wapm-cli VS cargo-geiger

To actually compile this we can use a tool called WABT (WebAssembly Binary Toolkit). It's basically a mess that requires CMake and I couldn't get it to run on WSL and I wasn't going to install MinGW. Instead there's a nice tool called WAPM from Wasmer which works like npm for webassembly packages and since it's been compiled down to webassembly we can run it in any environment. In fact we don't even need to add configuration so long as wapm is installed. We can run wax wat2wasm -- wat/mat.wat -o wasm/mat.wasm. wax is like npx for npm. If you're wondering the command we give wax is defined by the wasmer/wabt package: https://wapm.io/wasmer/wabt. Also for some reason you can't prefix local paths with ./ so wax wat2wasm -- ./wat/mat.wat doesn't work which tool me a while to figure out. Anyway this provides a nice simple compile environment if you want to work on raw WAT files.

That's the main reason we should start using WebAssembly for distributing and using packages.

Shamless plug: Wasmer [1] and WAPM [2] could help a lot on this quest!

[1]: https://wasmer.io/

[2]: https://wapm.io/

There's WAPM

If it's buildable for the WebAssembly WASI target, consider also distributing it through WAPM.

I don't know if many people have heard of it, but there's actually a WebAssembly Package Manager. It's similar to crates.io, except you upload WebAssembly binaries written in any language instead of Rust source code!

You can see this paying off with wapm, which lets you download applications that would have normally required compilation for your environment and run them anywhere with a supported runtime, which is imo pretty neat.

One step closer to the day when I can put actix-web creations up on WAPM so "Just type wax my-cool-thing to try it out" can be one of the distribution options.

I've added limited support to run wapm.io directly from the Terminal. Examples of commands that work well are wapm cowsay {Text} and wapm uuid.

Instead of looking at the crates themselves, you might want to check your (or others') Rust application with https://github.com/rust-secure-code/cargo-geiger to get a sense of effective prevalence. I also dispute that the presence of unsafe somewhere in the dependency tree is an issue in itself, but that's a different discussion that many more had in other sub-threads.

There's still plenty. Run cargo geiger on any of your projects and see for yourself.

On point 2, the answer is cargo geiger, and judging how much memory safety you need for a given project.

You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.

The amount of unsafe code is also a factor. cargo geiger is a handy tool for measuring it.

We have cargo-geiger that does just that.

For that, I believe you need to use cargo-geiger[0] and audit the results.

[0] - https://github.com/rust-secure-code/cargo-geiger

cargo-geiger is a subcommand you can install which will check all the crates in your dependency graph for unsafe blocks and print out a report (which also shows if a crate has #![forbid(unsafe_code)] or not). You can then inspect those crates' sources to judge their use of unsafe for yourself. I don't think it has a "check" mode that simply errors if your dependency graph contains unsafe though, it's more about just collecting that information.

wrt to memory safety, keep in mind that many rust crates use "unsafe" internally. There are tools available that can find these such as cargo-geiger. So I would suggest to avoid unsafe deps as much as possible. Since they cannot be avoided entirely, it is a good idea to keep a list of unsafe deps.