►
Description
Tauri is a rust-based system for making small, fast, and secure applications using system Web views for desktops (and mobile very soon). In this talk, I will speak about the history, philosophy, approach, and future of the OSS Project Tauri.
Special Thanks to Microsoft for their support
Rust Linz: https://rust-linz.at - https://twitter.com/rustlinz - https://sessionize.com/rustlinz
A
Our
project
has
people
talking
about
it
on
hacker
news
and
state
of
j
s,
and
it's
it's
something.
That's
just
been
growing
over
time,
it's
a
kind
of
normal
growth
curve.
I
think,
but
I'm
gonna
leave
this
this
chart
up
here
for
a
second,
so
I
can
talk
a
little
bit
about
where
we
came
from
back
in
the
summer
of
2019.
My
my
friend
and
colleague
lucas
and
I
were
trying
to
find
a
better
way
to
do
things
we
just
weren't
satisfied
with
you
know:
node
webkit,
adam
shell
electron.
A
A
Some
of
you
might
know
that
project
it
was
adopted
by
boscop
and
wrapped
into
rust,
and
basically
it's
a
bunch
of
c
and
c
plus
and
a
bit
of
objective
c,
and
it
has
bindings
to
all
of
the
system
web
views,
which
seemed
like
a
great
idea
at
the
time-
and
you
know
our
very
first
proof
of
concept-
was
written
in
go,
but
then
we
did
one
in
rust
and
I
think
we
just
loved
the
pain
because
back
then
we'd
heard
of
rust.
Neither
of
us
had
used
it
and
we
thought
well.
A
It
just
seemed
that
somebody
had
put
a
lot
of
thought
and
effort
into
making
it
an
enjoyable
experience,
because
I
guess
the
worst
thing
that
can
happen
is
undefined
behavior
I
mean
okay,
we're
not
going
to
get
into
the
the
the
nomicon
and
unsafe
behavior
I'll
talk
a
little
bit
about
how
we
deal
with
unsafe
later,
but
as
time
grew
or
passed.
You
know
we
started
trending
all
of
the
time
and
this
grew
our
community
and
we'll
talk
about
community
in
a
little
while
as
well.
A
It
got
to
the
point
where
you
know
today.
I
took
these
screenshots
today,
so
today
we're
in
the
top
300
projects
on
github
and
we're
still
in
the
the
throes
of
releasing
our
our
1.0.
I
mean
our
rc
is,
is
just
about
to
be
released
and
in
the
top
300
projects
on
github.
You
know,
I
guess,
there's
like
18
million
or
something,
but
only
four
of
them
are
written
in
rust
and
are
five
excuse
me.
A
A
One
of
the
things
we
all
have
to
recognize
today
is
that
we
can't
really
trust
any
of
our
devices.
You
know
if
you,
if
you've
been
following
twitter,
you
you
understand
that
there
are
already
massive
root
kits
being
spread
around
the
ukraine
and
people
are
getting
their
data
encrypted
and
it
it's
not
a
sign
of
the
times.
A
A
One
of
the
the
recommendations
that
the
the
auditors
gave
us
is
something
that
we're
going
to
be
returning
to
in
the
next
months,
and
that
is
that
we
want
to
help
people
to
employ
more
secure
coding
practices
and
provide
tooling.
That
gives
you
at
compile
time
heads-ups
and
allows
you
to
integrate
with
your
continuous
integration
pipeline
to
throw
a
non-zero
error.
A
If
one
of
your
requirements
hasn't
been
met,
you
know
just
talking
about
the
security
aspects
of
towery
would
be,
I
don't
know,
probably
a
45
minute
introduction,
but
I
also
don't
want
you
to
just
take
my
word
for
it.
We
are
working
on
a
very
large
body
of
documentation
and
I'm
just
cherry
picking
a
couple
things
here.
So,
as
you
may
know,
towery
uses
a
webview
as
the
user
interface
and
provides
a
rust-based
core
backend,
and
we
also
provide
an
api
by
which
the
user
interface
can
communicate
with
the
core.
A
So,
for
example,
let's
say
you
just
want
to
read
a
binary
file
and
dump
the
the
contents
into
the
user
interface.
