- cross-posted to:
- linux@programming.dev
The subject is considerably more complex and nuanced than expressed by these one or two (obviously frustrated) people. I won’t presume to capture all the issues, but this person on HN does a decent job of capturing some of them:
You have a minority who wants to impose a change, and the concerns outlined in that video by the audience member reflects genuine concerns from many other maintainers and contributors.
That this discussion repeats itself can only be taken to be either:
-
Evil C programmers are stodgy and old, and can’t/won’t get with the program, boo!
-
The Rust minority has, as of yet, failed to properly answer what happens when C APIs change in either signature or semantics, either of which can break the Rust bindings. Some questions:
-
Who tests to avoid this?
-
Who’s expected to fix it? The one changing the C code, who might not know Rust or a separate bindings team?
-
Is there a process ? A person to contact/raise the issue with? To get help or to have the work done?
-
What happens if the bindings cannot be fixed in time for the next Kernel release? Put differently, will Rust bindings changes hold back changes to the C code?
If broken bindings indeed can hold back changes, then C changes are held back by Rust and indeed then the onus is on the committer to either forego improving/evolving the C API or pick up Rust and fix the bindings also. In that case, yes, the Rust bindings will either freeze the C API or force the individual contributor to learn Rust.
That people repeat their concerns isn’t an expression of stupidity any more than a result of the people driving Rust into the kernel have yet to properly communicate how they envision this process to work, I suppose.
And then there is this angle, which also exists:
The concern from those contributors (and we might soon see the same in QEMU) is that these bindings are essentially a weaponization which forces the great majority of contributors to learn Rust or drop out. Essentially a hostile takeover.
The vibes I got in the other thread about Wedson’s announcement is that the concerns may be valid but there are indeed a handful of contributors who are aggressively shouting down Rust contributor’s efforts to set up the processes you outlined based on hard prejudice. The video Wedson posted was hard to watch. From the outside looking in it looks to be way more about ego than any particular technical roadblock.
Furthermore Lina’s concerns here are only broader what you are saying:
When I wrote the DRM scheduler abstractions, I ran into many memory safety issues caused by bad design of the underlying C code. The lifetime requirements were undocumented and boiled down to “design your driver like amdgpu to make it work, or else”.
My driver is not like amdgpu, it fundamentally can’t work the same way. When I tried to upstream minor fixes to the C code to make the behavior more robust and the lifetime requirements sensible, the maintainer blocked it and said I should just do “what other drivers do”.
Mainlining memory safety improvements, in C, for C code should be welcomed and it is very concerning if she indeed got shunned because the end goal was to offer lifetime guarantees (which to my admittedly non-expert eye sounds like it would be a good thing for memory safety in general).
The concern from those contributors (and we might soon see the same in QEMU) is that these bindings are essentially a weaponization which forces the great majority of contributors to learn Rust or drop out. Essentially a hostile takeover.
Seems like a moral panic over absolutely nothing (where are the Rust developers allegedly forcing people to learn Rust? all I’ve seen in these threads today is Rust developers asking for an open mind and a willingness to collaborate), and that the response to this “concern” is to block any and all changes that might benefit Rust adoption is really concerning (but unfortunately not unsurprising) behavior.
Mainlining memory safety improvements, in C, for C code should be welcomed and it is very concerning if she indeed got shunned because the end goal was to offer lifetime guarantees (which to my admittedly non-expert eye sounds like it would be a good thing for memory safety in general).
It would be a good thing. Nobody is debating that. It’s why Linus agreed to start experimenting with Rust in certain parts of the kernel.
However, trying to integrate one very specific approach to it into a large, already-working system that works quite differently, is a lot harder than writing from scratch one small component that mainly has to work in its own native ecosystem (as Lina has done).
Without good and realistic answers to how the long-term maintenance of such changes would be managed, it is myopically unrealistic to propose those changes, let alone to push this hard for them and be so dismissive of the folks who actually have the experience and responsibility to keep it all running. Especially when it’s something that the entire world has come to depend upon in one way or another, as is the case with the linux kernel.
