wasmtime VS cargo-crev

Compare wasmtime vs cargo-crev and see what are their differences.

wasmtime

A fast and secure runtime for WebAssembly (by bytecodealliance)

cargo-crev

A cryptographically verifiable code review system for the cargo (Rust) package manager. (by crev-dev)
Our great sponsors
  • InfluxDB - Power Real-Time Data Analytics at Scale
  • WorkOS - The modern identity platform for B2B SaaS
  • SaaSHub - Software Alternatives and Reviews
wasmtime cargo-crev
171 55
14,224 2,000
2.7% 1.3%
10.0 7.9
6 days ago 16 days ago
Rust Rust
Apache License 2.0 Apache License 2.0
The number of mentions indicates the total number of mentions that we've tracked plus the number of user suggested alternatives.
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.

wasmtime

Posts with mentions or reviews of wasmtime. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-03-10.
  • Unlocking the Power of WebAssembly
    3 projects | dev.to | 10 Mar 2024
    WebAssembly is extremely portable. WebAssembly runs on: all major web browsers, V8 runtimes like Node.js, and independent Wasm runtimes like Wasmtime, Lucet, and Wasmer.
  • Howto: WASM runtimes in Docker / Colima
    5 projects | dev.to | 12 Jan 2024
    cpu: 4 disk: 60 memory: 12 arch: host hostname: colima autoActivate: true forwardAgent: false # I only tested this with 'docker', not 'containerd': runtime: docker kubernetes: enabled: false version: v1.24.3+k3s1 k3sArgs: [] network: address: true dns: [] dnsHosts: host.docker.internal: host.lima.internal # Added: # - containerd-snapshotter: true (meaning containerd will be used for pulling images) docker: features: buildkit: true containerd-snapshotter: true vmType: vz rosetta: true mountType: virtiofs mountInotify: false cpuType: host # This provisioning script installs build dependencies, WasmEdge and builds the WASM runtime shims for containerd. # NOTE: this takes a LOOONG time! provision: - mode: system script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 echo "Installing system updates:" apt-get update -y apt-get upgrade -y echo "Installing WasmEdge and runwasi build dependencies:" # NOTE: packages curl, git and python3 already installed: apt-get install -y make gcc build-essential pkgconf libtool libsystemd-dev libprotobuf-c-dev libcap-dev libseccomp-dev libyajl-dev libgcrypt20-dev go-md2man autoconf automake criu pkg-config libdbus-glib-1-dev libelf-dev libclang-dev libzstd-dev protobuf-compiler apt-get clean -y - mode: user script: | [ -f /etc/docker/daemon.json ] && echo "Already provisioned!" && exit 0 # # Setting vars for this script: # # Which WASM runtimes to install (wasmedge, wasmtime and wasmer are supported): WASM_RUNTIMES="wasmedge wasmtime wasmer" # # Location of the containerd config file: CONTAINERD_CONFIG="/etc/containerd/config.toml" # # Target location for the WASM runtimes and containerd shims ($TARGET/bin and $TARGET/lib): TARGET="/usr/local" # # Install rustup: # echo "Installing rustup for building runwasi:" curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- --default-toolchain none -y source "$HOME/.cargo/env" # # Install selected WASM runtimes and containerd shims: # [[ -z "${WASM_RUNTIMES// /}" ]] && echo "No WASM runtimes selected - exiting!" && exit 0 git clone https://github.com/containerd/runwasi echo "Installing WASM runtimes and building containerd shims: ${WASM_RUNTIMES}:" sudo mkdir -p /etc/containerd/ containerd config default | sudo tee $CONTAINERD_CONFIG >/dev/null for runtimeName in $WASM_RUNTIMES; do case $runtimeName in wasmedge) echo "Installing WasmEdge:" curl -sSfL https://raw.githubusercontent.com/WasmEdge/WasmEdge/master/utils/install.sh | sudo bash -s -- -p $TARGET echo echo "`wasmedge -v` installed!" ;; wasmtime) echo "Installing wasmtime:" curl -sSfL https://wasmtime.dev/install.sh | bash sudo cp .wasmtime/bin/* ${TARGET}/bin/ rm -rf .wasmtime echo "`wasmtime -V` installed!" ;; wasmer) echo "Installing wasmer:" curl -sSfL https://get.wasmer.io | sh sudo cp .wasmer/bin/* ${TARGET}/bin/ sudo cp .wasmer/lib/* ${TARGET}/lib/ rm -rf .wasmer echo "`wasmer -V` installed!" ;; *) echo "ERROR: WASM runtime $runtimeName is not supported!" exit 1 ;; esac cd runwasi echo "Building containerd-shim-${runtimeName}:" cargo build -p containerd-shim-${runtimeName} --release echo "Installing containerd-shim-${runtimeName}-v1:" sudo install ./target/release/containerd-shim-${runtimeName}-v1 ${TARGET}/bin sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-shim-${runtimeName}d-v1 sudo ln -sf ${TARGET}/bin/containerd-shim-${runtimeName}-v1 ${TARGET}/bin/containerd-${runtimeName}d echo "containerd-shim-${runtimeName} installed." cd .. echo "[plugins.\"io.containerd.grpc.v1.cri\".containerd.runtimes.${runtimeName}]" | sudo tee -a $CONTAINERD_CONFIG >/dev/null echo " runtime_type = \"io.containerd.${runtimeName}.v1\"" | sudo tee -a $CONTAINERD_CONFIG >/dev/null done echo "containerd WASM runtimes and shims installed." # # Restart the systemctl services to pick up the installed shims. # NOTE: We need to 'stop' docker because at this point the actual daemon.json config is not yet provisioned: # echo "Restarting/reloading docker/containerd services:" sudo systemctl daemon-reload sudo systemctl restart containerd sudo systemctl stop docker sshConfig: true mounts: [] env: {}
  • MotorOS: a Rust-first operating system for x64 VMs
    7 projects | news.ycombinator.com | 7 Jan 2024
    When you say wasm container, you mean something like wasmtime that provides a non-browser wasm runtime?

