← Back to context

Comment by CDSlice

5 years ago

For context, this comes after yet another unsoundness bug has been found in Actix-web. Normally people in the Rust community don't get very worked up over these because we know that everyone makes mistakes, but the Actix project has had a consistent history of introducing unsoundness through the use of unsafe for dubious reasons like nebulous performance increases or bypassing Rust's safety guarantees (which is what this last one was about). Furthermore, when someone raised this issue and provided a patch to fix it the actix-web maintainer called the patch "boring"[1]. He also censored comments that talked about the unsoundness and eventually deleted the entire issue. This sort of behavior should not be acceptable from any open source maintainer that runs such a large, foundational part of the ecosystem.

[1] https://web.archive.org/web/20200116203731/https://github.co...

10 comments

CDSlice

Reply
jmiskovic  5 years ago

I completely disagree with your last sentence. Think of actix-web as a gift to the world (and judging by its popularity, a very nice gift). Being verbally abused by vocal majority of freeloaders would drive anyone furious.

I think I understand your perspective, though. It would benefit the community to have projects of great importance properly maintained. How to ensure it? Well, by paying people to do it, not necessary developers but active project mantainers. Only then you are entitled to complain about somebody doing a lousy job. To sponsor it, introduce micro-transactions for dependencies.

  • CDSlice  5 years ago

    Obviously being vocally abused is not OK no matter what the victim has done. This is a big problem and I think Steve's article that is currently on the top page of HN gives a good overview of that part of the situation.

    My problem with viewing all open source as a gift to the world, take it or leave it, is that when people create open source packages, market them as being ready for production use and as the best option for said production use, and then act unprofessionally towards security issues and reject patches that fix the security issues for no reason other than being "boring" and "not creative enough" people should be able to call them out on it as unacceptable behavior for an open source maintainer. If actix didn't claim to be production ready and instead stated that it was an experimental code base designed to advance the state of the art in web server performance I wouldn't have a problem with how it was managed. However, once you claim that something is production ready I think you need to be ready to take responsibility for it.

    • howeyc  5 years ago

      I strongly disagree, with extreme passion.

      They could have marketed it as the greatest gift to humanity for all I care. It's your responsibility to handle your use of code. Sure, you may find issue's in your dependencies, and you're welcome to submit a bug or provide a fix, but if you expect anything more than the code as it is, it's still your problem how to deal with it.

      The entitlement is astounding. A person providing free code doesn't owe you anything or "need to take responsibility" or whatever else you may want.

      2 replies →

rossjudson  5 years ago

You say, "This sort of behavior should not be acceptable from any open source maintainer that runs such a large, foundational part of the ecosystem."

Or what? What's the "punishment" here? Who's going to decide what's acceptable, and what's not?

Seems like you are demanding that the author of Actix do what you want.

Sometimes people take their football and go home. In this case the vocal complaining minority are free to make their own copy of the football, and proceed on their own...which is also known as "put up or shut up".

swsieber  5 years ago

> This sort of behavior should not be acceptable from any open source maintainer that runs such a large, foundational part of the ecosystem.

And the better solution wouldn't be to harass the guy, but to recommend and try to move the ecosystem away from actix.

trhway  5 years ago

>Actix project has had a consistent history of introducing unsoundness through the use of unsafe for dubious reasons like nebulous performance increases or bypassing Rust's safety guarantees

sounds like the author had specific strategic vision - "push the boundaries" - which he clearly explained, and there are other people who don't agree with such an approach, both are valid positions in their own right, and instead of being jerks and trying to shove their approach down the project owner's throat these other people should have just started their own project reflecting their more conservative approach.

It is like those people who try to push Linus to use C++ and do other funny stuff in the kernel - one should go and read Linus' responses to the people like these.

http://harmful.cat-v.org/software/c++/linus

"Quite frankly, even if the choice of C were to do nothing but keep the C++ programmers out, that in itself would be a huge reason to use C.

[...] I've come to the conclusion that any programmer that would prefer the project to be in C++ over C is likely a programmer that I really would prefer to piss off, so that he doesn't come and screw up any project I'm involved with."

StreamBright  5 years ago

> but the Actix project has had a consistent history of introducing unsoundness through

Then you can stop using Actix and create a better project or fork it and fix these unsoundness bugs and call it ActixSound. I do not see the point to rally up the crowd and raid his Github in the name of soundness. This reflects poorly on the Rust community.