attribute problems to a generational gap, it does seem to me that the younger programmers out there are often misguided about what constitutes progress and what is really just some dipshit idea that was already tried a million times and already didn’t work. A big portion of that problem is that millennials are often sure of themselves without having any specific reason to be. It’s a false confidence that courts disaster.
With Rust, the problem is easy to spot by paying attention to the NPM ecosystem:
Yet another npm account has been compromised with malicious code. Sadly, it isn’t the first time. So far I’ve never heard of a similar attack against crates.io. But is that because crates.io is fundamentally more secure, or just luckier? I’d like to believe the former, but I fear the latter. What can we do to prevent attacks like this one? cargo-vet is the best idea I’ve heard so far, but I think its uptake is low.
One is not simply adding Rust to Debian, but also a reliance on the public repository of Rust packages, which makes Rust an even more likely target than NPM: if one can compromise Rust’s package ecosystem, one MIGHT also, in the future, be able to compromise the Debian Apt package manager.
So yes, Rust might solve some long-standing buffer overflow issue that has been around for 40 years or so, but it might also introduce a host of new ones, since everything is being re-programmed in Rust, while also opening the door for some kind of Cargo (Rust package manager) exploit.
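The reliance the last two paragraphs describe is visible in a project’s Cargo.lock: every entry whose source is the public crates.io registry is a publisher account you are trusting. The following is an added example (not from the post or from any Rust or Debian project) that parses a constructed Cargo.lock and sorts each locked crate by provenance: path crates, registry crates with a checksum, registry crates missing one, and git sources pinned only by commit.

```python
import re

CRATES_IO = "registry+https://github.com/rust-lang/crates.io-index"

# Constructed sample Cargo.lock; the crate names, versions and checksum are made up.
SAMPLE_LOCK = """\
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
 "helper",
]

[[package]]
name = "serde"
version = "1.0.200"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"

[[package]]
name = "helper"
version = "0.3.1"
source = "git+https://example.invalid/helper.git#deadbeef"

[[package]]
name = "odd"
version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Matches simple `key = "value"` lines; list-valued keys (dependencies) are skipped.
_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_lock(text):
    """Return one dict per [[package]] block with its scalar string fields."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        entry = {}
        for line in block.splitlines():
            match = _KV.match(line.strip())
            if match:
                entry[match.group(1)] = match.group(2)
        packages.append(entry)
    return packages

def audit_lock(text):
    """Bucket each locked crate by how its bytes are pinned and where they come from."""
    report = {"path": [], "registry_ok": [], "registry_no_checksum": [], "git": [], "other": []}
    for pkg in parse_lock(text):
        key = f'{pkg["name"]} {pkg["version"]}'
        source = pkg.get("source")
        if source is None:                      # local path crate: no download at all
            report["path"].append(key)
        elif source == CRATES_IO:               # public registry: the trust surface the post worries about
            bucket = "registry_ok" if "checksum" in pkg else "registry_no_checksum"
            report[bucket].append(key)
        elif source.startswith("git+"):         # pinned by commit hash, no registry checksum
            report["git"].append(key)
        else:
            report["other"].append(key)
    return report
```

A checksum pins the bytes cargo will accept but says nothing about whether the publishing account was compromised before those bytes were uploaded; that gap is what review-based tooling such as cargo-vet is meant to cover.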
Super Inclusivity At The Mushroom Cloud
At least before some foreign nation-state gets in there and blows up all of our infrastructure thanks to our good intentions, we will have the consolation of saying to ourselves, “Yeah, but look how tolerant and diverse we were!” At least Rust solved that problem that no one asked it to solve.