Actix-web is dead (about unsafe Rust)

Update 2020-01-20: The official Actix web repository is back and the maintainer has stepped down. Actix will continue to be maintained.

Recently the maintainer of Actix webserver took down the GitHub repository and left the code in his personal repository, deleting lots of issues, enraging a lot of people. He left a post-mortem:

What happened? I did my own read of the postmortem, and from Reddit I also found this article which summarizes the situation pretty well:

To summarize it in a few words in case you don’t feel like reading those: the Rust community is heavily focused on a safe use of Rust where proper memory handling can be proven. In Rust, unless you use the “unsafe” keyword, the compiler guarantees the absence of memory errors in a provable way, so it is usually acceptable to use “unsafe” only for those small parts where the compiler is unable to prove the code correct. That remaining unsafe code should be small and easy to prove correct by hand.
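As an added illustration of that discipline (example code written for this post, not code from Actix or any other project), here is a small type whose single unsafe line is wrapped in a safe API: the precondition the unsafe block relies on is checked, and documented, right beside it, so callers of the safe API cannot trigger undefined behaviour. The ring buffer and its names are assumptions for the example.

```rust
/// Fixed-capacity ring of the most recent samples (e.g. request latencies).
/// Invariants: `buf.len() == cap > 0`, `head < cap`, `len <= cap`.
pub struct Ring {
    buf: Vec<u32>,
    head: usize, // slot the next push writes to
    len: usize,  // number of valid samples stored
}

impl Ring {
    pub fn with_capacity(cap: usize) -> Ring {
        assert!(cap > 0, "capacity must be non-zero");
        Ring { buf: vec![0; cap], head: 0, len: 0 }
    }

    pub fn push(&mut self, v: u32) {
        let cap = self.buf.len();
        self.buf[self.head] = v; // safe indexing: head < cap by invariant
        self.head = (self.head + 1) % cap; // head stays < cap
        if self.len < cap {
            self.len += 1;
        }
    }

    /// The `i`-th most recent sample (0 = newest), or None if there is no
    /// such sample. This is the only place in the type that uses `unsafe`.
    pub fn recent(&self, i: usize) -> Option<u32> {
        if i >= self.len {
            return None; // precondition for the unsafe block below
        }
        let cap = self.buf.len();
        // i < len <= cap and head < cap, so head + cap - 1 - i never
        // underflows, and reducing modulo cap keeps idx < cap.
        let idx = (self.head + cap - 1 - i) % cap;
        // SAFETY: idx < cap == buf.len(), and every slot of `buf` was
        // initialised in `with_capacity`. This block is the whole audit
        // surface; the invariant it needs is established three lines up.
        Some(unsafe { *self.buf.get_unchecked(idx) })
    }
}
```

In this particular case plain bounds-checked indexing would be just as correct; the point is the shape of the wrapper, which is what an auditor looks for when reviewing a crate's unsafe blocks.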

Third parties auditing most of the Rust libraries available on the internet found that Actix was abusing unsafe. When the unsafe code was audited, it was found that, on misuse, it could lead to serious vulnerabilities. So they opened a bunch of issues and submitted a lot of patches and PRs on GitHub.

The response from the maintainer was that he didn’t care: he accepted almost none of the patches and deleted the issues. The conversation heated up a lot, and finally he deleted the repository itself from the official organization and left it under his own username.

This is sad. Actix was known for its amazing speed on different benchmarks and was used by a lot of people. While it’s bad that the community sometimes is too harsh and some people lack a lot of politeness (which makes a maintainer’s life really hard), I’m going to be polemic here and say: it’s good that this happened and that Actix-web got deleted.

I have been using Actix-web, seduced by its speed, and I never thought I could be promoting a vulnerable webserver. I was assuming that because the library was coded in Rust, the author was taking care not to use unsafe where possible. But I was so wrong. Luckily I had other things to do and never released the article where I was going to promote Actix-web. Now I’ll have to redo the benchmarks before releasing anything.

The same happened to lots of other people, and with all those uses combined, Actix-web has increased the attack surface of a lot of deployments.

I would have argued in other cases that software which prioritizes speed over security is fine in certain scenarios, where the inputs or the environment are not exposed to the internet. But this is a webserver; its main job is to serve as a facade to the internet. And the project documentation never mentioned that the target was just to make the fastest webserver, even if that meant sacrificing security.

There’s no point in running Actix-web behind anything to reduce its potential problems: it is several times faster than raw Nginx or Apache serving static content, so adding anything in front will slow it down a lot. Also, there’s no reason to use it for internal networks: if it’s just serving HTTP to internal users, any web server will do, as internal networks have much less traffic. If it’s used to pipe commands between several machines, then HTTP is just a bad choice; use RPCs instead, like gRPC.

To be completely fair, let me state that Actix-web never had a real issue as far as I know. It’s just that its correctness cannot be proven. Is this a problem? For me, yes, because if I wanted otherwise I would go with C or C++ instead. There are lots of really good, really fast web servers written in raw C++. The point of using Rust in the first place is having memory guarantees, like using Java but without paying the performance penalties.

I understand that the maintainer just wanted to have fun with coding, and there’s nothing wrong with that. But when your product starts getting recommended by others you have to care. This can’t be avoided: with great power comes great responsibility.

This is the good thing about the Rust community. They’re fully committed to inspecting the sources of every single library out there and helping by reducing the amount of unsafe code, even patching it themselves.

It’s sad that the repository has been “deleted”, but this is good for Rust. Quality needs to be there, and they definitely need to prevent unsafe code from gaining ground. There’s no point in having Rust if most of the libraries you can practically use are memory unsafe.

To conclude: please be polite, everyone. It’s quite hard when you get a ton of people bashing you. But also, keep up the good work!

7 thoughts on “Actix-web is dead (about unsafe Rust)”

  1. > […] if I wanted otherwise I would go with C or C++ instead
    > There’s no point of having Rust if most libraries you can practically use are memory unsafe.
    I disagree with this point you’re making. Rust is not a good language just for its memory safety and for me it’s a much better choice than C or C++ even if all you wrote was unsafe functions. The expressiveness, the type system, the standard library, etc make it so much more pleasant to use than C/C++ that it’s already a big win on them before considering the security aspect.
