Host

Rust is quietly spreading as a language of choice to build reliable and performant applications. But what makes it different? Alice Real is a software engineer working on Google's Android Rust team, a core maintainer of Tokyo, the de facto async runtime for Rust, and is a Rust language team advisor. In today's conversation, we cover the pitch on why Rust is worth to consider whether you are using TypeScript or C today, how concepts like ownership, the borrow checker, and the unsafe keyword work, and what are things that trip up newcomers to Rust, how the language is governed without a benevolent dictator, and how RFCs and additions work, and many more. If you want to understand what makes Rust different and why so many engineers say once it compiles, it works, this episode is for you. This episode is presented by Entithesis. Verify your system's correctness without human review or traditional integration tests, and avoid bugs or outages. This episode is brought to you by Sentry. Sentry is application monitoring software built by developers for developers. The first time I used sentry was 10 years ago back at Uber, where Sentry helped keep us honest on when and where our services were breaking. I also use Sentry today to help me understand if the services and APIs I built for the Pragmatic engineer are healthy or not. Sentry shows you the full context on issues Stack traces, user actions, environment details, and even the exact line of code that caused the issue. It supports pretty much every Modern Tech Stack, TypeScript, JavaScript, Python, Go, and others. It works on backend, frontend, mobile, you name it. One new feature Sentry launched is Seer, their AI debugging agent.

Interviewer

Let me show you.

Host

I open the Seer agent and ask about what are some repeated errors happening on my backend. Seer figures out that a repeated issue is a network call failure. I can then ask for more details and debug more efficiently with this AI agent integrated neatly into Sentry. Seer is a neat tool to fix the hard issues, the ones that are just hard to debug. Check out Sentry@Sentry IO Pragmatic and start monitoring today.

Interviewer

Alice, welcome to the podcast.

Alice Real

Thank you for having me.

Interviewer

It's really nice to have you here. How did you get into software engineering?

Alice Real

It actually all started with Minecraft.

Interviewer

No way.

Alice Real

I wanted to write my own mod for Minecraft so I learned Java. I didn't get very far with the Minecraft modding, but that's where it started.

Interviewer

How did you continue? Did you go to university?

Alice Real

This was just before I started in high school and then after High school, I had a year where I worked full time as a software engineer and then I moved on to starting my bachelor. Did that for three years, and then I did a master's for two years.

Interviewer

How did you end up at Google? Was that straight out of university?

Alice Real

Actually started part time at the same time as when I started my master's and then I switched to full time after I finished.

Interviewer

How did you get involved with the Rust community? Was it at Google? Was it before Google? Oh, way before, way before.

Alice Real

I've been doing Rust for a long time. When I was in school, I spent a lot of time on the. What's called the Rust users forum. Well, I was answering questions. Really. I have maybe 10,000 posts on there or something. At some point I also started being active in some chat servers, the Discord server for something called Tokyo. I kept doing that, answering questions. When I saw common questions, I would fix the documentation. That's how I got into Tokyo, which I'm now one of the maintainers of.

Interviewer

And then for those of us not as familiar with Rust and Tokyo, what is Tokyo inside of Rust and why is it important?

Alice Real

So Tokyo is. Well, it's an asynchronous runtime for Rust. You can think of it as the standard library for Rust when you're using Async. I mean, if you compare with something like JavaScript in the browser, you might compare Tokyo with the browser itself. For example, in JavaScript, you have this loop, this event loop, which has all the tasks that are able to run and then they get executed one after the other. And especially if you use the Await stuff, then you can have tasks pause and then another task starts running on the same thread. And Tokyo does something similar. It has a queue of things that are able to run and then it will run them. So unlike JavaScript, Tokio can be multi threaded, so you can have multiple queues running in parallel.

Interviewer

This seems like a pretty core part of Rust as a language, as a ecosystem. How did you gravitate towards this? Because it sounded like you were, if I understand you were lurking on the Rust forums, you were helping out here and there. What drew you to this part of the language or the ecosystem, should I say?

Alice Real

I think part of what I liked about Rust is this feeling that as you write the code, when it compiles, it works. I mean, this has to be in quotes, right? Because obviously it's possible that there are bugs. But this is something a lot of people say about Rust, and there's a reason people say it, even though it's not necessarily literally true.

Interviewer

How do some other languages compare to begin with?

Alice Real

I think to have a language that feels this way, you have to have a type system. That's where it all starts. I do think that even compared to other languages with type systems, I think Rust does a better job than many languages even or those with type systems. I mean, the classic example is Java's Null. It was Tony Hare who invented the null and he called it his billion dollar mistake because it's so easy to have. I mean, every time you call a function you might have a crash in your program. And in Rust I think they're really good at making sure that when you call a function, there's no chance that it might be null. Right. That problem just doesn't exist. So you can't have that kind of crash. And so you have to explicitly say this object might be null and then the compiler will force you to check for null before you use it. So you can't forget like you can in Java.

Interviewer

Can we talk about Rust as a whole? This was a language that was created 20 years ago in 2006 and it feels like it's become a lot more popular over time. Do you know of like the scale that Rust Rust is at in terms of usage or popularity or things that along the Rust community numbers that are known there?

Alice Real

One thing I found kind of funny, I checked here the other day and we have actually overtaken PHP and go on the TIOBE index.

Interviewer

Oh, that index tries to estimate the usage of languages. Right?

Alice Real

Usage or popularity or something like that. Wow.

Interviewer

Because the feeling I have again in general is Rust is popping up in more and more places, more companies are building on Rust. Oxide is a good example. They decide go all in on Rust and like there's a sense of Rust is becoming a popular place to build, I guess high performance applications, even increasingly contributing to the kernel. As an engineer who you know, might know other languages from like TypeScript, Java, et cetera, what would your pitch be on why it's worth checking out Rust or working with Rust?

Alice Real

That depends a lot on which language you're coming from.

Interviewer

Let's come from Typescript. It's one of the most popular languages right now.

