Tauri is a Rust-based, security-first, open-source application construction framework built on the philosophy of shipping better projects without compromising on our climate goals. This talk will introduce key components and benchmarks of the stable release of the fully-audited framework. Further, it will discuss its future as a means of not only delivering desktop and mobile apps, but also its mission of backfitting Servo in order to make a fully fledged all-platform webview provider. Finally, we will present our award for "2022's most secure modern web-framework" in the context of webview-based Tauri apps.
Tauri Foundations and Futures
From: JSNation 2022
Transcription
Hey, you know, three years ago I came to JSNation for the first time, and it was about a month or two after we started working on Tauri. So it's kind of an amazing feeling to be back here, especially after these past couple of years which have been really weird, right? Like, these meetups have been kind of modified by the screen, so we didn't even have this distance, right? We didn't have this way to look across, where are we going? Where did we come from? And I think today what I want to do in the talk is give you an introduction to Tauri. There's going to be a short video, then I'll talk about the parts of our important stack, and then bridge into our philosophy about it. So time's short, I'm just going to move ahead, there's questions later, but I'm waiting for my Wi-Fi.

So while the video is loading, and if it doesn't load I'll just skip ahead, but we built Tauri in order to address a bunch of concerns, and none of them were "our ecosystem is bad". We built a tool to make our ecosystem better. When we look at how applications have been built, it all started I think in this context with Atom. I don't know if you remember that, it just got sunset a couple days ago. Out of Atom grew Electron, and you know anyone who's been reading the Twitterati, they'll know that Electron is kind of this mixed bag. It allows you to do a lot of things, but I guess I'll just skip the video. It allows you to do a lot of things, but it's very heavy. So basically with Electron, with that system, you're shipping a browser that's generally out of date the moment you ship it. You're shipping an entire runtime, and also your JavaScript. Now there's this whole idea in the JavaScript community that isomorphic code is great.
I mean it is generally good for the ease of use, and you know we're going to get into the security implications of having everything easy later, but what also happens is attackers can jump from the JavaScript front end to the JavaScript back end, and you hear about terrible vulnerabilities and attacks all the time. So we decided to look at how we can rebuild this idea using Rust at the core, and so we have basically three components for Tauri, and it starts with a window. You know whether you're on Mac, Windows, Linux, or iOS, or Android, you need to have a window to put content into, and that's Tao. It allows you to create a window, it gives you menus, system trays, keyboard accelerators, and that's kind of like the skeleton, if you will. The next part is Wry, and Wry allows you to inject a web view into the Tao window that you've already created, and the important thing to remember here is that we built these libraries on Rust, but other people can use them too, not just Tauri. So for example the Wry library is being used by Astrodon, which as you might know is a project to build applications with Deno, and we've helped them, and they've helped us, and I think that that's something that we're going to keep on coming back to in the talk, and that is that this ecosystem of Tauri is kind of unique in my experience because we're bringing not only systems-level engineers into the project, but also front-end people from all different disciplines, whether it's React, or Vue, or Svelte, or from the Rust side, Dominator, and you know, you. And this all kind of comes together in Tauri.
So basically what you get with Tauri is that it integrates all of this stack, it gives you API access to, for example, the file system from the web view, and also the build tools, so that you get, if you need to sign a macOS binary, it will do that for you, it will provide a system for automatic updates that you can give your users, and it's kind of the glue that holds it all together. So the features of Tauri are that you can bring your brownfield project and it will work. Of course, if you do a lot of things in Node.js, in Electron, you're going to have to do some porting, but we really focus on security, and I mentioned this earlier, it's super important for us that you as developers, as engineering teams, have a baseline security that you know is there and that is verified and verifiable. This is, I guess, one of the most important parts of free and libre open source software, which, I mean, I'm a maximalist. I'm a maximalist for open source. Tauri is always going to stay dual-licensed MIT, Apache 2. I'll talk more about how we're proving that later. The most important thing, though, for a lot of you is then also going to be the bundle size, and that is minimal. We're seeing applications that are very, very, very big in the context of what they do, and they come in around 5, 6 megabytes. The gulf that we've seen, I think, was like 540 kilobytes, if you watch your icon sizes. You can get small applications. The reason for that is we also kind of tree-shake the Rust that you ship with your app. Instead of shipping a full runtime, we ship the points you need to run your system. Like I said, it's cross-platform. You can build on a Windows device and use our CI that we wrote for GitHub. GitLab is coming soon, and it will produce the binaries that you need, and the announcement is coming next week.
I'm happy to tell you, though, that we've paired up with Cloudflare so if your project is open source, you can use Cloudflare Workers for free that will then globally distribute your apps wherever they're needed at the edge. It's exciting. And, obviously, it's built on Rust. I was told to tell you, though, you don't need to know Rust. You have to install the compiler, and we take care of all of that for you. Now, if you're familiar with Rust, or you want to learn Rust, it's a great opportunity to get your feet wet without committing. And where are we going from here? Well, since, I don't know, maybe a couple of days, we've verified that it works on iOS and Android. That's going to be landing in the next branch very soon. We're providing alternative renderers, so, if you don't like WebView, you can ship a GL window that will work on all the platforms as well. Like I mentioned, the updater service is coming. WebRTC on Linux is the one thing that's stopping Element from adopting Tauri, but we're working on that together with the WebKitGTK team. Cross-compilation is important for a lot of you because you want to test it locally. Obviously, at scale, you want to use CI, but there are reasons to do it on one machine. And then additional bindings. A word about that, because you might not know exactly what that means. The additional bindings means that you can write your back end in Python, C, Go, Nim, C++, choose your language, as long as it's got interop with C, you can harness Tauri and direct it. If you're familiar with any of those languages, even I think Swift is coming soon as well, you will be able to use our build system and talk to the application the way you want.