    https://github.com/bytecodealliance/wasmtime

  • Prettier $20k Bounty was Claimed
    16 projects | news.ycombinator.com | 27 Nov 2023
    The roadmap I linked above. The WASI folks have done a poor job at communicating, no doubt, but I'm surprised someone like yourself literally building a competitor spec isn't following what they are doing closely.

    Just for you I did some googling: see here[0] for the current status of WASI threads overall, or here[1] and here[2] for what they are up to with WASI in general. In this PR[3] you can see they enabled threads (atomic instructions and shared memory, not thread creation) by default in wasmtime. And in this[4] repository you can see they are actively developing the thread creation API and have it as their #1 priority.

    If folks want to use WASIX as a quick and dirty hack to compile existing programs, then by all means, have at it! I can see that being a technical win. Just know that your WASIX program isn't going to run natively in wasmtime (arguably the best WASM runtime today), nor will it run in browsers, because they're not going to expose WASIX - they're going to go with the standards instead. so far you're the only person I've met that thinks exposing POSIX fork() to WASM is a good idea, seemingly because it just lets you build existing apps 'without modification'.

    Comical you accuse me of being polarizing, while pushing for your world with two competing WASI standards, two competing thread creation APIs, and a split WASM ecosystem overall.

    [0] https://github.com/bytecodealliance/jco/issues/247#issuecomm...

    [1] https://bytecodealliance.org/articles/wasmtime-and-cranelift...

    [2] https://bytecodealliance.org/articles/webassembly-the-update...

    [3] https://github.com/bytecodealliance/wasmtime/pull/7285

    [4] https://github.com/WebAssembly/shared-everything-threads

  • Spin 2.0 – open-source tool for building and running WASM apps
    13 projects | news.ycombinator.com | 4 Nov 2023
    Thanks for the question!

    Spin could definitely run in more places than what we have pre-built binaries for. Specifically, we could run on all platforms Wasmtime supports today (https://github.com/bytecodealliance/wasmtime/releases/tag/v1...), including RISC and S390X, for example.

    And while we have been experimenting a bit with running Spin on RISC, we haven't really had the bandwidth or requirement to build a production build for those yet.

    Are you interested in a specific operating system or CPU architecture? Would love to understand your scenario.

  • Dave Cutler: The Secret History of Microsoft Windows [video]
    2 projects | news.ycombinator.com | 22 Oct 2023
    > I used to think we'd eventually get to capability based security, but now I see we'll always be stuck with application permission flags, the almost worthless bastard cousin, instead.

    My hope is that WASI will introduce capability based security to the mainstream on non-mobile computers [0] - it might just take some time for them to get it right. (And hopefully no half-baked status-quo-reinforcing regressive single—runtime-backed alternatives win in the meantime.)

    [0]: https://github.com/bytecodealliance/wasmtime/blob/main/docs/...

  • Requiem for a Stringref
    4 projects | news.ycombinator.com | 19 Oct 2023
    WasmTime finished finished the RFC for the implementation details in June: https://github.com/bytecodealliance/wasmtime/issues/5032
  • Should You Be Scared of Unix Signals?
    8 projects | news.ycombinator.com | 16 Oct 2023
  • MongoDB’s New Query Engine
    4 projects | news.ycombinator.com | 21 Sep 2023
    re LLVM: Yes, Cranelift was designed to address these issues

    https://github.com/bytecodealliance/wasmtime/blob/main/crane...