Alice Real

The PID from TypeScript would be a lot different than the pitch from C. But okay, so to begin with, I think when it comes to Typescript, Rust fits in as the backend language. That's where I would put it. I wouldn't use it in the front end. I think it's a pretty good fit for backends API servers. One way to put it is you don't want to be waking up at night because there are problems with your web server. You need a language that's reliable, that's gonna have as few bugs as possible. I mean, obviously it would be nice if it had zero bugs, but you know, it's gonna be hard to get there. But as few bugs as possible. That's the idea of Rust. I mean, I already mentioned null, but it does a lot of stuff like that. So there's no null checking. And this is done through, you know, it has this enum type, which, I mean, I think TypeScript can do something similar. TypeScript is actually kind of good on that front, but. Okay. The other thing I think is quite good is error handling. So, on one hand, Rust doesn't really use exceptions, so it actually returns the error as a value. So you return a value that's either using an enum, either the result or the error. And the way this is done is that there's an operator question mark which says, so you write my function and then question mark at the end. And this means if this function failed, return the error. So it's really easy to handle errors, but it's not zero characters like it is with exceptions. Right. So it's explicit. On the other hand, and if you forget to put the question mark, that's a compilation error.

Interviewer

Wonderful.

Alice Real

So you have to check it. Yeah, Right. And of course, you can also handle it manually. But the point is, it's this idea of there are these things where you write some code and there's some implicit error condition you didn't think of and now you just took down your server or something. Another thing I quite like is how it handles documentation.

Interviewer

How does it.

Alice Real

For one, when you have a comment, you make it into a documentation comment by having three slashes instead of two. Now, the thing is, you can of course write examples in your documentation, and Rust makes all examples into tests. This means that if you change the underlying code now, your test fails. And so this means that you can't forget to update your examples in your documentation. Yeah.

Interviewer

And I guess there's also things like you. Can you forget to initialize a variable in Rust?

Alice Real

I mean.

Interviewer

No, it doesn't allow you. Right.

Alice Real

Yeah. You have to set a value before you use it for the first time.

Interviewer

Yeah. And I guess the things with checking the format of incoming JSON, it also forces you to do that.

Alice Real

Yeah. So there's a pretty cool library called SERDE in Rust where you. You have your struct so your type, you know, with fields. And then you can say, I want to be able to pass this from, for example, JSON and then SERD A will, it's a macro. It will generate code which checks the JSON that it's in the same format. It has all the fields you need and they have the right types and it generates native code that's specific to that particular shape of JSON. So it's also really efficient.

Interviewer

And again, yeah, so it helps you avoid errors. And there's this thing which again I learned just very recently thanks to you, as we're talking ahead of this, is the switch statement. Right? So in almost every language you have a switch for an enum and you handle cases and then you might have a default or you know everything else and sometimes you forget one of them. It's not a big deal. Or maybe it's a big deal, but in Rust you cannot do that either, right?

Alice Real

That's right. So in Rust it's not called switch, it's called match. But it's the same idea. You can match on your enum and then you can have a branch for each possibility around B. And if you are missing one, that's a compiler error. Of course you can have a catch all case if you want to, but most of the time you would just list all the cases. And then in the future when you add a new variant, the compiler will tell you, oh, you need to update your code here, here, here and here. And I think this kind of leads to another way that Rust really helps with reliability, which is that if you're refactoring, I think Rust is really good at telling you all the places you need to update. I've done this sometimes where I would refactor something. I change the code, I change the return type or whatever it is, and then I just fix the compiler errors until the compiler stops shouting. And then once I've done that, I've updated every place I need to update.

Interviewer

I get a sense that the language designers have thought really hard of what are ways that typically go wrong in a lot of other programming languages and they just try to fix it through the compiler. The documentation example is the one where I'm still like, wow, it happens all the time. You have a comment example or not, and then it gets out of sync and we always complain about this and we don't know how to fix it. I know, I've been complaining for a decade. Plus, this Drost is the first language right here, like an actual solution, even if it's not a perfect one.

Alice Real

And I really think this pattern, just everywhere you look you have this kind of thing again and again that, oh, if you messed up, they, you know, either it won't compile or at the very least there's a lint for it. They just catch a lot of cases at compile time.

Interviewer

And we've had this pitch from Typescript or similar languages. What about the pitch from C?

Alice Real

So here I actually think it's even stronger. The thing with C is that if you make a mistake in JavaScript, maybe you take down your server, which is already bad enough, but in C, when you make a mistake there, now it's actually a security vulnerability. Most of the time if you do something as trivial as you did an off by one in your array or whatever it might be, that's a security vulnerability. And this just keeps happening. Small mistakes become security vulnerabilities. And in Rust. So Rust is memory safe, right? I mean, we talked a bunch about different ways that Rust is more reliable and we didn't even touch about memory safety.

Interviewer

Let's talk about memory safety.

Alice Real

Memory safety is this idea that no matter how stupid the code you write is, it's not going to have a certain class of bugs. And this is the kind of bug that usually leads into security vulnerabilities. The kind of thing where you repass the array and you just look at random memory, or you destroyed an object and then you used it afterwards. So now you actually touch the memory of some other random object. Yep.

Interviewer

And then an attacker who figures this out could populate something there, eventually get that code somehow executed or configuration read, and then boom.

Alice Real

The classic example in the kernel is, let's say you have some object and you manage to make it so that the object that's actually there because the original object is gone, so the memory got reused and now it has a task struct it's called, and that's basically your process and it has a field called User id. And it's pretty common for code to write zeros to memory, but if you write a zero to the user ID

Interviewer

now you're a root, that's a root user.

Alice Real

Yeah, that's a really classic way of exploiting this kind of vulnerability.

Interviewer

And then once an attacker manages to do that, they can take over whatever your server or whatever is running. And then of course from there on it can just fire a lot of control. Right.

Alice Real

Once you're root, you're lost.

Interviewer

Yeah. Do I understand that? A very strong pitch of Rust, especially coming from C, is Memory safety eliminates this whole class of bugs, which can turn into security vulnerabilities, which are one of the most serious threats any software can have.

Alice Real

Plus all of the reliability ones I mentioned in the beginning.

Interviewer

That is a pretty good pitch.

