Tauri is a Rust-based, security-first, open-source application construction framework built on the philosophy of shipping better projects without compromising on our climate goals. This talk will introduce key components and benchmarks of the stable release of the fully-audited framework. Further it will discuss its future as a means of not only delivering desktop and mobile apps, but also its mission of backfitting Servo in order to make a fully fledged all-platform webview provider. Finally, we will present our award for "2022's most secure modern web-framework" in the context of webview-based Tauri apps.
Tauri Foundations and Futures
AI Generated Video Summary
Tauri is a tool built to improve the JS ecosystem, providing a lightweight alternative to Electron. It integrates the stack, focuses on security, and offers cross-platform compatibility. Security measures include a new iFrame interaction and a thorough audit. The importance of taking care of the planet and reducing app consumption is emphasized. Tauri's community, licensing, and future plans are discussed, as well as the challenges of web view support and the aim to create a consistent engine using Servo.
1. Introduction to Tauri
Three years ago, I came to JS Nation for the first time. Today, I want to give you an introduction to Tauri, a tool we built to make our ecosystem better.
Hey, you know, three years ago I came to JS Nation for the first time and it was about a month or two after we started working on Tauri. So it's kind of an amazing feeling to be back here, especially after these past couple of years, which have been really weird, right?
Like, these, these meetups have been kind of modified by the screen so we didn't even have this distance, right? We didn't have this way to look across. Where are we going? Where did we come from? And I think today, what I want to do in the talk is give you an introduction to Tauri. There's going to be a short video, then I'll talk about the parts of our important stack and then bridge into our philosophy about it. So time's short. I'm just going to move ahead. There's questions later. But I'm waiting for my Wi-Fi. So while the video is loading, and if it doesn't load, I'll just skip ahead, but we built Tauri in order to address a bunch of concerns and none of them were our ecosystem is bad. We built a tool to make our ecosystem better.
2. Building Secure Applications with Rust
Out of Atom grew Electron, which is a mixed bag. It allows you to do a lot of things, but it's heavy and ships an outdated browser and runtime. To address this, we built Tauri with Rust at the core. Tauri has three components: TAO, which creates windows and provides menus and system trays; WRY, which injects a web view into the TAO window; and an ecosystem that brings together systems-level engineers and front-end developers. Tauri integrates the stack, provides API access to the file system and build tools, and focuses on security and the basics.
The next part is WRY, and WRY allows you to inject a web view into the TAO window that you've already created. And the important thing to remember here is that we built these libraries on Rust, but other people can use them too, not just Tauri. So for example, the WRY library is being used by Astrodon, which as you might know is a project to build applications with Deno. We've helped them, and they've helped us, and I think that that's something that we're going to keep on coming back to in the talk, and that is that this ecosystem of Tauri is kind of unique in my experience because we're bringing not only systems-level engineers into the project, but also front-end people from all different disciplines, whether it's React or Vue or Svelte, or from the Rust side Dominator and Yew. And this all kind of comes together in Tauri.
So basically what you get with Tauri is it integrates all of this stack. It gives you API access to, for example, the file system from the WebView, and also the build tools, so that you get, if you need to sign the macOS binary, it'll do that for you. It will provide a system for automatic updates that you can give your users. And it's kind of the glue that holds it all together. So the features of Tauri are that you can bring your brownfield project, and it'll work. Of course, if you do a lot of things in Node.js, in Electron, you're gonna have to do some porting, but we really focus on security and the very basics. And I mentioned this earlier. It's super important for us that you, as developers, as engineering teams, have a baseline security that you know is there and that is verified and verifiable.
3. Tauri Features and Future
Tauri is always going to stay dual licensed MIT Apache 2. The bundle size is minimal, allowing for very small applications. We tree shake the Rust that you ship with your app, only including the functional points you need. Tauri is cross-platform and has partnered with Cloudflare for global app distribution. You don't need to know Rust, just install the compiler. Tauri works in iOS and Android, provides alternative renderers, and an updater service is coming. WebRTC on Linux is being worked on. Cross compilation is available for local testing.
This is, I guess, one of the most important parts of free and libre open source software, which I mean, I'm a maximalist. I'm a maximalist for open source. Tauri is always going to stay dual licensed MIT Apache 2. I'll talk more about how we're proving that later.
The most important thing, though, for a lot of you is then, also, going to be the bundle size. And that is minimal. You know, we're seeing applications that are very, very, very big in the context of what they do. And they come in around 5, 6 megabytes. The gulf that we've seen, I think, was 540 kilobytes if you watch your icon sizes. So you can get really very small applications.
The reason for that is that we also kind of tree shake the Rust that you ship with your app. So instead of shipping a full runtime, we just ship the functional points that you need in order to run your system. And obviously, like I said, it's cross-platform. You can build on a Windows device and then use our CI that we wrote for GitHub. GitLab is coming soon. And it will produce the binaries that you need. And the announcement is coming next week. I'm happy to tell you though that we've paired up with Cloudflare, so that if your project is open source, you can use Cloudflare Workers for free that will then globally distribute your apps wherever they're needed at the edge. It's exciting, and obviously, it's built on Rust. I was told to tell you though, you don't need to know Rust. You have to just install the compiler, and we take care of all of that for you.