  • Val, a high-level systems programming language
    10 projects | news.ycombinator.com | 18 Jul 2023
    No longer does Wasm/WASI need JS host! There are many spec-compliant runtimes built for environments from tiny embedded systems up to beefy arm/x86 racks:

    - https://github.com/bytecodealliance/wasm-micro-runtime

    - https://github.com/bytecodealliance/wasmtime

    - https://github.com/wasmerio/wasmer

    - https://github.com/tetratelabs/wazero

    - https://github.com/extism/extism (disclaimer, my company's project - makes wasm easily embeddable into 16+ programming languages!)

cargo-crev

Posts with mentions or reviews of cargo-crev. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-01-05.
  • Hard disk LEDs and noisy machines
    7 projects | news.ycombinator.com | 5 Jan 2024
    In other cases it may be more documented, such as Golangs baked-in telemetry.

    There should be better ways to check these problems. The best I have found so far is Crev https://github.com/crev-dev/crev/. It's most used implementation is Cargo-crev https://github.com/crev-dev/cargo-crev, but hopefully it will become more required to use these types of tools. Certainty and metrics about how many eyes have been on a particular script, and what expertise they have would be a huge win for software.

  • Rust Without Crates.io
    5 projects | news.ycombinator.com | 14 Nov 2023
    The main problem the author is talking about is actually about version updates, which in Maven as well as crates.io is up to each lib's author, and is not curated in any way.

    There's no technical solution to that, really. Do you think Nexus Firewall can pick up every exploit, or even most? How confident of that are you, and what data do you have to back that up? I don't have any myself, but would not be surprised at all if "hackers" can easily work around their scanning.

    However, I don't have a better approach than using scanning tools like Nexus, or as the author proposes, use a curated library repository like Debian is doing (which hopefully gets enough eyeballs to remain secure) or the https://github.com/crev-dev/cargo-crev project (manually reviewed code) also mentioned. It's interesting that they mention C/C++ just rely on distros providing dynamic libs instead which means you don't even control your dependencies versions, some distro does (how reliable is the distro?)... I wonder if that could work for other languages or if it's just as painful as it looks in the C world.

  • I don't care about cookies” extension bought by Avast, users jump ship
    2 projects | news.ycombinator.com | 7 Jun 2023
    For instance, the worst company imaginable may be in charge of software that was once FOSS, and they may change absolutely nothing about it, so it should be fine. However, if a small update is added that does something bad, you should know about it immediately.

    The solution seems to be much more clearly in the realm of things like crev: https://github.com/crev-dev/cargo-crev/

    Wherein users can get a clear picture of what dependencies are used in the full chain, and how they have been independently reviewed for security and privacy. That's the real solution for the future. A quick score that is available upon display everytime you upgrade, with large warnings for anything above a certain threshold.

  • [Discussion] What crates would you like to see?
    16 projects | /r/rust | 11 Apr 2023
    You can use cargo-geiger or cargo-crev to check for whether people you trusted (e.g. u/jonhoo ) trust this crate.
  • Pip and cargo are not the same
    4 projects | news.ycombinator.com | 25 Jan 2023
    There is a similar idea being explored with https://github.com/crev-dev/cargo-crev - you trust a reviewer who reviews crates for trustworthiness, as well as other reviewers.
  • greater supply chain attack risk due to large dependency trees?
    11 projects | /r/rust | 4 Jan 2023
    There are also crates like cargo-supply-chain, cargo-crev and cargo-vet working on this aspect.
    11 projects | /r/rust | 4 Jan 2023
    You're probably thinking of https://github.com/mozilla/cargo-vet or https://github.com/crev-dev/cargo-crev
    11 projects | /r/rust | 4 Jan 2023
  • Why so many basic features are not part of the standard library?
    3 projects | /r/rust | 31 Dec 2022
    [cargo-crev](https://github.com/crev-dev/cargo-crev) looks like a good step in the right direction but not really commonly used.
  • “You meant to install ripgrep”
    9 projects | news.ycombinator.com | 17 Oct 2022
    'cargo crev' makes this kind of workflow possible: https://github.com/crev-dev/cargo-crev

What are some alternatives?

When comparing wasmtime and cargo-crev you can also consider the following projects:

wasmer - 🚀 The leading Wasm Runtime supporting WASIX, WASI and Emscripten

SSVM - WasmEdge is a lightweight, high-performance, and extensible WebAssembly runtime for cloud native, edge, and decentralized applications. It powers serverless apps, embedded functions, microservices, smart contracts, and IoT devices.

quickjs-emscripten - Safely execute untrusted Javascript in your Javascript, and execute synchronous code that uses async functions

wasm3 - 🚀 A fast WebAssembly interpreter and the most universal WASM runtime

wasm-bindgen - Facilitating high-level interactions between Wasm modules and JavaScript

wasm-pack - 📦✨ your favorite rust -> wasm workflow tool!

wazero - wazero: the zero dependency WebAssembly runtime for Go developers

godot-wasm-engine

trunk - Build, bundle & ship your Rust WASM application to the web.

mold - Mold: A Modern Linker 🦠

PyO3 - Rust bindings for the Python interpreter

pybind11 - Seamless operability between C++11 and Python