Host

We just talked about how Rust offers several safety features like memory safety, error handling and a type system. This is because reliability is not about one thing, but several things at once. This is where I need to mention our presenting sponsor, Antithesis. Like the designers of Rust, Antithesis also believes there's no one silver bullet for reliability. You need many different tools and approaches. This is why they've released Hegel Rust, a free open source property based testing library for Rust built by the team behind Hypothesis. Rust's compiler is brilliant at catching whole categories of bugs at compile time. But at the edge cases, the weird input combinations, the assumptions that turn out not to hold, those runtime bugs need a different tool. Hegel provides powerful ergonomic property based testing for fast local development. It'll check edge cases you never thought of and catch unknown unknowns before they bring down production. And if you try Hegel and Likeit, your Hegel test will run an antithesis as written, so you can easily add determinism and the world's most thorough runtime verification to your reliability Arsenal. Go to Hegel.dev to learn more. I'd also like to mention two conferences this year where I'll be talking and where we can also meet. On the 4th of June I'll be doing a keynote at Craft Conference in Budapest, Hungary. This conference is one of the very best ones in Europe, focused on software craftsmanship and one where I'm a returning speaker. For more details, check out craft-conf.com and on the 15th and 16th of September I'll be doing a keynote at LDX3 in New York. This is the festival for Modern Engineering leadership. Last year I was at LDX3 in London and so I'm excited to be back, this time in New York. For more details about this conference, head to leaddev.com if you'll be at either of them. I'll see you there. And with this, let's get back to Rust and to Alice.

Interviewer

I wanted to ask why Rust is getting so popular, but I think we're starting to answer this question right?

Alice Real

I think where Rust is really unique is in the combination of things. So on one hand it doesn't have a garbage collector and it's usable in low level contexts like the Linux kernel or firmware or whatever.

Interviewer

Why is it a good or a bad thing to have a garbage collector. Java has a garbage collector, C has a garbage collector.

Alice Real

So a garbage collector says, once you've done using your objects, there's going to be a little piece of code that checks all of your. Your object and says this is not used anymore. And then it cleans it up. Whereas in languages like Rust or C, the variable is cleaned up at the end of the scope when it goes out of scope, and in the other one they have to detect afterwards. And this kind of little piece of code that runs every so often to check all your objects for embedded use cases, this might simply be not possible or unacceptable.

Interviewer

The performance overhead, the fact that you will not be able to control the

Alice Real

memory as much, even for backend, it can be a problem because if you have a request incoming right, when it checks all of your objects, like you have some sort of latency spike where it takes much longer to reply. So that's one of the reasons it can be helpful in backend as well.

Interviewer

For someone who has not yet seen Rust code, how would you describe it, how it compares to, for example, TypeScript?

Alice Real

I mean, in many cases, Rust code is similar to many of the other languages that has braces. It's not like Python where you use indentation, it has braces, it has semicolons, and so on.

Interviewer

So it's pretty easy to read even if you don't. If you know some similar languages, you can look at it and you can get a rough idea.

Alice Real

Yeah, I think you'll figure it out. It's not that. It's not that foreign Rust has a

Interviewer

learning curve on the side of the more difficult languages to learn. What do you see devs typically struggle with who are new to Rust and what are the things that just makes it click for them.

Alice Real

I think the most tricky thing people run into is how should you put together your data structures? I mean, for your code you can mostly do the same things as you can in other languages. I mean, that's not entirely true, but the big thing is really the data structures. So if you have, I don't know what would be a good example? Let's say some sort. Okay, let's just say you have an object for a book and it has an array of pages, and then you have an object for each page. If I was writing Typescript, I would probably have a book field in the page that references the book, and then the book, of course, also references the page. Right. So it's cyclic. So the book goes to the page, goes back to the Book. And in Rust, you usually have to design your objects so that they're not cyclic. It has to be a tree or a deck, if you know what that means.

Interviewer

Yeah, the direct async graph.

Alice Real

So if you go out and actually start to use reference counting, it becomes possible to have cyclic objects with some caveats, like you mentioned. But what people end up doing when they're learning the language is that they try to make cyclic objects without anything like that, and then it just doesn't work. And they're going to run into all sorts of problems in their code while they're constructing. They're maybe creating their thing, and then they get a compiler error, and then they try to change the code and they get a compiler error again. But the thing that a lot of people struggle with is that they keep trying to change the code when the solution is to change the struct.

Interviewer

I can see how that's frustrating. Rust has another model that might be new for, especially for people coming from language types, is Rust's ownership model. What is the ownership model?

Alice Real

The ownership is just the idea that if you have a variable containing some object, then the object is only there. It's kind of exclusive. So, for example, if you have a variable, let A equals your string or whatever, and then you do let B equal to A, then this is a move. And so this means that using A afterwards is now a compiler error because its contents have been moved away. And of course, this is important when we don't have a garbage collector, because then when B goes out of scope, it has to clean up the string. Now, if A was also valid, but then when they both went out of scope, it would clean up the string twice, which is not legal in most other languages. The garbage collector takes care of this. A and B just go out of scope, do nothing, and then later it cleans up the string. But here we actually have to do it when we go out of scope. And the ownership model allows you to move from A to B, and then A becomes inactive or unusable and does not get cleaned up because it doesn't have a value to clean up anymore.

Interviewer

And how does reference counting relate to all of this?

Alice Real

In Rust, we have a bunch of different types which are essentially different kind of pointers. And one of the pointers is called arc and it's reference counters. And so the idea is you have some object somewhere and then you have an arc to the object. And what you can do is you can call clone on the arc, and this increments a counter. And now you have two arcs to the same underlying memory. So the object might be really big, but you have two arcs that share the same memory. And when they go out of scope, the counter is just decremented. And when the counter reaches zero, the object is cleaned up. So this is a way of saying this object actually needs to be in multiple places. There's no one place that owns it. And so this way you can use a counter to know how many owners are there. And then when the last owner goes away, it gets cleaned up.

Interviewer

And then Rust also has another thing that was new to me, the borrow checker.