The concern from those contributors (and we might soon see the same in QEMU) is that these bindings are essentially a weaponization which forces the great majority of contributors to learn Rust or drop out. Essentially a hostile takeover.
Seems like a moral panic over absolutely nothing (where are the Rust developers allegedly forcing people to learn Rust? all I’ve seen in these threads today is Rust developers asking for an open mind and a willingness to collaborate), and that the response to this “concern” is to block any and all changes that might benefit Rust adoption is really concerning (but unfortunately not unsurprising) behavior.
The problem isn’t the immediate thing they’re asking for; it’s the inevitable chain reaction of events that will follow. They don’t seem to understand the bigger picture, so they don’t have answers for how it would be managed. The obvious but unstated solution would be that many kernel developers would have to invest an enormous amount of time (which they might not have) to become proficient in Rust and adapt an enormous amount of surrounding code to it, on top of their existing responsibilities. More than a few people (who are very much in a position to know) see that as unviable, at least for now.
No viable alternative has been offered. Hence the objection. And, since the vocal minority keep on pushing for their changes without addressing the issues that have been raised, the only sensible response is to reject their request.
Without good and realistic answers to how the long-term maintenance of such changes would be managed, it is myopically unrealistic to propose those changes
Lina is talking about a minor change though. It challenges the dominant paradigm but her opinion seems to be that it doesn’t have negative impact on the overall maintainability. To shift the discussion to maintainability is whataboutism; if these kernels maintainers can’t accept patches that do not have a negative impact on maintainability or directly involve Rust in any way because they are related to Rust in general, that’s disappointing tribalism regardless of your opinions on Rust or Rust developers.
I might be missing some context here as I’m only going off what Lina has said, but if half of it is true then we need to shift attitudes before talking about how to integrate Rust in the kernel ecosystem. It certainly feels very disingenuous and retrograde to present Rust as some kind of existential threat rather than a novelty or opportunity, as if no combination of processes and tools could ever possibly overcome the stated maintainability challenges.
If rust code relies on a C API (as it necessarily does), then a breaking change to the API requires changing that rust code. This is common sense.
If a process is set up for deferring rust maintenance to a rust developer, this can only last as long as rust maintainers are willing to staff it.
If C developers are unwilling to accept any risk of needing to touch rust code in the future, then rust contributions should not have been allowed in the first place.
Allowing rust contributions and then imposing restrictions on what can be done with it? That’s not reasonable.
i can definitely see it as a “hostile takeover” of sorts, but this is something the project has decided on, for better or worse. i can understand not wanting to learn a new language that you may not like or agree with, but that means you will have to divest yourself from a project that adopts that language to a certain extent. Rust is—again for better or worse—something Linus thinks is good for the project, and thus learning Rust at least enough to not break the builds is a requirement for the project. i can’t imagine working on a software team where a chunk of people refuse to take part in a major portion of it simply because they’re not immediately familiar with it. that does sound like old crotchety behavior. on the other hand it’s tragic that so many people with all this experience are being forced into a design decision that arguably may have been made hastily and that they had little say in.
that makes this definitely an old guard vs new issue. and maybe it is an olive branch for the old guard to say “let’s just take our time with this.” but we have crossed a threshold where seeing a new project in C is the oddity while new projects in Rust are commonplace. Rust is mainstream now, and “i don’t want to learn this” is a dogshit technical justification.
Rust is—again for better or worse—something Linus thinks is good for the project, and thus learning Rust at least enough to not break the builds is a requirement for the project.
That misrepresents the situation. Linus accepted Rust provisionally, and only into certain parts of the kernel (drivers). It’s more of an experiment than what you wrote would suggest.
Rust is mainstream now,
Rust is highly visible now, due in no small part to its deafening evangelism. But it is not remotely mainstream in the sense of being a prevailing language, nor in the sense of being representative of the majority. It brings to the table a novel way to solve certain problems, and that is useful, but let’s not mistake that as the only way or those as the only problems.
Rust is mainstream now, and “i don’t want to learn this” is a dogshit technical justification.
