Rust community typically uses
cargo and libraries from crates.io.
Chromium is built using
ninja and a curated set of dependencies.
When writing code in Rust, your choices are:
ninjawith the help of the templates from
rust_static_librarythat we’ll meet later). This uses Chromium’s audited toolchain and crates.
cargo, but restrict yourself to Chromium’s audited toolchain and crates
cargo, trusting a toolchain and/or crates downloaded from the internet
From here on we’ll be focusing on
ninja, because this is how Rust
code can be built into the Chromium browser. At the same time, Cargo is an
important part of the Rust ecosystem and you should keep it in your toolbox.
Split into small groups and:
- Brainstorm scenarios where
cargomay offer an advantage and assess the risk profile of these scenarios.
- Discuss which tools, libraries, and groups of people need to be trusted when
Ask students to avoid peeking at the speaker notes before completing the exercise. Assuming folks taking the course are physically together, ask them to discuss in small groups of 3-4 people.
Notes/hints related to the first part of the exercise (“scenarios where Cargo may offer an advantage”):
It’s fantastic that when writing a tool, or prototyping a part of Chromium, one has access to the rich ecosystem of crates.io libraries. There is a crate for almost anything and they are usually quite pleasant to use. (
clapfor command-line parsing,
serdefor serializing/deserializing to/from various formats,
itertoolsfor working with iterators, etc.).
cargomakes it easy to try a library (just add a single line to
Cargo.tomland start writing code)
- It may be worth comparing how CPAN helped make
perla popular choice. Or comparing with
Development experience is made really nice not only by core Rust tools (e.g. using
rustupto switch to a different
rustcversion when testing a crate that needs to work on nightly, current stable, and older stable) but also by an ecosystem of third-party tools (e.g. Mozilla provides
cargo vetfor streamlining and sharing security audits;
criterioncrate gives a streamlined way to run benchmarks).
cargomakes it easy to add a tool via
cargo install --locked cargo-vet.
- It may be worth comparing with Chrome Extensions or VScode extensions.
Broad, generic examples of projects where
cargomay be the right choice:
- Perhaps surprisingly, Rust is becoming increasingly popular in the industry for writing command line tools. The breadth and ergonomics of libraries is comparable to Python, while being more robust (thanks to the rich typesystem) and running faster (as a compiled, rather than interpreted language).
- Participating in the Rust ecosystem requires using standard Rust tools like Cargo. Libraries that want to get external contributions, and want to be used outside of Chromium (e.g. in Bazel or Android/Soong build environments) should probably use Cargo.
Examples of Chromium-related projects that are
serde_json_lenient(experimented with in other parts of Google which resulted in PRs with performance improvements)
- Fontations libraries like
gnrttool (we will meet it later in the course) which depends on
clapfor command-line parsing and on
tomlfor configuration files.
- Disclaimer: a unique reason for using
cargowas unavailability of
gnwhen building and bootstrapping Rust standard library when building Rust toolchain.)
run_gnrt.pyuses Chromium’s copy of
gnrtdepends on third-party libraries downloaded from the internet, by
--lockedcontent is allowed via
- Disclaimer: a unique reason for using
Students may identify the following items as being implicitly or explicitly trusted:
rustc(the Rust compiler) which in turn depends on the LLVM libraries, the Clang compiler, the
rustcsources (fetched from GitHub, reviewed by Rust compiler team), binary Rust compiler downloaded for bootstrapping
rustup(it may be worth pointing out that
rustupis developed under the umbrella of the https://github.com/rust-lang/ organization - same as
- Various internal infrastructure (bots that build
rustc, system for distributing the prebuilt toolchain to Chromium engineers, etc.)
- Cargo tools like
cargo vet, etc.
- Rust libraries vendored into
//third_party/rust(audited by email@example.com)
- Other Rust libraries (some niche, some quite popular and commonly used)