Alice Real

So another pointer type we have in Rust is called the reference. And a reference is basically all it is, is that it, it's a pointer to the object and that's it. So we do no checking at runtime. So of course this means at compile time we have to make sure that the last use of the reference has to be before the object goes out of scope. And creating a reference is called borrowing. The owner owns the value and now we have a borrow of the value. The reference and the borrow checkout checks that the reference is like the last use of the reference is before the object goes out of scope. So if you have, say, let's say you have an immutable reference you're reading, then if you change the object, let's say it's a vector. So I have an immutable reference, I'm reading element 5 and then I change the vector I call clear. Then the borrow checker also ensures that you can't use the reference to object 5 afterwards.

Interviewer

Yes, because now it has been. As soon as you change it, it went out of scope, it's now cleared, right?

Alice Real

Yeah. The way it works is that if there are mutable borrows, it ensures that the mutable borrow ends or starts before or after the previous borrows have ended, basically so they don't overlap. So you can only have one writer at the time, or you can have any number of readers. It checks that on the scope, like in a function.

Interviewer

This concept is new to me. As someone who's not used Rust Rusher. It's very interesting. One thing I've read is on forums, people complaining about so called fighting the borrow checker. What can make it challenging when you

Alice Real

write some code that uses the object in a way that doesn't follow the rules I mentioned, that's a compiler error. And fighting the borrow checker is when you can't get out of those compiler errors, I guess. I think a lot of the time this has to do with the struct. One common mistake I see is that if you have a struct with a reference in it, Rust kind of assumes that it can check the scope of that reference by just looking at a single function. But if you have your struct and you're passing it over functions, it might not be possible to make that analysis. And so you just get a compiler error. And so in this case, the solution is maybe to use a different pointer type. For example, the reference counter pointer type often solves this kind of bug. So the solution is again to change the data structure.

Interviewer

Yeah, I'm starting to understand why you mentioned that data structures were a place of learning coming from other languages. Oftentimes the solution seems to be just think about your data structures, understand them, and do it in the Rust way. Right. We talked about memory safety, but there is a keyword in Rust called unsafe. What does this do? And in what cases do people typically use one? Does it make sense to use and why does it even exist? That's just a naive question from me.

Alice Real

So let me begin with the what, and let's take the why afterwards. So the what is so unsafe is the escape hatch, essentially. So I explained before how there are certain bugs where if your program has one of those bugs, that's usually a security vulnerability. What Rust ensures is that if you have no use of unsafe, then no matter how stupid your code is, you will never have one of those bugs. Now, if you do use unsafe, then there are still some guarantees, but it's a bit weaker because each unsafe operation that you can perform has a list of rules. And if you violate these rules, then you might end up with one of these bad bugs. But of course, if you don't, then it's okay. And it's interesting to point out here that unsafe does not disable the borrow checker or anything like that. It just gives you a few more operations you can perform that are not safe in general. And so you have to check yourself. Yeah, this is actually okay in this particular case to. I mean, let's take the vector example again. Normally when you index 5, it will say, oh, let me check the length. So if the length is six. Is at least six.

Interviewer

Yeah, because it starts with zero, then it's okay.

Alice Real

Otherwise you get a crash. But maybe you're writing some super high performance code and you want to avoid this.

Interviewer

If you want to avoid this check or if you're in a loop every time. So unsafe will just avoid checks. Is it runtime or compile Time checks or both.

Alice Real

What I would say here is that vector has two different ways of getting a value. There's the normal bracket operator. We're all used for other languages which will do the check and crash your program if you get it wrong. But there's another function called get unchecked. And so if you do write weq getunchecked, then it will give you element 5 without checking the length. And this function like in the function signature it says unsafe fn, that's the function signature. And so you can only call this function from an unsafe block.

Interviewer

Got it?

Alice Real

And so all that the unsafe block lets you do is call functions marked unsafe.

Interviewer

And then in practice, for sensible use, cases of unsafe, is it usually to do with high performance code typically? Or have you seen like what. What cases have you seen which are like legitimate? This is a great use case for unsafe.

Alice Real

So usually it will never show up in say a backend server. You would have zero uses of unsafe there. Generally when unsafe is used, it's to add a new feature to the language. Let's say the language didn't have a vector. The language still has a function to allocate memory, a function to free memory, a function to read at this pointer address, then you could write struct vec. The pointer is here and this is a raw pointer. So it's unsafe to use. The length is this, the capacity is this. And then you can write your little API. Of course the fields are private, so you can't access them from outside the module. I mean, if I could do vec length equal 20, just access the field, that would be pretty bad. And so you can write your own vector API. And using field privacy and good API design, you can add a vector to the language if it doesn't already exist. And unsafe if encapsulated properly in this kind of API that doesn't permit you to mess it up, then you can have a safe vector that you can use from safe code. And no matter how stupid the thing you do with that vector is, it's not going to do something bad, it's just going to crash or whatever. Check the length properly. As long as you design your API right, you can add new language features by using unsafe. The other classic example would be to call into a C library. You can write a library that calls into C and you can even have a safe API. And then you can enforce that you only call the C API in the right way.

Interviewer

Can we talk about the Rust ecosystem, the broader ecosystem? And when it comes to this, the first Thing that people come across, including myself, is the Crate ecosystem. Rust as package manager. What is Crate and how does it compare to other package managers in like, places like NPM or PIP in Python?

Alice Real

So crate is just the Rust word for a package. So it's just a package of your code. So the way it works is that Rust has a tool called Cargo, and Cargo is kind of. It does a lot of stuff. It's actually pretty neat tool that's kind of all in one. So it will do. It's both what you use to run your code. You do Cargo run and it will compile your code. You have this thing called Cargo Tunnel where you specify your dependencies and other information about your crate. And when you do Cargo run, it will download the dependencies to something called a registry, which is basically just a directory with all the crates you've ever downloaded.

Interviewer

Yeah.

Alice Real

And you can also do Cargo test. It will run all your tests. Cargo doc, it will generate your doc Kaggle test, will also run your doc tests. There's even benchmarks and examples. So it does all the whole suite, so to say. So you don't need different tools to fetch dependencies and run your code and generate docs. I think the biggest difference from something like Pip would be that they're not installed to your machine. Right. With Pip, you either install things globally or you have these virtual environments. So with Cargo, it's all local. You just run Cargo Run and it's only local to this. The only thing that's shared is this registry, which is just to avoid downloading the same thing twice.