Well,
we
do
this
with
message
passing,
and
so
you
would
pass
a
message
calling
the
api
to
the
core.
The
core
would
then
find
that
file
if
you've
granted
the
application
permissions
to
read
that
specific
folder
and
then
return.
A
However,
you
want
to
get
that
information
back.
I
mean
if
it's
a
if
it's
a
jpeg,
you
could
just
you
know,
get
the
image
back
now.
You
might
hear
a
lot
of
alarm
bells
going
off
in
your
head.
Oh
my
gosh,
unsafe
javascript
and
I
have
to
tell
you
the
web-
is
a
hot
steaming
mess
the
moment
you
are
consuming
any
kind
of
third-party
package,
whether
it's
a
node
module,
a
rust
crate
or
even
a
wasm
blob
you're.
A
In
fact,
you
could
also
use
a
cdn
to
deliver
javascript
into
your
app
or
who
knows,
you
might
actually
render
an
entire
website
from
slack
hq
or
whatever
into
the
web
view,
and
the
issue
is
not
your
code
because
obviously
you're
doing
a
good
job,
but
an
attacker
can,
with
enough
pen
testing
social
engineering
github
reviewing
detect
that
you're
calling
certain
apis.
Maybe
they
know
that
you've
accept
listed
the
entire
body
of
apis
and
they
want
to
read
your
etc
shadow
file.
A
If
you've
permitted
everything,
then
maybe
it's
possible
for
them
to
do
that
and
what
the
isolation
pattern
does
is.
It
provides
a
secure
pathway
so
that
only
trusted
code
can
call
that
api
now
there's
a
there's,
an
entire
write-up.
On
this
page,
I
encourage
you
to
read
about
it
if
you're
interested.
A
A
We
all
feel
that
it's
absolutely
relevant
to
take
every
step
that
we
can
to
protect
the
environment
and,
if
you're
used
to
downloading
normal
applications
for
linux
windows
or
mac
you're
used
to
things
being
several
hundred
megabytes.
I
think
recently
I
saw
that
the
the
vs
code
project
is
about
500.
Megabytes
slack
is
like
300.
A
A
You
know
you'll
see
an
app
size
of
about
three
megabytes.
If
you
are
really
careful
about,
you
know,
embedding
fonts
and
applying
all
of
the
the
build
time.
Optimizations
three
megabytes
is
pretty
normal
and
you
know
it's
similar
for
other
applications
using
other
systems.
You
know
whether
it's
nwjs
or
electron
or
webview
200
is,
is
pretty
normal
when
they
ship
an
electron
app,
for
example,
you're
you're
shipping,
a
chromium
browser,
you're
shipping,
a
node
runtime
you're
shipping,
all
of
your
javascript
compressed
as
an
asar
and
for
a
long
time
that
worked
well.
A
But
this
afternoon
I
I
I
spent
a
lot
more
time
than
I
I
would
like
to
admit,
but
I
spent
a
little
time
going
through.
You
know
some
some
typical
scenarios
for
app
life
cycles,
and
so
what
what
you
see
here
is
you
know
the
download
time
for
a
single
unit
of
an
app.
So
if
it's
a
tower
app,
it
would
be
three
a
medium
size.
App
of
200
would
take.
A
You
know
it's
200
megabytes,
that's
you
know
about
16
seconds
to
download
on
a
normal,
100
mbs
system,
and
then
we
have
the
number
of
downloads.
So
you
know
if
it's
a
hobby
app,
you
might
get
a
thousand
downloads
over
time
if
it's
bigger
might
be
a
hundred
thousand
and
if
it's
even
bigger.
Well
I
mean,
if
you're,
a
very,
very,
very,
very
successful,
app
that's
around
for
several
years
and
you
push
out
updates
regularly.
A
I
can
tell
you
that
the
the
10
million
number
isn't
actually
very
far
away
from
reality,
maybe
on
the
short
side,
and
then
you
know
you
calculate
the
transit.
How
much
you
know,
electricity,
you
really
consumed
and
if
you
start
really
doing
the
math,
like
one
big,
very
successful
app
produces
enough
co2
that
it
would
need
2
million
160
000
trees
to
be
mature.
