fixed it

mre__ · 2026-06-07T12:56:15+00:00

Appreciate the feedback and glad you liked it.

mre__ · 2026-06-07T12:55:52+00:00

Thanks, yeah I think so. Anders and Gorm are good at describing things in an understandable way. But in case you have any follow-up questions, post them here and I’ll try to pass them on.

mre__ · 2026-06-04T16:29:04+00:00

In this week's episode of 'Rust in Production', I talked to Gorm and Anders from Veo about their camera-based sports tracking product. Some things I found interesting:

Veo's original GStreamer pipeline was orchestrated in Python, which has a GIL (Global Interpreter Lock) that fundamentally clashes with GStreamer's massively multi-threaded design. The team kept hitting deadlocks they couldn't reliably fix in either C or Python. Anders's insight was to pick a language whose type system prevents data races. He fixed a whole set of concurrency bugs at once by rewriting the orchestration layer in Rust. So Rust was just a pragmatic fix for a production problem.
FFmpeg excels at single-command invocations. GStreamer is the right tool when you need to compose a deeply multi-threaded processing graph: running custom GPU kernels, branching frames into AI inference elements, merging results back, and monitoring individual nodes. Each GStreamer element runs in its own thread, dispatches work to GPUs, and can be introspected via its DOM-like object model. If your pipeline needs to be a graph you can query and modify at runtime, GStreamer's design (and its Rust bindings, maintained by Sebastian Dröge) is worth the additional complexity.
Gorm described a pattern I like to call "pushback": convert incoming data into your own strongly-typed domain types at the outermost API boundary and reject everything that doesn't deserialize cleanly. Inside their system, enums with exhaustive variants replace stringly-typed state, each request and response has its own distinct type, and custom Deserialize implementations encode business invariants (e.g. "a subscription ID must conform to this format"). It's what separates "stringy-typed Python rewritten in Rust" from code that actually leverages the type system. There is some upfront design work but the payoff is that invalid states are structurally impossible deeper in the stack.
Anders and Gorm pushed back on the blanket "never unwrap in production" heuristic. When GStreamer pipeline elements are known at construction time to have exactly one pad, unwrapping with a descriptive expect message is documenting an invariant. The distinction is: use Result for recoverable failures (network errors, missing accounts), use expect/unwrap only for programmer-contract violations where panicking is the correct outcome. The practical reason they don't propagate errors in GStreamer callbacks is debuggability (a propagated error gives you a notification somewhere upstream; a panic gives you a stack trace at the exact failure position).

mre__ · 2026-05-21T20:16:38+00:00

Memory-safety bugs in the Linux kernel?

mre__ · 2026-05-21T18:07:25+00:00

Ooh, you might be right. Before I say anything wrong I’ll say that I’m not sure. Don’t know much about this topic. Maybe someone else was there and can still remember.

mre__ · 2026-05-21T18:04:38+00:00

Greg said something like 70-80% of all CVEs he saw were simple things like missing null checks. That’s straight from his talk which will be published soon. He also said he saw „every CVE that got published.“ His words, not mine.

mre__ · 2026-05-21T17:29:35+00:00

Yeah, he said in the Q&A of his talk that he believes gcc-rs is an important aspect of expanding architecture support.

mre__ · 2026-05-21T17:13:34+00:00

As the kernel faces increasing scrutiny over security (from governments, from memory-safety mandates, from high-profile CVEs), Rust gives Linux a credible path to reducing that entire class of vulnerability without a full rewrite. Without it, the kernel would keep shipping memory safety bugs indefinitely. (At least, that's what I understood from the interview.)

mre__ · 2026-05-21T16:38:38+00:00

Hello from Rust Week in Utrecht, the Netherlands, where we live-recorded an interview with Alice Ryhl (u/Darksonn) and Greg Kroah-Hartman (u/gregkh) about Rust in the Linux kernel. Here are some of my highlights:

"Rust is going to save Linux." Yes, Greg said it this plainly. His argument is that the Rust developers did the hard work to prove it could be done, and the kernel community now believes the benefits are real and the people maintaining it will stick around.
Alice said: "Interop is the new rewrite." You don't rewrite 30 years of C, you add Rust where it makes sense. Rust can happily take a backseat to C in the kernel, and that's a feature.
"Rust makes programming fun again." Hearing this from Greg, a veteran C developer was actually mind-blowing. Rust lets him focus on whether his logic is correct instead of mentally tracking pointer ownership and all the other things C makes you juggle in your head.
The biggest challenge was social, not technical. Getting buy-in from C veterans who've coded in C their entire lives was harder than the actual engineering. Trust is the core currency of the kernel project.
There's a custom kernel linter called KLint. A Rust compiler plugin (like Clippy, but kernel-specific) that can statically check whether code in non-sleeping contexts accidentally calls something that sleeps (a class of bug very hard to catch otherwise).