Interviewer

You told me a funny anecdote about Linus Tor Worlds and his reaction or what he told you about Rust and Cargo.

Alice Real

The first time I was at the Linux Plumbers conference at the very end. So Linux wasn't anywhere to be seen throughout the entire conference. But at the very end, at the social event, he showed up and I went over to say hi. I mentioned I worked on Rust and immediately he started telling me about how he didn't like Cargo. And so the reason for that is that Cargo downloads code from the Internet and runs it like any package manager.

Interviewer

Yep.

Alice Real

And he doesn't want any. Any code on his computer to do that other than his distributions package manager. He doesn't trust anybody else to do that.

Interviewer

In the node world, we're seeing more problems with vulnerabilities being injected into packages. Just a bad actor overtaking packages. You know, they put in whatever code might be from crypto, which is the, I guess the better part to security Vulnerabilities. Does Cargo have this problem as well? Just like any package manager that is on the Internet?

Alice Real

I mean, in principle, yeah. I mean, ultimately, if you somehow got a hold of, you know, my keys to upload new Tokyo versions, you could upload them and there's just one. I don't think we've had much problems with it compared to something like npm, but I don't really know if we. I mean, it's a hard problem, right?

Interviewer

It's a hard problem because if somebody

Alice Real

can impersonate the maintainer of a library, then I mean, I think they do do stuff like delete, go scratting malicious crates and stuff like that.

Interviewer

Yeah. Where do you see the Rust ecosystem being the most mature and the least mature right now?

Alice Real

My opinion is that the least mature area is front end. There have been some attempts to compile Rust to webassembly and then run it on the web as a front end as a replacement for Typescript. But if I was writing a web server, I would totally use Rust for the backend and TypeScript for the front end. I would not really go the webassembly route. On the other hand, for backend, I actually think it's a pretty great fit. And there's also stuff like command line tools. I think it's really, really great fit for that. And then of course we have, we are expanding into Linux and we are also expanding into a lot of embedded projects. And there are even projects that are like C code bases that are starting to say, hey, it went into Linux, maybe we should start using it too. Maybe we should have a memory sig language too. I know that Git is talking about it, I know that CPython is talking about it. There are probably others. Qemu maybe.

Interviewer

Can we talk about how the language is built? Who builds Rust, what the process for doing it? How does it compare to a project like Linux? I know it's not a language, but it's still a large open source project.

Alice Real

I mean, it's really an open source project. I mean, you may know that it originally originates from Mozilla, but it's not a Mozilla project anymore at all. So today there's the Rust project, which has a bunch of different teams. There's the language team which deals with the language. There's the library API team which decides on the API of the standard library. And these teams kind of govern it. So it's the people who are on these teams that run the language.

Interviewer

And one interesting difference, compared to some other popular languages Like Python or projects like Linux is, they have a benevolent dictator for life and Rust does not. How is this working and how are decisions made, especially when they're contagious or it could help for just someone to just make a decision.

Alice Real

Honestly, if the team doesn't sign off on it, it doesn't happen. I mean if something is really contentious or really big, it will probably end up being discussed at a conference, for example. So there's a conference called Rust Week where they have an event called the Rust All Hands where they're basically taking all of the Rust developers and putting them in one place. So if there was a problem like that, they would probably discuss it there.

Interviewer

And how are these teams structured? So like you said, there's a compiler, language library and dev tools at the very least. How do they define the boundaries? Is it just a team kind of roughly defining them and then you just kind of agree? Because as I'm thinking at a corporate level, like as a company would run, there's typically teams are found that often top down leadership does a mandate, this will be this team, that team, there's bottoms up happening, but oftentimes it's top down just because it's easier. But here, as I understand, there is no top down. It's. It's people self organizing.

Alice Real

Yeah, really when it comes to the design of the language, the teams are really, that's really it. Teams have been pretty good as far as I've seen at delegating. So I've seen them sometimes say we think this is a Libs API decision and we will go with whatever Libs API decides.

Interviewer

One thing that is interesting to talk about is the RFC process. So there's requests for process, rfc, request

Alice Real

for comment is the way the Rust project makes big decisions but you know, big ones is important to say. Basically the way it works is let's say you have a language feature that's kind of big. For example, I had one called Derive Smart Pointer which basically makes some types in the standard library less special. So I mean sometimes people begin implementation already, but the idea is that you write the RFC first.

Interviewer

By the way, that's no different inside of like at Uber we had RFC process and the same thing usually you followed, but sometimes you kind of start to build it and then just the

Alice Real

idea is you write the RFC first.

Interviewer

Yeah, I know, it's just funny how it happens everywhere where there's engineers. I think it's an ish to build,

Alice Real

you write this doc and it has a template and I think it's actually A pretty good template. The idea is the first section is, I think, motivation. Well, the first one is summary, but the first important one is motivation. So we explain why this feature. And then I think they have two really interesting sections. They have the guide level explanation and the reference level explanation. And what this is is that in the guide level explanation, you explain your feature as if you were writing a guide as if the feature already existed. And in the reference level explanation, you explain your feature again as if it already existed, but as if it would be in the language reference instead of a tutorial.

Interviewer

This is really interesting. You know, Amazon does just relate to this. When they ask people to build a feature, they have a press release like, imagine if you announced this. I just love how, like both this and what you're saying, it forces you to just think of them from a very different perspective. Right from how people will use this feature. And then other sections, there's, I think you mentioned rationale, alternatives, prior art, future possibilities.

Alice Real

Yeah, so you get to explain. So rational and alternatives, I think, is a pretty important section because you get to answer all of the questions before they get asked. And you get to explain why did you pick this design and some other design. And I think that's usually a pretty big part of an rfc. And then of course, it's good to look at what did C do and what can we do in the future as well.

Interviewer

And once you have the rfc, you send it out, what happens then?

