Tauri Foundations and Futures


Tauri is a Rust-based, security-first, open-source application construction framework built on the philosophy of shipping better projects without compromising on our climate goals. This talk will introduce key components and benchmarks of the stable release of the fully-audited framework. Further, it will discuss its future as a means of not only delivering desktop and mobile apps, but also its mission of backfitting Servo in order to make a fully fledged all-platform webview provider. Finally, we will present our award for "2022's most secure modern web-framework" in the context of webview-based Tauri apps.

22 min
16 Jun, 2022

Video Summary and Transcription

Tauri is a tool built to improve the JS ecosystem, providing a lightweight alternative to Electron. It integrates the stack, focuses on security, and offers cross-platform compatibility. Security measures include a new iFrame interaction and a thorough audit. The importance of taking care of the planet and reducing app consumption is emphasized. Tauri's community, licensing, and future plans are discussed, as well as the challenges of web view support and the aim to create a consistent engine using Servo.


1. Introduction to Tauri

Short description:

Three years ago, I came to JS Nation for the first time. Today, I want to give you an introduction to Tauri, a tool we built to make our ecosystem better.

Hey, you know, three years ago I came to JS Nation for the first time and it was about a month or two after we started working on Tauri. So it's kind of an amazing feeling to be back here, especially after these past couple of years, which have been really weird, right?

Like, these, these meetups have been kind of modified by the screen so we didn't even have this distance, right? We didn't have this way to look across. Where are we going? Where did we come from? And I think today, what I want to do in the talk is give you an introduction to Tauri. There's going to be a short video, then I'll talk about the parts of our important stack and then bridge into our philosophy about it. So time's short. I'm just going to move ahead. There's questions later. But I'm waiting for my Wi-Fi. So while the video is loading, and if it doesn't load, I'll just skip ahead, but we built Tauri in order to address a bunch of concerns and none of them were our ecosystem is bad. We built a tool to make our ecosystem better.

2. Building Secure Applications with Rust

Short description:

Out of Atom grew Electron, which is a mixed bag. It allows you to do a lot of things, but it's heavy and ships an outdated browser and runtime. To address this, we built Tauri with Rust at the core. Tauri has three components: TAO, which creates windows and provides menus and system trays; WRY, which injects a web view into the TAO window; and an ecosystem that brings together systems-level engineers and front-end developers. Tauri integrates the stack, provides API access to the file system and build tools, and focuses on security and the basics.

When we look at how applications have been built, it all started, I think, in this context with Atom. I don't know if you remember that. It just got sunset a couple days ago. Out of Atom grew Electron and anyone who's been reading the Twitterati, they all know that Electron is kind of this mixed bag. It allows you to do a lot of things. But I guess I will skip the video. It allows you to do a lot of things, but it's very heavy. Basically, with Electron, with that system, you're shipping a browser that's generally out of date the moment you ship it. You're shipping an entire runtime and also your JavaScript.

Now, there's this whole idea in the JavaScript community that isomorphic code is great. I mean it is generally good for the ease of use, and we're gonna get into the security implications of having everything easy later. But what also happens is attackers can jump from the JavaScript front-end to the JavaScript back-end, and you hear about terrible vulnerabilities and attacks all the time. So we decided to look at how we can rebuild this idea using Rust at the core. And so we have basically three components for Tauri, and it starts with a window. You know, whether you're on Mac, Windows, Linux, or iOS, or Android, you need to have a window to put content into. And that's TAO. It allows you to create a window, it gives you menus, system trays, keyboard accelerators, and that's kind of like the skeleton, if you will.

The next part is WRY, and WRY allows you to inject a web view into the TAO window that you've already created. And the important thing to remember here is that we built these libraries on Rust, but other people can use them too, not just Tauri. So for example, the WRY library is being used by Astrodon, which as you might know is a project to build applications with Deno. We've helped them, and they've helped us, and I think that that's something that we're going to keep on coming back to in the talk, and that is that this ecosystem of Tauri is kind of unique in my experience because we're bringing not only systems-level engineers into the project, but also front-end people from all different disciplines, whether it's React or Vue or Svelte, or from the Rust side Dominator and Yew. And this all kind of comes together in Tauri.

So basically what you get with Tauri is it integrates all of this stack. It gives you API access to, for example, the file system from the WebView, and also the build tools, so that you get, if you need to sign the macOS binary, it'll do that for you. It will provide a system for automatic updates that you can give your users. And it's kind of the glue that holds it all together. So the features of Tauri are that you can bring your brownfield project, and it'll work. Of course, if you do a lot of things in Node.js, in Electron, you're gonna have to do some porting, but we really focus on security and the very basics. And I mentioned this earlier. It's super important for us that you, as developers, as engineering teams, have a baseline security that you know is there and that is verified and verifiable.

3. Tauri Features and Future

Short description:

Tauri is always going to stay dual licensed MIT Apache 2. The bundle size is minimal, allowing for very small applications. We tree shake the Rust that you ship with your app, only including the functional points you need. Tauri is cross-platform and has partnered with Cloudflare for global app distribution. You don't need to know Rust, just install the compiler. Tauri works in iOS and Android, provides alternative renderers, and an updater service is coming. WebRTC on Linux is being worked on. Cross compilation is available for local testing.

