crev VS accesskit

In other cases it may be more documented, such as Golangs baked-in telemetry.

There should be better ways to check these problems. The best I have found so far is Crev https://github.com/crev-dev/crev/. It's most used implementation is Cargo-crev https://github.com/crev-dev/cargo-crev, but hopefully it will become more required to use these types of tools. Certainty and metrics about how many eyes have been on a particular script, and what expertise they have would be a huge win for software.

Looks like there's an implementation of it for npm: https://github.com/crev-dev/crev

I've been willing to try it for a while for Rust projects but never committed to spend the time. Any feedback?

If you don't know the author, signatures do nothing. Anybody can sign their package with some key. Even if you could check the author's identity, that still does very little for you, unless you know them personally.

It makes a lot more sense to use cryptography to verify that releases are not malicious directly. Tools like crev [1], vouch [2], and cargo-vet [3] allow you to trust your colleagues or specific people to review packages before you install them. That way you don't have to trust their authors or package repositories at all.

That seems like a much more viable path forward than expecting package repositories to audit packages or trying to assign trust onto random developers.

[1]: https://github.com/crev-dev/crev [2]: https://github.com/vouch-dev/vouch [3]: https://github.com/mozilla/cargo-vet

I don't think it makes much sense to verify pypi authors. I mean you could verify corporations and universities and that would get you far, but most of the packages you use are maintained by random people who signed up with a random email address.

I think it makes more sense to verify individual releases. There are tools in that space like crev [1], vouch [2], and cargo-vet [3] that facilitate this, allowing you to trust your colleagues or specific people rather than the package authors. This seems like a much more viable solution to scale trust.

[1]: https://github.com/crev-dev/crev

Crev?

Alternatives to cargo-vet that has been mentioned before here on HN:

- https://github.com/crev-dev/crev

- https://github.com/vouch-dev/vouch

Anyone know of any more alternatives or similar tools already available?

I plug this every time, but here goes: https://github.com/crev-dev/crev solves this by providing code reviews, scales via a web-of-trust model, and relies on cryptographic identities. That way, you can depend on a package without having to trust its maintainers and all future versions.

I understand your worries about the number of dependencies you're "forced" to use, however, most of them tend to be doing something that's both non-trivial and useful for more than a single project. As for being able to trust all your transitive dependencies, well, that's something that the Crev project is trying to address, although I don't believe that has gained much traction yet.

It's good that having a reproducible build process is a requirement for the Gold rating, as is signed releases.

Perhaps there needs to be a Platinum level which involves storing the hash of each release in a distributed append-only log, with multiple third parties vouching that they can build the binary from the published source.

Obviously I'm thinking of something like sigstore[0] which the Arch Linux package ecosystem is being experimentally integrated with.[1] Then there's Crev for distributed code review.[2]

[0] https://docs.sigstore.dev/

[1] https://github.com/kpcyrd/pacman-bintrans

[2] https://github.com/crev-dev/crev

If you were to implement this yourself, i'd look into either swash or cosmic-text for the text rendering stack (this is one of the things you really don't want to write from the ground up). For accessibility, AccessKit has quickly become the standard for communicating with crossplatform accessibility APIs in rust GUI. lightningcss (or its lower level counterpart cssparser) are both decent options for CSS parsing. Taffy handles some of what browsers offer for a layout engine, but is still being worked on.

> Fleet relies on the Java AWT/Swing framework to get a window from an operating system, but it doesn’t use the Java platform for managing its GUI components besides one JFrame and JPanel on top of it.

This is a terrible decision that is going to bite them in the long run. Doing things this way makes it far, far more difficult to implement accessibility, and regulations on this are only going to get stricter.

Implementing accessibility for a framework like that would involve three separate implementations for three separate platforms and the need to interface with D-Bus, COM and Objective C, from Java. I imagine that the latter two would be particularly difficult, considering how bad Java's FFI support is. It's not just calling methods either, you'd actually need to implement your own classes that conform to the relevant COM interfaces / Objective C protocols. There are libraries that can help with this[1], but I don't think they would work particularly well for something as complex as a code editor.

[1] https://github.com/AccessKit/accesskit

fltk-accesskit is an accesskit integration crate for fltk-rs, the gui crate. It's implemented as an external crate to allow for more experimentation before stabilizing the api, especially since fltk is at version 1.4.

Libraries for a lot of this stuff exist (albeit in many cases not very mature yet):

- https://github.com/pop-os/cosmic-text does text layout (which Taffy explicitly considers out of scope)

- https://github.com/AccessKit/accesskit does accessibility

- https://github.com/servo/rust-cssparser does value-agnostic CSS parsing (it will parse the general syntax but leaves value parsing up to the user, meaning you can easily add support for whatever properties you what). Libraries like https://github.com/parcel-bundler/lightningcss implement parsing for the standard css properties.

- There are crates like https://github.com/BurntSushi/bstr and https://docs.rs/wtf8/latest/wtf8/ for working with non-unicode text

We are planning to add a C API to Taffy, but tbh I feel like C is not very good for this kind of modularised approach. You really want to be able to expose complex APIs with enforced type safety and this isn't possible with C.

There are a number of up-and-coming Rust-based frameworks in this niche:

- https://github.com/iced-rs/iced (probably the most usable today)

- https://github.com/vizia/vizia

- https://github.com/marc2332/freya

- https://github.com/linebender/xilem (currently very incomplete but exciting because it's from a team with a strong track record)

What is also exciting to me is that the Rust GUI ecosystem is in many cases building itself up with modular libraries. So while we have umpteen competing frameworks they are to a large degree all building and collaborating on the same foundations. For example, we have:

- https://github.com/rust-windowing/winit (cross-platform window creation)

- https://github.com/gfx-rs/wgpu (abstraction on top of vulkan/metal/dx12)

- https://github.com/linebender/vello (a canvas like imperative drawing API on top of wgpu)

- https://github.com/DioxusLabs/taffy (UI layout algorithms)

- https://github.com/pop-os/cosmic-text (text rendering and editing)

- https://github.com/AccessKit/accesskit (cross-platform accessibility APIs)

In many cases there a see https://blessed.rs/crates#section-graphics-subsection-gui for a more complete list of frameworks and foundational libraries)

Using HarfBuzz makes sense. But if you're looking for a pure-Rust alternative, I hear cosmic-text (made by Pop!_OS) is good. There's also AccessKit for accessibility.

There are efforts to support a cross platform accessibility library:

https://github.com/AccessKit/accesskit

egui is an easy-to-use immediate mode GUI for Rust, and I just released 0.20. It's a big release!

There is now support for AccessKit (https://github.com/AccessKit/accesskit) which brings accessibility to egui (a first for an immediate mode GUI?).

There is also better table support, nicer keyboard shortcut handling, better looking text in light mode (still not great, but better).

See more in the changelog: https://github.com/emilk/egui/blob/master/CHANGELOG.md

Try it out at www.egui.rs