Alice Real

Well, somehow people get people to look at it. There is an RFC's repository and you can open a pull request there with your markdown document with RFC and people can discuss it. You might also write up your doc somewhere else. Then we call it a pre RFC if it's not in the RFC directory. But it's kind of the same thing. Let's say that the language team, it's a language team ifc, and they're happy with it. So I said the RFC was how the language makes big decisions, but then they actually use a process that comes up for all decisions, essentially called the final comment period. And so the idea is they tell the bot to please start the approval process, and then it will create a comment on GitHub with a checkbox for every team member. And then team members check their own checkbox. And once everybody from the team, except for at most two, have checked their checkbox, then the final comment period will begin, which is two weeks.

Interviewer

Oh, so when it's only two checkboxes left, then two weeks start. What's the rationale for this, this is very interesting. It's a historic fact.

Alice Real

More like, I mean, you know, let's say that everybody checks that bug immediately and then the two other people didn't get a chance to look yet. So it's to make sure that everybody has a chance to see it.

Interviewer

Yes, I understand. And also to keep things moving at a sensible pace.

Alice Real

So there's another part of the process which is concerns. Team members can file a concern which basically pauses the process until it's resolved and then once the two weeks pass, it's accepted. So that's essentially how the team makes decision. And this is not just IFCs. If you have, I don't know, a pull request, changing something in the reference, then the language team might say, oh, we need to make sure that everybody is on board with this change. They'll tell the bot to start an FCP on this random PR or some random issue or wherever it might be. The same process applies.

Interviewer

And then once let's say it says language feature, okay, the RFC is accepted, we know what we're going to build, then the feature is just built. You start to open your pull requests and get into the language pretty much.

Alice Real

But you put the feature behind a feature flag. In Rust we have this thing called nightly features, which basically means that you can't use it normally, but if you use the nightly build of the compiler, you can. Once you have your feature, I mean, you might begin, but once you have your accepted rfc, you start submitting pull requests, you implement your feature, it gets merged and people start using it experimentally.

Interviewer

On a nightly build.

Alice Real

Yeah, and then at some point you might say, okay, I think this feature is ready. And this is kind of a recent invention, but we have come up with this idea of a stabilization report in the pull request that removes the feature flag. We write up a little report saying, for example, how it's been used and explaining like, oh, here are the Dangerous edge cases, here are the tests for each of the dangerous Edge. So that kind of stuff. And then they use the FCP process again to agree to stabilize it and then it's merged. And so now you have a feature without a feature flag in the main branch.

Interviewer

Yes.

Alice Real

Between zero days and six weeks from that, there will be a beta release of the compiler. And it will be.

Interviewer

And it will be in it.

Alice Real

Yeah, it will be in it. And then six weeks later the beta release becomes the next stable release.

Interviewer

Okay, so like Rust has a strict six week release cycle, unlike with Linux. Well, Linux also has a rough female, but here you just take the stable batch, you're not doing any special.

Alice Real

Yeah, and so we don't really have a concept of beta features that are only available on beta.

Interviewer

You have the nightly, pretty much nightly, or people can get onto the latest branch which is not yet cut.

Alice Real

Yeah, the main purpose of beta is to test like you get six weeks to test the stable release. So hopefully if there's any problems we can fix them before it goes out into a stable release.

Interviewer

And you mentioned that RFCs are only for large decisions that need to be made, and you haven't written that many either just because they're large. What about smaller decisions that you also want to get consensus on?

Alice Real

So here there are a few different ways to do it. So let's say you want to add a new function in the standard library or a new type. Then the library team actually has this thing called an acp, an API change proposal, which is basically just an issue on GitHub. So you open your issue, you describe your API, describe what the interface is and explain why you should have it. And it's much smaller than an IFC would be. And then the library team can say, this is okay with us. And then you can implement it unstable or nightly, and then later you can then stabilize it. And similarly, the compiler team has it's kind of major change proposals.

Interviewer

You need to say how it's called mcps. Oh, that's going to confuse a lot of people outside of we're not inside of Rust. Yeah, it is what it is.

Alice Real

Which are for the smaller features, even though it's called major. Right. It's big enough that they need you to put up an issue, but not big enough to need an rfc. And for the compiler team, the classic example would be a new compiler flag.

Interviewer

Now, Rust has new builds every six weeks, right. But it also has additions. There's one in 2015, 2018, 2021, 20. What are additions?

Alice Real

So the thing about additions that is different from versions is that if you're using version 1.90 of the compiler, everything is using that version, but different crates can use different editions. And so I might have a crate using the 2025 edition of the language, and I can keep using that forever because Rust has a really, really high backwards compatibility guarantee. So you write all of your code and the guarantee is that it's going to keep working forever. That's the idea. Anyway, Additions are basically the way that Rust makes breaking changes without breaking people, because they might change the syntax of the language. For example, Async Await was added, or an Additional and so code using the old edition can't use async await there you could have a variable called async if you want, let async equal 5. And then in the new edition you can't, but you can still mix and match code written in different editions, so they work together.

Interviewer

Oh, interesting.

Alice Real

So I might have a library written in the 2021 edition and you can write your library in 2024 edition or your binary project, and then you can still use my library.

Interviewer

Why do you think Rust decided on additions? Which feels a bit more confusing to me as a developer, as opposed to versions, like when I look at java's versions or PHP's versions, or even Ruby on Rails versions, you know, there's always a. There's a major number. And I might be wrong, but it sounds to me that an addition is almost an equivalent of a major version at other languages. Is that putting it correctly or am I missing some details here?

Alice Real

Really the big idea is to say we want the old code to continue working, but we still want to change the language. And so the difference from other kinds of versions of languages, I mean Python 2 version, Python 3 comes to mind, is that you can totally mix and match in any way you want.

Interviewer

You are a Language Team advisor, or you recently became one. What is Language Team Advisor and what do you do as part of this role?

Alice Real

We have of course, the Language Team, which, you know, they have meetings every week and they do a lot of stuff and so on and so forth. The Language Team Advisor role is a way to be part of the language team liked in some sense. So you're someone that they've said, okay, we trust this person's opinion. But you don't necessarily go to every single meeting. Like there's no checkbox for you on an FTP, so you can still file a concern. So yeah, it's really a way to participate in or help the language team without full membership. And full membership might entail a lot of things, right? For example, for me it would entail going to meetings every Wednesday evening instead of like when I would normally have dinner.