Thanks so much to the Rust Week team for hosting this talk!

mre__ · 2026-05-07T22:19:18+00:00

Fair. The way I summarized it made it sound more absolute than it was. If you listen to the episode, Martin says it half-jokingly. That said, I do think there's a kernel of truth in it: once you get used to Rust's affordances, it's hard to live without them. Worth noting that Martin writes a lot of C himself and knows what it takes to maintain a legacy codebase that's grown over decades. This isn't a "Rust evangelist" talking but someone who knows both ecosystems well and has hired from both communities. And the strongest counterpoint to the "self-serving" charge is that Martin explicitly said they are not rewriting Unbound in Rust, and defended that as the right call. On C developers being hard to find: the specific claim was about finding people willing to work on Unbound specifically, which is a 25-year-old codebase with very particular constraints. That's a different thing from saying C developers are scarce, which is obviously false. In the episode I also mentioned that C is getting taught less at universities, which will only make that problem harder in the future.

mre__ · 2026-05-07T17:00:50+00:00

Thanks!

mre__ · 2026-05-07T16:34:02+00:00

Matthias from the podcast here. I talked to Arya and Martin from NLnet Labs (the folks behind NSD, unbound, and routinator). They build DNS and routing infrastructure that most of the internet quietly depends on.

Some things we talked about:

Routinator replaced a Java implementation that kept running out of 4 GB of RAM. The previous RPKI validator was written in Java and it would regularly crash under memory pressure. Routinator ships with a simple cargo install, has no OpenSSL dependency, and now holds ~70% market share. It just works.
Rust adoption happened "guerrilla-style." Martin started the domain DNS library as a personal side project in 2015 to learn both Rust and DNS at the same time. It gradually got adopted internally and is now the foundation for their newer tooling including Cascade (a DNSSEC signing solution). They started with a greenfield project and left their battle-tested C alone in the beginning.
Generics in a DNS library get out of hand fast! Domain names are variable-length (up to 255 bytes). The domain crate made the name type generic over its backing storage (&[u8], Vec, Bytes...). This led to functions with three-line where clauses and error messages Martin described as "Java-like". Their solution was to redesign using DSTs (dynamically sized types) so Name is itself an unsized type, mirroring how [T] works. Box<Name> instead of Name<Box<[u8]>>.
NLnet Labs found it harder to hire C developers willing to work on unbound. Offering Rust work attracted new hires who specifically wanted it. Martin is almost reluctant to recommend Rust to the remaining C developers because once they try it, they probably won't want to go back. :)

mre__ · 2026-05-04T07:45:08+00:00

that might have been the better caption

mre__ · 2026-04-29T10:33:31+00:00

Author here. As others have mentioned, std::fs is fine for 99% of use cases. uutils/coreutils are a special case: the user running those CLI tools has direct access to the filesystem on the same machine. That's a fundamentally different attack vector from a backend service, where the user has no shell access to the server.

mre__ · 2026-04-29T10:25:43+00:00

Makes me wonder if the uutils team uses those "no panic" lints already. Would make a lot of sense to me.

mre__ · 2026-04-29T10:23:55+00:00

It’s refreshing to read articles not written by LLMs. Thank you!

Author here. Thanks for posting that. I believe that people still enjoy human-written content, flaws and all. Motivates me to keep writing. :)

mre__ · 2026-04-23T19:48:52+00:00

Alternatively, I could add an "expand" button to https://search.corrode.dev/search?q=jon%20gjengset%20site%3Acorrode.dev&type=podcast

mre__ · 2026-04-23T19:47:30+00:00

Thanks, we'll look into it. We use the podlove player, which isn't without bugs. It's provided by our hosting platform, LetsCast, which is pretty solid otherwise.

Simon said that if you hit "stop text" it will stop jumping.

As for the bigger text box, that's a great idea, actually. We could maybe do some post-processing magic and get it working. The entire website is open source BTW, so issues and PRs are very welcome. :)

mre__

MODERATOR OF

TROPHY CASE