That is a straw man.
i’m not really here to advocate for Rust in the kernel. i will say that i work on Rust professionally at a Fortune 100 company that is in the process of adopting it, which may skew my perception of it as mainstream, just to get the bias out of the way.
it is part of the project though, no? drivers still need to be interfaced with. so the people working on driver interfaces should be comfortable with it, again at least to preserve basic builds and do basic code review. this is specifically in reference to the issue that this thread is ostensibly started from: a kernel dev was getting worked up about “having to learn Rust”. so no, i don’t think it’s a strawman to point out the real people denying or frustrating patches just because they don’t understand the language. overly harsh maybe but not a total mischaracterization.
Your perspective makes more sense when you put it that way.
I think it’s important to understand that “having to learn Rust” is a proxy for “having to learn, become proficient in, become expert in, commit to regularly using, and take on the additional work of managing bindings between a large continually changing codebase and Rust, with no foreseeable end”. Multiply that by the number of kernel developers who would be affected, and remember that Rust in particular is famously time-consuming and (at least for some) often painful to use.
It’s not, “I don’t want to learn this”. (The people maintaining the kernel surely learn new things all the time in the course of their work, after all, as do most advanced programmers.) It’s more like, “I cannot reasonably take on such an enormous additional workload.”
The Rust camp in this disagreement doesn’t seem to grasp that yet. If everyone involved figures out a way to bridge that gap, I expect the frustrations will go away.
The thing here is that (even with things like the vfs interface), linux doesn’t have internal SPIs.
The friction here is that the rust devs want to write down the semantics in a formal fashion, and the C devs are used to a world where the semantics are implicit in the C code.
I thought the engagement in the video was the kind of useful feedback that was needed and asked for: “I’m not sure the semantics of this specific interface are precisely that,” which might have been out of place, but getting detail-focused feedback to an example is what you are going to have to expect from people who fit the role of VFS experts.
Ted was being an unconscionably rude fucker, but - diatribe aside - his process question is a reasonable one, although his solution “well you’re SOL” was poor, undiplomatic, and unhelpful.
Ted was being an unconscionably rude fucker, but - diatribe aside - his process question is a reasonable one, although his solution “well you’re SOL” was poor, undiplomatic, and unhelpful.
Maybe so. What I watched of the video had little surrounding context, though.
I’ve seen more than a few abrasive outbursts from people who care a lot about what they’re doing. When I see video of one, I try to keep in mind that they don’t often come out of nowhere. There’s a good chance that there was a much longer preceding exchange (perhaps not even in person) wherein the speaker had been trying to explain their perspective calmly and politely, but the other person was persistently missing it, due either to stubborn selfishness or to honest lack of understanding. Frustrated people sometimes resort to a blunt approach to try to get their message through.
In any case, I’m with you in noticing that important issues are being raised here. They’re not easy to solve, so it’s no surprise to see frustration along the way, but they still might lead to a good outcome.
Drew DeVault recently wrote up an idea similar to one that has been on my mind lately: What might come of a bunch of passionate Rust developers making a new kernel exposing Linux ABIs? It would be much faster and easier than a new kernel from scratch, because there’s already a working reference implementation in C. That seems like an effective way to work through design challenges without disrupting the existing system and development process, and once proven to work, might guide a better-defined path to integration with (or even replacement of) the C kernel. It would certainly have less friction than what we’re seeing now.
https://drewdevault.com/2024/08/30/2024-08-30-Rust-in-Linux-revisited.html
That’s an interesting notion (although it underestimates the effort, I think). Honestly, having machinery to write down contract semantics in a fashion amenable to automated proofs (meaning, does it type-check?) is massively promising; and I’m a dyed-in-the-wool C hacker. I would hope that the public exposure of this bad behaviour causes a few moments of self-reflection.
I suspect that attempting to chase a moving target of describing C apis with rust is just an avenue for burnout, unless there really is a mechanism for getting fixes back in the other direction, and professional respect flowing in both directions. That would be a massive shame, and an incredible missed opportunity.