Interviewer

From your observation, what is the corporate influence like on. On Rust in the sense that when I talk with, with Greg Kh, he was telling me that in practice about 80% of the frequent Linux contributors are typically employed by a company which sees value in adding their, their features or maintaining their features in Linux, which, which turns out to be like a nice kind of, I guess, symbiosis in some ways. For Rust, the people working on it are they usually paid by their employers like you are. I'm sure there's people who are just every now and then contributing with people who are spending more time on this. Do you see a pattern of corporations actually supporting this or is there a foundation that also supports people to work on this full time or close to full time?

Alice Real

I would say here that the Linux kernel is truly unique in this particular aspect in that they have thousands of contributors doing it on work time. I actually think that the Rust project is doing pretty well at having people do it and get paid for it, like by their employer. But it's nowhere near to the same extent as the Linux kernel. The Rust project also has a few other interesting things. So the Rust foundation have some grants that allow. I mean, for example, if you're a student and you want to work on something, you might be able to get a grant, some money from the Rust Foundation. I think that's a super cool thing

Interviewer

that the foundation is doing, especially I think, getting people involved, students involved, or the people who would find it harder or more daunting to get involved in a project like this. Speaking of which, for a software engineer who would be interested to contribute to the Rust ecosystem, what would your suggestion be in terms of both resources or ways to get started?

Alice Real

I mean, obviously you can go to the issue tracker and look for issues that interest you. I think that often it's. I mean, the best way to contribute something is if you have something you want to change about it. I think that's often a pretty good starting point. So if you wanted to contribute to the Rust language itself, Rust does a lot of its stuff on something called sulip, which is a chat server where people talk and you could go there and talk to people. So the Rust for Linux project has a pretty nice contributing page. So rustforlinux.com and there's a contributing page there with. For one, there are a few different drivers you might be able to contribute to and they have links to the issue tracker there. Another thing that's really cool is you can contribute to the Linux kernel without contributing to the Linux kernel, right? Because you might take a Rust language feature we need and implement it. And now you've contributed to the Linux kernel indirectly. Or maybe you want to work on the Rust in GCC project and help move that forward. And so I think there are a lot of different projects other than the Linux kernel that would help Rust in the Linux kernel a lot to contribute there. Can we talk a little bit about

Interviewer

Rust in the Linux kernel on how that has Evolved how you got involved in writing Rust in the Linux kernel and have you seen the approach of especially Linux kernel devs change or soften towards Rust? Because I know it was a very heated topic earlier on, Linux has this

Alice Real

conference called Linux Plumbers, which as part of my work on Rust for the Linux kernel I've been going through for the past few years and one thing I think has been really obvious is every time I've gone you can say things have totally changed. Since last year I've experienced this like four times in a row.

Interviewer

That's kind of pretty cool.

Alice Real

Yeah, I think there's really a lot of stuff that's happening. I mean, one year I might go and people think, oh, that's some nice little thing you have there. Right. And then the next year, now they have Rust code in their subsystem. It kind of keeps going. The most recent Linux plumbers from December 2025 was there. The big news were that at the Linux Kernel Maintainer Summit we agreed that Rust is no longer experimental in the kernel. That was really big for us compared to the previous year.

Interviewer

Yeah. So now that means that it's official. Like Rust has the same status as C, which is the language that the kernel is written in, right?

Alice Real

I guess. Wow.

Interviewer

Not necessarily the same status, but not being experimental, it clearly marks that it's more stable. Experimental sounds like it's not as stable.

Alice Real

Basically we've proved this is gonna work.

Interviewer

I mean, based on what you've laid out, just with memory safety and of course being able to use unsafe when you need to, that already like shows a lot of, I guess, promise. Plus there's some regulation as well. Right? There's, I think the U.S. department of Defense passed some regulations saying that they will not allow their agencies to use non memory safe languages for the concern of security vulnerabilities. And this would practically mean that Rust and other memory safe languages could be used. But C, C or maybe one day systems that are built in this one might see larger scrutiny.

Alice Real

Yeah, there have been different stuff like that from multiple different governments. Right. These governments are saying you guys are using C or C in this project and it's causing an unacceptable amount of memory safety vulnerabilities that simply don't happen if you just don't.

Interviewer

So what if you didn't do that in this conversation? We managed to go for a very long time without even mentioning AI once, which given where the world right now is and how these tools are spreading, that's pretty impressive. I was interested. Do you use any of The AI tools for your day to day work building Tokyo, contributing to Rust projects, have you found a need for them at all?

Alice Real

So I have been trying to use them. Honestly, I'm still learning how to use these tools, but I have used them. I quite like the Gemini command line interface. I think it's pretty neat.

Interviewer

These tools are pretty proficient at outputting code or, you know, giving a prompt and putting out code. But in your day to day work, how, how much code do you actually type as opposed to reviewing code, thinking about what to do, making a plan. Because it sounds like as we're talking about the rfc, for example, the RFC process, my sense was most of that was thinking about what to build, getting a consensus, making sure it's right. And it almost sounded like the actual code itself would be the, I don't know, lesser. Of course, you know, there's a lot of work involved, but you see what I mean. The actual time spent will probably be less than everything else around it.

Alice Real

I think it's still an important part of the process. I mean, a lot of people talk about that when you use AI, it's really important to write tests and that kind of thing because then the AI is actually able to tell if it did it right. I explained this story from before about how I was refactoring something, I just did what the compiler told me. I think the same kind of principle applies with agents in that they can talk to the compiler, it will tell them what to fix.

Interviewer

So I guess this could be a case, we'll see. But Rust could be a pretty promising candidate for, to use for agents because they can get more feedback and it's just hard, it's harder to ship certain type of bugs or maybe impossible to have certain type of bugs.