So I've got like nine minutes and 30 seconds left. I'm going to breeze through security, but I shouldn't. One of the things we found in our help desks is that people all the time say, well, we don't care about security. Who cares? Just make it easy.
The biggest risk we see with young engineers, especially with the advancement of the amazing DX that tools like Vite and Svelte and Tauri are bringing, is that it's very easy to do stuff. You don't have to know what it means. You don't have to understand the implications of things. And we've tried to do our best to make it possible for you to make a perfectly secure application, to the point where we even invented a new kind of iframe interaction with our API that prevents third-party JavaScript from ever even being able to call it. Why is this important? Even in a sandboxed browser, there are zero-days, there are one-days. And in the context of an application that gives the app access to the network stack, to the file system, to the microphone, to the camera, you run the risk of allowing attackers to just get granular access to your systems. And whether you like it or not, today's applications live in operating systems that are always being compromised. And if you don't take care of this, you're actually making a vector where people can attack you and your users. So don't be a tool. Now, we had a lot of beliefs about the system we built. We thought it was safe. We did our best work. Turns out we had, like, 54 findings. Radically Open Security did an amazing job working together with us and not only validating our approach, but also hardening it. So one of our prerequisites for launching the 1.0 was having this horizontal and vertical audit. You can find the full audit over at our GitHub repo, just under the audits page.

Now, it's kind of obvious. We're staying in an Airbnb here in Amsterdam, in a boat, on one of the canals. And when you wake up, kind of thinking about what's going on on the planet, you think, well, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is an example of the one I mentioned before. I think it was Jonas that built it from the team. You can make small binaries, but who cares, right?
It's free real estate. This is actually the problem, I think, that got us to where we are right now. And that is in this room are about 100 people. Out there are another couple hundred. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. What we don't want to continue supporting is this ravaging of our planet, because we have to take responsibility for that. Not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because, like it or not, water is rising, droughts are everywhere, war is happening and we can do something and we have to. Just as a really quick thing, the more your app gets consumed, the more users download it, the more you're contributing to global warming. This is just a little exercise in electricity consumption. And obviously your WebSockets, your REST requests, they consume traffic too. But we still have to do everything we can. And I think Tauri is a great step in that direction and we're always working to reduce the bundle size and educate people, hey, shrink your PNGs, use SVGs. It's not just about time to delivery, it's not about this speed that you have to show a website. It's really important that we reduce our consumption.