It looks to me like there’s a bit of deadline ignoring going on, but even if it really is at heart reluctance to learn rust, aren’t a lot of linux developers volunteers? Getting cross that a bunch of volunteers don’t want to commit to permanently supporting rust (with its famously steep learning curve and famously hard to please borrow checker) seems a bit entitled to me.
“You there! Volunteers! Get on with doing exactly what I want exactly the way I want it and before you release your next version. Stop resisting the inevitable rise of your new priority: doing things our way. It’s better, so you’re wrong. Quickly now, stop resisting.”
No, the vast majority of linux developers are professionally employed to do it.
Ah OK, yes. Then “Hey, Intel, Red Hat, Linaro, IBM and 500 other companies and a bunch of other people, You have to make this massive C project rust compliant otherwise you’re tech luddites.” It’s still entitled.
What you describe would, indeed, be risible. Fortunately it’s merely histrionic twaddle.
Rust is mainstream now,
I mean, if you mean “Rustplaining is commonplace”, yeah.
-
In the spirit of making suggestions, as this frustrated Rust developer was doing, and in the spirit of reducing vulnerabilities, as Rust itself is trying to do:
Screen shots on lemmy are mostly hosted on remote sites, so they don’t show up for people who block off-site media (e.g. to avoid tracking). They don’t work with screen readers (e.g. for the vision impaired). They don’t work with search at all.
And since Mastodon won’t show anything unless the visitor allows javascript, and since it’s a distributed platform instead of a single well-known site, a would-be visitor would have to allow javascript on random web sites in order to view Mastodon posts. That would expose them to tracking and browser exploits.
For these reasons, quoting the text you want to share would be better than screen shots or Mastodon links, for convenience, utility, and safety.
Full text of the post by Asahi Lina (@lina@vt.social):
I regretfully completely understand Wedson’s frustrations.
A subset of C kernel developers just seem determined to make the lives of the Rust maintainers as difficult as possible. They don’t see Rust as having value and would rather it just goes away.
When I tried to upstream the DRM abstractions last year, that all was blocked on basic support for the concept of a “Device” in Rust. Even just a stub wrapper for struct device would be enough.
That simple concept only recently finally got merged, over one year later.
When I wrote the DRM scheduler abstractions, I ran into many memory safety issues caused by bad design of the underlying C code. The lifetime requirements were undocumented and boiled down to “design your driver like amdgpu to make it work, or else”.
My driver is not like amdgpu, it fundamentally can’t work the same way. When I tried to upstream minor fixes to the C code to make the behavior more robust and the lifetime requirements sensible, the maintainer blocked it and said I should just do “what other drivers do”.
Even when I pointed out that other C drivers also triggered the same bugs because the API is just bad and unintuitive and there are many secret hidden lifetime requirements, he wouldn’t budge.
One C driver works, so Rust drivers must work the same way.
Making the Rust bindings safe would have required duplicating much of the functionality of the C code just to track things to uphold the lifetime requirements. It made no sense. It would have been easier to just rewrite the whole thing in Rust (I might end up doing that).
To this day, bugs in the DRM scheduler have been the only causes of kernel panics triggered via my Apple GPU driver in production.
The design of that component is just bad. But because I come from the Rust world, the maintainer didn’t want to listen to my suggestions.
If it takes a whole year to get a concept as simple as a trivial “device” wrapper upstreamed (not any device model functionality, literally just an object wrapping a struct device so we can pass it around) then how is Rust for Linux ever going to take off?
Rust works. I’m pretty sure I’m the only person ever to single handedly write a complex GPU kernel driver that has never had a memory safety kernel panic bug (itself) in production, running on thousands of users’ systems for 1.5 years now.
Because I wrote it in Rust.
But I get the feeling that some Linux kernel maintainers just don’t care about future code quality, or about stability or security any more. They just want to keep their C code and wish us Rust folks would go away. And that’s really sad… and isn’t helping make Linux better.
There are some situations where I can see Rust’s type-ststem potentially being counterproductive. For instance, it may be valid to invert lock order in a chain of operations under some circumstances, and rust might prevent you from expressing that. I grew up with C (from the pre-ANSI days) and while lifetimes and ownership are things that good C devs care about, they are tacit - and the ability to play fast and loose when necessary is great.