This is, I guess, one of the most important parts of free and libre open source software, which I mean, I'm a maximalist. I'm a maximalist for open source. Tauri is always going to stay dual licensed MIT Apache 2. I'll talk more about how we're proving that later.

The most important thing, though, for a lot of you is then, also, going to be the bundle size. And that is minimal. You know, we're seeing applications that are very, very, very big in the context of what they do. And they come in around 5, 6 megabytes. The gulf that we've seen, I think, was 540 kilobytes if you watch your icon sizes. So you can get really very small applications.

The reason for that is that we also kind of tree shake the Rust that you ship with your app. So instead of shipping a full runtime, we just ship the functional points that you need in order to run your system. And obviously, like I said, it's cross-platform. You can build on a Windows device and then use our CI that we wrote for GitHub. GitLab is coming soon. And it will produce the binaries that you need. And the announcement is coming next week. I'm happy to tell you though that we've paired up with Cloudflare, so that if your project is open source, you can use Cloudflare Workers for free that will then globally distribute your apps wherever they're needed at the edge. It's exciting, and obviously, it's built on Rust. I was told to tell you though, you don't need to know Rust. You have to just install the compiler, and we take care of all of that for you.

Now, if you're familiar with Rust or you want to learn Rust, it's also a great opportunity to get your feet wet without committing. And where are we going from here? Well, since, I don't know, maybe a couple of days, we have verified that it works in iOS and Android. That's going to be landing in the next branch very soon. We're providing alternative renderers. If you don't like WebView, you can ship a GL window that will work on all the platforms as well. Like I mentioned, the updater service is coming. WebRTC on Linux is kind of the one thing that's stopping Element from adopting Tauri. But we're working on that together with the WebKitGTK team. Cross compilation is important for a lot of you because you want to test it locally.

4. Tauri: Additional Bindings and Security

Short description:

At scale, you can use CI, but there are reasons to do it on one machine. Tauri allows you to write your back end in various languages and talk to the application the way you want. Security is a significant concern, and Tauri has taken measures to ensure the development of secure applications. They have invented a new kind of iFrame interaction to prevent third-party JavaScript from accessing sensitive systems. A thorough audit was conducted by Radically Open Security to validate and harden the system. The full audit can be found on their GitHub repo.

Obviously, at scale, you want to use CI, but there are reasons to do it on one machine. And then additional bindings. A word about that because you might not know exactly what that means. The additional bindings means that you can write your back end in Python, C, Go, Nim, C++, choose your language. As long as it's got interop with C, you can harness Tauri and direct it. So, if you're familiar with any of those languages, even I think Swift is coming soon as well, you'll be able to just use our build system and talk to the application the way you want.

So, I've got like nine minutes and 30 seconds left. I'm going to kind of breeze through security, but I shouldn't. Like, one of the things that we found in our help desks, is that people all the time, they say, well, we don't care about security. Like, who cares? Just make it easy. And, like, the biggest risk that we see with young engineers, especially with the advancement of the amazing DX that tools like Vite and Svelte and Tauri are bringing is that it's very easy to do stuff. So you don't even have to know what it means. You don't have to understand the implications of things. And we've tried to do our best to make it possible for you to make a perfectly secure application. To the point where we even invented a new kind of iFrame interaction with our API that prevents third party JavaScript from ever even being able to call it. Why is this important? Even in a sandbox browser, there are zero days, there are one days. And in the context of an application that gives the app access to the network stack, to the file system, to the microphone, to the camera, you run the risk of allowing attackers to just get granular access to your systems. And whether you like it or not, today's applications live in operating systems that are always being compromised. And if you don't take care of this, you're actually making a vector where people can attack you and your users. So don't be a tool.

Now, we had a lot of beliefs about the system we built. We thought it was safe, we did our best work. Turns out we had like 54 findings. Radically Open Security did an amazing job working together with us and not only validating our approach but also hardening it. So one of our prerequisites for launching the 1.0 was having this horizontal and vertical audit. You can find the full audit over at our GitHub repo. Now, it's kind of obvious. We're staying in an Airbnb here in Amsterdam. In a boat. On one of the canals.

5. The Importance of Taking Care of Our Planet

Short description:

And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is actually the problem, I think, that got us to where we are right now. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. But what we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.

And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is an example of the one I mentioned before. I think it was Jonas that built it from the team. You can make small binaries, but who cares, right? It's free real estate. This is actually the problem, I think, that got us to where we are right now, and that is in this room are about 100 people. Out there are another couple hundred. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. What we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.

6. The Impact of App Consumption on Global Warming

Short description:

The more your app gets consumed, the more users download it, the more you're contributing to global warming. We still have to do everything we can to reduce our consumption.