So I've got about five minutes left. I'm going to talk about the community, who we are and how you can get involved if you're interested. So we run everything on Discord. We have a number of public channels. There are some private channels, but those are more for organizational purposes. That's because we believe in open source, we believe in community, and when we first started getting contacted by venture capitalists, we didn't panic. We went to the Commons Conservancy, which is a foundation here in Amsterdam. What they do is they provide an organizational body that protects the code from license changing. It protects the code from people.
It protects the code from someone coming in and saying it needs to be done differently, let's do it that way. We have a board of directors. There is a new vote coming up soon and we'll be announcing that in the Discord channels. We have an Open Collective where you can donate. We've used the funds from Open Collective to pay for part of the audit that we had done and also to pay for our trademark. If you're listening, Red Bull, thank you very much for allowing us to use the name Tauri. That was an interesting thing. We're also working on a book. It is expected to be out this year. Together with Packt Publishing, we're going to be talking in depth about what makes a Tauri app and the philosophy behind it. And, you know, I have three minutes left. I don't know if I can name everybody involved in this, but we did just launch the 1.0 at 5:00 this morning. Thank you. What that means. That means that the API is stable, it's not going to change. We're only going to apply bug fixes and this is our audit seal. New features are going to be landing in the next branch, which you can consume from JavaScript and Rust. That's just the simple, you know, git hash revision or tag. And I'm going to try and thank a couple people who've been really important to this project. Lucas and I started this kind of as a hobby, and it turned into something that changed both of our lives. And he wanted me to tell you thank you, and I'm breaking down. Sorry. I'm not even going to be able to remember all of the names. We have hundreds of contributors. We've got a massive team. We want the team to grow. We want to grow with you. And we really look forward to what's next to the next years of this project, and, yes, I'm just going to say thank you there, and leave some more space for questions.

There is a reminder up here on the slides to please ask your questions. There aren't many yet, so I can ask all my questions, which is great. That's a great privilege of being an MC.
So, first question, did you actually take the bike or did you take the taxi? We took the taxi. You thought I was not going to remember, right? No, it's a good point. I'm scared of the bikes in Amsterdam. That's a fair point, I think.

I had another question. So what kind of licence does Tauri use? It uses the MIT/Apache 2 licence. I always like to use that opportunity to talk about the militarisation of open source and how I personally don't believe in it. I think that, you know, as engineers, we chose a licence to enable people instead of to prevent them from doing things. I know there's been situations recently where people have decided to change their code or change their licence and it risks the health of the ecosystem. Community is the right place for that. Our guidelines, our expectations of behaviour, I think, are the morality, the backbone of open source, and the licence itself is just a legal agreement. It's not how we feel. I think it's an interesting discussion anyway, but I did notice that there is a couple of atmosphere licences that I thought you... But you probably considered all of that. Cool, very cool.

Let's see if there's any other questions. I did see something come in. Is the JavaScript support the same in the Tauri web view as in a browser? We support ES2021. I think the complicated part is that we use WKWebView on Mac-type devices, we use WebKitGTK on Linux-type devices, and we use WebView2 on Windows-type devices. As much as we love the web views, they're kind of like the unloved children of the browser ecosystem, because what happens is there's no real standards for them, and so they just kind of work or they don't work, and how do you get them updated?
I think that the actual operating systems do a pretty good job of keeping them up to date, but one of our research projects is in fact focusing on retrofitting Servo to become a proper web view, specifically for Tauri, because then we can guarantee that it's the same CSS, it's the same JavaScript engine on all platforms. Cool. I hope the person's question is answered.

I love this one. It's more of a request rather than a question, I think. Have you thought of making workshops for onboarding and educating the community towards better apps and security-oriented apps? Yes, we are planning a code workshop this fall in Malta that will then culminate in a one-day conference or something, some kind of event where the people from the workshop could present what they did and then people from Core and other companies can talk about their experience with Tauri. Awesome.

Let's do one more quick one. Can a Tauri app be deployed as a desktop and a web app simultaneously? Well, I mean, basically the way that Tauri works is you ship your React code, for example, you build it, and then Tauri takes that build and puts it into the binary, right? And if your pipeline is able to differentiate the builds, then, yes, and obviously, you know, with some clever JavaScript, you can detect if you are in a Tauri context and if so, apply the Tauri APIs, and if not, then apply the web APIs. Awesome. Thank you for that.

Our time is up, unfortunately, but I think we can all find you later, right, in the discussion rooms. There are the Q&A rooms that are just outside of this room. Do find our speakers there and ask your further questions. I think you're also joined by our remote audience there, so that might be really, really nice. Thank you so much. Thank you.