The coolest thing about Rust Nation UK 2024 confirmed all my worst fears about software supply chain security (and then xz made things worse)

Something super cool happened on stage in the closing keynote of Rust Nation UK 2024. Tokio 1.37 was released and published live. The audience cheered (watch the clip below for confirmation). I was very impressed.

I was also terrified. It confirmed that there’s no external scrutiny placed on Tokio releases.

Tokio isn’t just an open source side project that is made for fun. It sits at the centre of many of the world’s most important messaging systems.

It is the kind of software that is ideal for nation states to attack.

Just from looking at the logos of its corporate sponsors, we can see that it’s important to AWS, Microsoft Azure, Facebook, Discord and Dropbox.

Here’s a screenshot from the way that the tokio.rs homepage looks today:

[Screenshot: the tokio.rs homepage, showing the sponsor logos mentioned above]

Anyone who is able to introduce a security back door through the project’s internal processes will open up many of the most important technology platforms that the industry has produced.

This isn’t unique to Tokio, or to Rust. But the Rust community is especially vulnerable to supply chain security issues for (at least) 3 reasons:

  • Most projects are dependent on a very small number of crates
  • Those crates are maintained by a very small number of people
  • We trust that Rust has enough inherent safeguards
  • We expect that someone else would have checked the code

The current state is fragile at best. We (the West) face a very hostile security environment. I wholeheartedly support growing the number of contributors and increasing the accessibility of important open source projects, including Tokio. Let’s also increase their security posture.

5 notes

  1. nutrisoftnutrition said: What’s the solution?