Alice Real

Yeah, I think there is an aspect

Interviewer

of that for places like the Linux kernel where I mean, correctness is extremely important. Reliability is very important. There's already multiple layers of human review which is in place. Do you see potential for AI generated code to prove helpful somewhere like actually truly helpful? Again, assuming that these things can generate as per specification or as per what you need. Or could this be a place where it might be one of the places where we might not need that much because it already feels a kernel to me, it feels like a place where there's a lot of people coming in, contributing and there's a reason that change can propagate slower.

Alice Real

When I was at the Linux Kernel Maintainer Summit, one of the topics that came up was using AI for code review. And there were some People there who had, for example, set up bots that would say when you send an email to the mailing list, it would feed it into an AI agent which would leave a review, that kind of stuff. And for example, Linus and others were talking about how these reviews were actually really impressive for kernel code, at least what's being discussed in the kernel community. That kind of use case seems like something people are excited about.

Interviewer

And it sounds like this would not be a replacement, obviously, but just one more way to get feedback, maybe doing it quicker and just an additional safety net, if you will. Right.

Alice Real

I mean, that's the thing with memory safety, right? You make some sort of trivial mistake. It's not some complex thing, it's just you make some trivial mistake and there's a bajillion places you could make it. So even if you're a really good programmer and only make it 0.1% of the time or whatever, it's still going to happen, right? And so if the AI can catch a lot of those, then, you know, that's pretty good.

Interviewer

Well, I guess some creative use cases could be, for example, their tests are a big thing, but AI might be able to help figure out if there's edge cases missing again, if the language itself does not support it. But there could be, what I understand, and there could be a lot of potential to add more safety nets that do not exist today.

Alice Real

I think that's right.

Interviewer

I like this approach. So this is one of the first conversations I'm having where we're talking about AI, where we're talking about how to increase quality with AI, because again, in startups or whoever is building, there's a lot of talk about how it can make it faster, faster iteration. And there's usually a quality trade off that we usually do not talk about. But I love that we're actually talking about the things that can increase quality, or at least keep it at the same level.

Alice Real

I mean, I have actually written a few patches with AI myself. It worked okay. I mean, it definitely required my review before sending it out to the list. It really did sometimes. But you know, another place I remember using it was I had this commit that made Binder faster in some way. And one of the review comments I had received was, hey, can you run a benchmark? I said, oh my God, now I have to write a benchmark. But then I got the AI to benchmark it for me and what it did was it actually went and found an existing benchmark and modified it a little bit in a quite clever way. And then it ran it for me and then it wrote a Python script to analyzed the text file with the numbers and presented it in a nice table.

Interviewer

So it sounds like this was toil work that you could have done, but you might have not done as good of a work because you might have not found that utility. You might not figure it out to do that.

Alice Real

I mean, at least in that instance, it saved me time.

Interviewer

If nothing else, for a senior engineer who would like to learn Rust or just build with it, what would your suggestion to be? To get started, of course. For example, AI might be one of the things which makes it a lot easier just to get started. But if you would like to learn, what do you recommend for people who actually want to become professional at the language?

Alice Real

So for one, I would say that the Rust book, which is so it's on the official Rust website, it's actually really good, right? You don't have to. It's freely available online. Rust has this idea of calling tutorials for books for some, even though they're online, which is kind of funny. But anyways, I think the Rust book is really good. Other than that, I think honestly the way you learn a language is you have a project, you implement some sort of project with it. I mean, maybe some sort of web server or something.

Interviewer

And one more thing on AI, so it's easy to get started with languages these days because you can just prompt the AI to write this or that. In the case of Rust, do you think that could create a false sense of understanding? Especially we talked about the importance of understanding structures, of understanding compiler issues, which are there for a reason. Tools could just generate through this and create code that runs.

Alice Real

Yeah, it's totally a danger. I recently tried using it for something where I guess I was not writing Rust code, I was writing make files. I wanted to add some support in the Linux kernel build system for some feature, and it went into the makefile and added the Rust flags necessary to do it. But then I looked at the code and it had added the necessary build flags. But to the csize it was passing a few more flags which were not required per se, but they were there for a reason and it had just ignored them. Any human looking at this would be like, why did you add Rust versions of all the flags?

Interviewer

What is your favorite Rust feature, if there is one?

Alice Real

I'm currently working on a new feature which I think is really exciting. It's something that we ran into in the Linux kernel where we needed in place initialization, the ability to construct values while knowing where they're being constructed so they don't get moved afterwards. I'm pretty excited about our work to put that into the language, but it's very much ongoing. I think that's pretty cool stuff.

Interviewer

And as closing, what are books you would recommend that you've enjoyed and why

Alice Real

I already mentioned the official Rust book. I also think that so Jon Gangstadt has another book that I think is really good, and this book is kind of aimed at the intermediate Rust developer, the Rust developer who has gotten some Rust experience but wants to go further. I think that's also a pretty good book for that audience. Some other resources which are not books but which I think are also really good is there's this thing called Rustlings and the idea is that they give you some unfinished Rust code and your task is to finish it.

Interviewer

Oh nice.

Alice Real

And I think that's a pretty cool way to learn the language as well.

Interviewer

Awesome. Alice, thank you so much for this. This was really interesting and I've learned a bunch.

Alice Real

Thank you for having me on.

Host

I hope you enjoyed getting into the details about Rust as much as I did. One thing I appreciated talking about is how deliberately rustic process seems to have been designed around the question what mistakes do programmers actually keep making and how do we eliminate those mistakes? A few examples include memory safety, not having a null and the errors being values that you cannot ignore. The documentation example is also an interesting one. Documentation tests or doc tests are automatically run as tests. If your example breaks, then your build breaks. This is the first time I've heard this clever idea implemented in a way that's easy to use and language. Finally, the question on why Rust is becoming so popular might be because it's in a category that did not exist before. A language that's reliable and also performant at the same time. This makes it usable for high performance computing cases like kernel work, while also being a good alternative for higher level backend languages. Do check out the show notes for related the Pragmatic Engineer deep dives that go even deeper into backend topics and stories of building languages like Kotlin and Swift. If you've enjoyed this podcast, please do subscribe on your favorite podcast platform and on YouTube. A special thank you if you also leave a rating on the show. Thanks and see you in the next one.