Now, if you're familiar with Rust or you want to learn Rust, it's also a great opportunity to get your feet wet without committing. And where are we going from here? Well, since, I don't know, maybe a couple of days, we have verified that it works in iOS and Android. That's going to be landing in the next branch very soon. We're providing alternative renderers. If you don't like WebView, you can ship a GL window that will work on all the platforms as well. Like I mentioned, the updater service is coming. WebRTC on Linux is kind of the one thing that's stopping Element from adopting Tauri. But we're working on that together with the WebKitGTK team. Cross compilation is important for a lot of you because you want to test it locally.
4. Tauri: Additional Bindings and Security
Obviously, at scale, you want to use CI, but there are reasons to do it on one machine. And then additional bindings. A word about that because you might not know exactly what that means. The additional bindings means that you can write your back end in Python, C, Go, Nim, C++, choose your language. As long as it's got interop with C, you can harness Tauri and direct it. So, if you're familiar with any of those languages, even I think Swift is coming soon as well, you'll be able to just use our build system and talk to the application the way you want.
Now, we had a lot of beliefs about the system we built. We thought it was safe, we did our best work. Turns out we had like 54 findings. Radically Open Security did an amazing job working together with us and not only validating our approach but also hardening it. So one of our prerequisites for launching the 1.0 was having this horizontal and vertical audit. You can find the full audit over at our GitHub repo. Now, it's kind of obvious. We're staying in an Airbnb here in Amsterdam. In a boat. On one of the canals.
5. The Importance of Taking Care of Our Planet
And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is actually the problem, I think, that got us to where we are right now. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. But what we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.
And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is an example of the one I mentioned before. I think it was Jonas that built it from the team. You can make small binaries, but who cares, right? It's free real estate. This is actually the problem, I think, that got us to where we are right now, and that is in this room are about 100 people. Out there are another couple hundred. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. What we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.
6. The Impact of App Consumption on Global Warming
The more your app gets consumed, the more users download it, the more you're contributing to global warming. We still have to do everything we can to reduce our consumption.
Just as a really quick thing, the more your app gets consumed, the more users download it, the more you're contributing to global warming. This is just a little exercise in electricity consumption, and obviously your WebSockets, your REST requests, they consume traffic too, but we still have to do everything we can, and I think Tauri is a great step in that direction, and we're always working to reduce the bundle size and educate people, hey, shrink your PNGs. Use SVGs. It's not just about time to delivery, it's not about this speed that you have to show a website. It's really important that we reduce our consumption.
7. Community, Discord, Conservancy, Launch, and API
In the last few minutes, I'll discuss the community, running everything on Discord, the Commons Conservancy, the board of directors, the Open Collective, the book in progress, the recent 1.0 launch, and the stable API with bug fixes and new features coming.
So I've got about five minutes left. I'm going to talk about the community, who we are, and how you can get involved if you're interested.
So we run everything on Discord. We have a number of public channels. There are some private channels, but those are more for organizational purposes. That's because we believe in open source. We believe in community.
And when we first started getting contacted by venture capitalists, we didn't panic. We went to the Commons Conservancy, which is a foundation here in Amsterdam. What they do is they provide an organizational body that protects the code from license changing. It protects the code from people. It protects the code from someone coming in and saying it needs to be done differently, let's do it that way.
We have a board of directors, there is a new vote coming up soon, and we'll be announcing that in the Discord channels. We have an Open Collective where you can donate. We've used the funds from the Open Collective to pay for part of the audit that we had done, and also to pay for our trademark. If you're listening Red Bull, thank you very much for allowing us to use the name Tauri. That was an interesting thing.
We're also working on a book, expect to be out this year. Together with Packt Publishing, we're going to be talking in depth about what makes a Tauri app and the philosophy behind it. And I have three minutes left. I don't know if I can name everybody involved in this, but we did just launch the 1.0 at 5 a.m. this morning. Applause. Thank you.
Lucas and I's Journey, Community, and Licensing
Lucas and I started this as a hobby, and it turned into something that changed our lives. We have hundreds of contributors and a massive team. We want to grow with you and look forward to the next years of this project. Thank you for your questions. We took a taxi, and Tauri uses the MIT Apache 2 license. Let's discuss the militarization of open-source and the importance of community in shaping the ecosystem.
Lucas and I started this kind of as a hobby, and it turned into something that changed both of our lives. And he wanted me to tell you thank you. And I'm breaking down, sorry. I'm not even going to be able to remember all of the names. We have hundreds of contributors. You've got a massive team. We want the team to grow. We want to grow with you. And we really look forward to what's next, to the next years of this project. And yeah.
I'm just going to say thank you there and leave some more space for questions. Yeah. There's a reminder up here on the slides to please ask your questions. There aren't many yet, so I can ask all my questions, which is great. That's a great privilege of being an emcee.
So first question. Did you actually take the bike or did you take the taxi? We took the taxi. You thought I was not going to remember right? No, it's a good point. I'm scared of the bikes in Amsterdam. Well that's a fair point, I think. I had another question. So what kind of license does Tauri use? Tauri uses the MIT Apache 2 license, so it's up to you to use whichever you want. I always like to use that opportunity to talk about the militarization of open-source and how I personally don't believe in it. I think that as engineers we chose a license to enable people instead of to prevent them from doing things. I know there's been situations recently where people have decided to change their code or change their license, and it risks the health of the ecosystem. Community is the right place for that. Our guidelines, our expectations of behaviour, I think, are the morality, the backbone of open-source, and the license itself is just a legal agreement. It's not how we feel. Yeah, I think it's an interesting discussion anyway, but, yeah, I did notice that there are a couple of atmosphere licenses that I thought you — you probably considered all of that. Cool, very cool.
Tauri Web View Support and Future