In
order
to
remove
the
co2
that
they've
produced,
I
mean
hey,
we
can
argue
about.
You
know
if
it's
0.06
kilograms
of
co2
or
0.1
kilowatts
per
hour
per
gigabyte.
A
A
A
You
know
wk
webkit,
on
mac
and
webkit
gtk
and
there's
css
rendering
problems,
and
it's
not
always
the
same
on
all
platforms,
but
as
someone
who's
been
involved
in
the
web
for
the
better
part
of
two
decades,
I
can
tell
you
it's
always
been
that
way
on
every
browser
I
mean
seriously.
Try
to
use.
Google
meets
on
firefox
on
linux.
A
A
We
really
prefer
the
tofu
approach,
trust
on
first
use,
you
come,
you
want
to
get
involved,
you're
absolutely
welcome
to,
and
I
think
that
that's
a
model
that
really
grew
out
of
you
know
off
the
heels
of
free
and
libra
open
source
software
where
that
community
came
from
was
yeah.
We
can
do
this
together
and
we
want
to
do
it
together,
so
we
don't
raise
the
bar
to
make
it
difficult.
There's,
no,
you
know
tests
just
show
up
and
say:
hey.
A
I
want
to
help
and
in
order
to
take
that
kind
of
one
step
further
with
our
community,
we
joined
the
commons
conservancy,
so
the
entire
code
base
is
owned
by
a
foundation
in
the
netherlands.
So
it's
the
towery
program
inside
within
the
commons
conservancy.
That's
our
spdx
claim
on
all
the
files
in
all
of
the
repos
and
the
reason
why
this
is
important
is
because,
as
the
project
has
grown.
A
We
wanted
to
not
only
address
the
very
real
concerns
of
maintainership
burnout,
but
also
hostile
takeovers
and
the
ability
for
funding
to
come
in
and
change
the
project
in
ways.
We
didn't
want
it
to
change
and
that's
why
there
is
no
open
core
model.
Everything
is
open.
Everything
is
dual
licensed
mit
apache
2.0,
and
it's
always
going
to
stay
that
way.
A
A
You
know
the
free
part
of
open
source
into
something
other
than
free
real
estate.
You
know
that's
this
kind
of
ideological
model
of
of
open
source-
that's
sort
of
been,
I
don't
know,
crushing
us
for
such
a
long
time
as
a
community,
and
it's
why
people
burn
out
and
it's
why
people
only
do
open
source
on
weekends
and
nights,
and
I
don't
know.
I
think
I
think
that
that's
something
that
we
can
all
address
and
work
toward
changing.
A
A
I
alluded
at
the
beginning
to
the
the
way
in
which
we
were
interacting
with
the
webview
community
via
the
project
from
z,
serge
and
what
we
discovered
there
was.
We
were
constantly
using
multiple
language
paradigms
in
order
to
address
different
pro
different
operating
systems,
and
so
we
we
sort
of,
went
back
to
basics,
and
I
mean
actually
the
first
thing
we
built
was
rye.
The
the
web
view
rendering
library
that
injects
it
into
a
window,
but
we
needed
to
create
a
window
and
we
were
using
at
first
the
amazing
win
it
project.
A
A
I
think
it
also
has
room
for
improvement
and
we're
looking
forward
to
engaging
with
that
community
as
time
goes
on
and
continuing
our
engagement
and
for
linux,
we're
using
webkit,
gtk
and
webkit.
Gtk
is
also
a
special
case,
but
the
fun
doesn't
really
stop
there,
because
you
know
on
windows
and
mac.
You
always
really
know
more
or
less.
A
What's
what's
serving
up
your
your
window,
but
on
linux
there's
a
variety
of
things
you
have
to
contend
with
whether
it's
x,
server
or
if
you're,
using
gnome
or
I
mean
the
the
matrix
of
of
possibilities
on
linux,
really
makes
that
system
into
a
whole
number
of
unique
edge
cases
that
we're
still
working
on.
So
anyone
out
there
really
interested
in
getting
involved.
We,
I
think
that
that
linux
is,
is
the
family,
where
a
lot
of
attention
could
be
spent,
especially
with
regard
to
packaging,
but
that's
telry.