The linux kernel is built on a foundation of these implicit semantics. Some of it is written down, some of it isn’t. I can see why asking “but what does this mean?” can lead to frustrating conversations and overly-qualified answers, but not everyone in that video was hostile to the prospect.
Is that not what
unsafe
is for?It’s what C is for, too.
The point is that there may be cases already where the type system that rust provides its guarantees off the back of is insufficiently expressive. (I say “may be” because there are ingenious qays to use what it does provide, although nonobvious and not necessarily without cost.) If you’re using
unsafe
then it’s just an uglier C. I don’t think anyone considers the current state of Rust’s type system to be the be-all and end-all of expressivity.
Based C devs.
The rust road WILL be built, the rust hotel WILL be built, and fuck whoever the land belonged to and all the previous infrastructure. They’ll simply replace everything with Rust™ built infrastructure.
Rust wants to force itself into everything and to change everything it needs to get itself working, and for some reason it has a cult defending all of its moves to make everything Rust™ compatible.
This shit is getting ridiculous.
C developers are basically the angry neighbor complaining that the city is building a bike lane.
Biking is really popular these days, because it’s healthier, cheaper, and better for the environment than driving, but new residents moving to the neighborhood will only move in if there’s good bike lanes. Now, nobody is asking the C developer to give up their car, but they’re still mad about the bike lane. They can’t be bothered to learn how to drive alongside bicyclists, and they say that bicyclists just have to deal with the fact that the C developers might run them over, and they should just get a car. All the bicyclists are afraid to use the bike lane because people keep getting run over by the C developer, and the C developer refuses to learn new driving techniques to share the road with bicyclists.
This eventually leaves to all the bicyclists moving to another city where they can bike safely, and the C developer’s neighborhood turning into a shithole ghost town with no developers left, all because the C developer is an asshole who can’t accommodate change.
tl;dr Language elitist salty that project owners don’t want them to refactor in more bugs.
Am I misunderstanding? I thought there were existing bugs caused by unclear lifetimes, and adding a simple C wrapper would prevent those, and make Rust Interop easier at the same time? Which they eventually did, but it took one year?
Why does fixing bugs and making the API more solid = “refactor in more bugs”?
We have one side’s unilateral description of how they perceive the existing state of things and their changes. Folks are very likely to poorly characterize things in a way that would sound crazy to disagree. However the truth is usually somewhere in between.
I have had very very vocal user that decry very deliberate design that the wider user base wanted as a “bug”. If someone read their rant without the wider context one would think my team was unreasonable and producing bad software. Even after fellow users took time to explain why they wanted his request rejected, he was quite adamant that everyone else was wrong.
UB is only one class of error you can get in a big, complex program. Re-writing functionality opens the door to every other potential class of error too.
I liked the approach the kernel devs were taking where rust modules were being integrated without the ‘core’ code being touched. I think people who want a complete re-write of everything (if they exist outside of my convenient straw man) are probably better off starting a fresh kernel project.
Nothing is being rewritten in Rust.
Yes, you’re right, from my understanding nothing is in the kernel. Was more referring to the “re-write in rust!!” meme but admittedly that’s a strawman.
Because that’s the inevitability when major changes are introduced, especially when solely for purposes not directly related to bugfixes.
refactoring does fix bugs
Refactoring replaces old, working bugs with new, untested bugs.
Might as well never write new code then 🤷
Maybe pick a proper time and place, yeah?
What time would SpaceNoodle allow? You’re in a thread about Kernel devs talking about contributing new code and why some new code is permissible, but other code, including C code, with fixes for C, are arbitrarily not allowed because it’s coming from a Rust dev.
With the “refactoring replaces old, working bugs, with new, untested bugs” mindset, you might as well stick with the good stuff from 50 years ago. Those bugs are very well-known.
It says “When I tried to upstream minor fixes to the C code to make the behaviour more robust”. That doesn’t sound like a major changes to me and related to some bugs 🤷♂️