Just as a really quick thing, the more your app gets consumed, the more users download it, the more you're contributing to global warming. This is just a little exercise in electricity consumption, and obviously your WebSockets, your REST requests, they consume traffic too, but we still have to do everything we can, and I think Tauri is a great step in that direction, and we're always working to reduce the bundle size and educate people, hey, shrink your PNGs. Use SVGs. It's not just about time to delivery, it's not about this speed that you have to show a website. It's really important that we reduce our consumption.

7. Community, Discord, Conservancy, Launch, and API

Short description:

In the last few minutes, I'll discuss the community, running everything on Discord, the Commons Conservancy, the board of directors, the Open Collective, the book in progress, the recent 1.0 launch, and the stable API with bug fixes and new features coming.

So I've got about five minutes left. I'm going to talk about the community, who we are, and how you can get involved if you're interested.

So we run everything on Discord. We have a number of public channels. There are some private channels, but those are more for organizational purposes. That's because we believe in open source. We believe in community.

And when we first started getting contacted by venture capitalists, we didn't panic. We went to the Commons Conservancy, which is a foundation here in Amsterdam. What they do is they provide an organizational body that protects the code from license changing. It protects the code from people. It protects the code from someone coming in and saying it needs to be done differently, let's do it that way.

We have a board of directors, there is a new vote coming up soon, and we'll be announcing that in the Discord channels. We have an Open Collective where you can donate. We've used the funds from the Open Collective to pay for part of the audit that we had done, and also to pay for our trademark. If you're listening, Red Bull, thank you very much for allowing us to use the name Tauri. That was an interesting thing.

We're also working on a book, expected to be out this year. Together with Packt Publishing, we're going to be talking in depth about what makes a Tauri app and the philosophy behind it. And I have three minutes left. I don't know if I can name everybody involved in this, but we did just launch the 1.0 at 5 a.m. this morning. Applause. Thank you.

What that means. That means that the API is stable, it's not going to change. We're only going to apply bug fixes and this is our audit seal. New features are going to be landing in the next branch, which you can consume from JavaScript and Rust. It's just a simple, you know, git hash revision or tag. And I'm going to try and thank a couple of people who have been really important to this project.


8. Lucas's and My Journey, Community, and Licensing

Short description:

Lucas and I started this as a hobby, and it turned into something that changed our lives. We have hundreds of contributors and a massive team. We want to grow with you and look forward to the next years of this project. Thank you for your questions. We took a taxi, and Tauri uses the MIT Apache 2 license. Let's discuss the militarization of open-source and the importance of community in shaping the ecosystem.

Lucas and I started this kind of as a hobby, and it turned into something that changed both of our lives. And he wanted me to tell you thank you. And I'm breaking down, sorry. I'm not even going to be able to remember all of the names. We have hundreds of contributors. You've got a massive team. We want the team to grow. We want to grow with you. And we really look forward to what's next, to the next years of this project. And yeah.

I'm just going to say thank you there and leave some more space for questions. Yeah. There's a reminder up here on the slides to please ask your questions. There aren't many yet, so I can ask all my questions, which is great. That's a great privilege of being an emcee.

So first question. Did you actually take the bike or did you take the taxi? We took the taxi. You thought I was not going to remember right? No, it's a good point. I'm scared of the bikes in Amsterdam. Well that's a fair point, I think. I had another question. So what kind of license does Tauri use? Tauri uses the MIT Apache 2 license, so it's up to you to use whichever you want. I always like to use that opportunity to talk about the militarization of open-source and how I personally don't believe in it. I think that as engineers we chose a license to enable people instead of to prevent them from doing things. I know there's been situations recently where people have decided to change their code or change their license, and it risks the health of the ecosystem. Community is the right place for that. Our guidelines, our expectations of behaviour, I think, are the morality, the backbone of open-source, and the license itself is just a legal agreement. It's not how we feel. Yeah, I think it's an interesting discussion anyway, but, yeah, I did notice that there is a couple of atmosphere licenses that I thought you — you probably considered all of that. Cool, very cool.

9. Tauri Web View Support and Future

Short description:

Tauri web views use different engines on different platforms, but we are working on retrofitting Servo to ensure consistency. The lack of standards for web views makes them challenging to work with, but the operating systems usually handle updates. Our research project aims to create a dedicated web view for Tauri using Servo, ensuring the same CSS and JavaScript engine across platforms.

Let's see if there's any other questions. I did see something come in. Is the JavaScript support the same in the Tauri web view as in a browser? We support ES 2021. I think the complicated part is that we use WK WebKit on Mac-type devices, we use WebKit GTK on Linux-type devices, and we use WebView2 on Windows-type devices. And as much as we love the web views, they're kind of like the unloved children of the browser ecosystem. Because what happens is there's no real standards for them. And so, they just kind of work or they don't work. And how do you get them updated? And I think that the actual operating systems do a pretty good job of keeping them up-to-date. But one of our research projects is, in fact, focusing on retrofitting Servo to become a proper web view for, specifically for Tauri. Because then we can guarantee that it's the same CSS. It's the same JavaScript engine on all platforms. Cool. I hope the person's question is answered.