A
So
towery
takes
the
the
tau
and
the
win
libraries
and
adds
apis
application
structure
and
build
tooling
into
the
into
the
mix,
and
so
with
the
apis.
What
you?
What
you
end
up
getting
are
things
you
can
call
from
well
things
low-level
system
interfaces
that
you
can
call
from
rust
or
from
javascript
in
the
user
interface,
and
so
we
know,
we've
we've
provided
interfaces
to
classical
things
like
the
file
system,
and
you
know
the
dialogue
for
where
do
you
open
or
save
a
file?
A
A
You
then
determine
which
parts
of
the
javascript
system
and
which
parts
of
the
rust
system
you
want
to
use
in
your
final
binary-
and
you
know
it's
one
of
those
twofers
well,
on
the
one
hand,
you
have
a
smaller
binary
size
and
the
second
hand
you
have
a
smaller
attack,
surface
area,
you
know,
and
instead
of
you
know,
placing
the
entire
v8
engine
inside
of
your
application,
you're
only
placing
the
exact
things
that
you
need.
I
mean
I'm
preaching
to
the
choir.
A
Doing
a
wonderful,
a
wonderful
integration
of
rye
so
that
they
can
build
desktop
applications,
and
you
know
they
they
take
care
of
the
the
rest
of
the
bundling
on
their
side,
and
it
just
goes
to
show
that
there's
a
lot
of
possibilities
out
there
and
by
modularizing
your
libraries,
you
can
make
them
accessible
to
people
who
might
not
want
the
whole
kitchen
sink
right.
So
I'll.
Just
briefly
talk
about
a
couple
of
the
features
that
the
towery
project
brings
so,
first
and
foremost
on
everyone's
mind
here
is:
do
I
have
to
install
node.js
you?
A
A
A
One
common
use
case
for
this
is
to
spin
up
a
transparent,
splash
screen,
while
the
bulk
of
your
application
is
loading,
but
you
can
also
make
a
sort
of
headless
application
that
just
lives
in
the
system.
Tray
there's
also
a
lot
of
use
cases
for
that,
and
we've
even
seen
some
jenkins.
That's
not
the
name,
some
jarvis,
I
forgot
the
name,
but
this
type
of
spotlight
application.
A
You
know
learning
the
lessons
from
from
other
frameworks
and
I'll
get
to
the
updater
in
a
second.
We
have
a
little
bit
of
a
couple
announcements
for
you
all
here
today
and
obviously
there's
also
dev
tools.
So
in
the
web
view
you
can
hook
into
the
javascript
console
you
can
step
through.
You
can
analyze
the
traffic,
the
memory
consumption.
Basically
everything
you
would
expect
from
a
modern,
html
javascript
css
renderer.
A
We
also
provide
a
secure
context
without
needing
you
to
without
strong
arming
you
into
using
a
localhost
web
server
and
it's
sort
of
low-key.
I
think,
but
it's
one
of
the
things
that
we're
very
proud
of
and
and
that
is
in
isolation,
type
projects
in
greenfield
projects
where
you
get
to
design
how
you
do
everything
just
because
you're
using
html,
css
and
js
for
the
user
interface
doesn't
mean
you
have
to
comply
with
the
rest
of
what
html
is.
A
Like
I
said,
we
provide
mac
os
windows
in
linux
and
we
have
a
github
action
for
building
all
platforms,
we're
working
on
a
gitlab
version
of
that.
But
it's
complicated,
I'm
not
going
to
talk
about
that
today.
It's
future
and
it
works
with
all
web
frameworks.
I
will
mention
one
key
thing:
I'm
not
really
gonna,
I'm
not
good
at
calling
people
out,
but
in
this
case
I
think
a
commendation
is
definitely
in
order.
A
If
you're
familiar
with
javascript
there's
a
thing
called
the
object,
prototype
and
you
can
as
a
developer,
modify
that
prototype
as
a
hacker.
It's
great
stuff,
it's
really
fun
to
to
modify
the
prototype,
and
one
of
the
security
features
that
we
are
offering
in
1.0
is
the
ability
to
freeze
that
prototype,
which
means
that
people
that
you
probably
don't
want
messing
around
with
the
prototype.
A
Can't
there
is
one
framework
out
there
that
we've
noticed
works.
Fine
if
you
freeze
the
prototype,
and
that
is
felt
if
you
don't
know,
svelt
big
thumbs
up
to
that
team.
Amazing,
crew,
wonderful,
wonderful,
build
system,
tiny,
binaries,
logical
or
not
binaries,
but
tiny,
tiny
blobs
that
you
render
out
and
super
performant
easy
to
understand,
great
to
use
highly
recommended,
and
you
can
freeze
the
object
prototype.
A
The
fully
audited
and
stable
1.0,
that's
coming
in
the
next
week
or
two,
maybe
three,
but
we're
we're
we're
already
at
a
number
of
rcs.
For
this.
This
big
release
and
it
has
been
audited.
The
auditors
have
approved
it,
they're
still
keeping
a
watchful
eye
over
us,
and
this
is
sort
of
the
the
semi
biggest
announcement.
If
you
are
running
a
open
source
project
on
github
we've
partnered
with
a
pretty
large
company
out,
there
called
cloudflare
who
are
providing
the
towery
organization,
unlimited
workers,
and
what
that
means
is
using
our
updater
service.
A
A
It's
been
audited
by
our
friends
at
radically
open
security
and
it's
an
easy
low-friction
way
for
your
project
to
get
out
there,
and
it
will
ultimately
save
you
time
and
effort,
so
mobile
apps
are
coming.
We
already
have
proofs
of
concept
for
android
and
ios
they're,
both
obviously
differently
complicated.
A
Maybe
you
want
to
prune
that
down
then
the
elephant
in
the
room
bindings
to
other
languages.
Why
would
anyone
ever
want
to
use
a
different
language?
You
ask
rust,
is
perfect,
we're
not
maximalists.
We
come
from
a
place
where
we
recognize
that
every
developer
might
want
to
do
things
their
own
way.
They
might
use
c
sharp.
A
They
might
want
to
use
dino,
they
might
want
to
use
java,
they
might
want
to
use
python,
and
our
plan
is,
after
the
1.0
launches,
to
create
bindings
to
the
core
functionality
of
towering,
so
that
you
know,
instead
of
merely
creating
a
side
car,
you
can
actually
rig
and
run
an
entire
towery
application
from
the
comfort
of
of
emacs
and
common
lisp.
If
that's
your
thing,
so
next
up
webrtc,
it
already
works
on
windows
and
mac.
A
But
obviously,
if
you
do
not
compile
webkit
gtk
yourself,
you're
not
going
to
get
webrtc
and
since
that's
something
that
nobody's
doing
right
now,
it's
not
technically
available.
We
are
working
with
agelia
to
push
this
forward
and
big
shout
out
to
the
g
streamer
team.
Amazing.
If
you
haven't
heard
of
g
streamer,
then
go
back
to
crawling
under
your
rock,
because
that
project
has
been
around
forever
and
it's
still
kicking
next
up.
Gl
windows
we're
working
on
a
proof
of
concept
with
egui.
A
If
you
haven't
heard
of
it
awesome
project,
it
is
fantastic
and
we
hope
to
be
releasing
an
update
later
this
summer,
where
that's
been
integrated
and
available,
it
might
only
be
on
the
next
branch
because
it
hasn't
been
audited.
Obviously
you
know
us.
We
only
want
you
to
be
safe.
If
you're
able
to
audit
it
yourselves
and
you
think
it's
safe,
then
I'm
sure
it's
okay
to
use
in
production,
but
we
like
to
have
those
guarantees,
and
so
the
final
thing
here
is
the
books
books.
A
It's
not
going
to
be
the
the
codex
that's
coming
out
later
this
year,
it'll
be
a
much
bigger
volume
where
we
go
into
every
teeny,
tiny
corner
of
towering,
but
this
book
will
be
coming
out
in
the
next
several
months.
There's
a
link
down
there.
I
think
that's
where
you
can
find
it
online
thanks
to
our
publisher
pact,
we're
really
looking
forward
to
it
and
thank
you.