Video Summary and Transcription
Tauri is a tool built to improve the JS ecosystem, providing a lightweight alternative to Electron. It integrates the stack, focuses on security, and offers cross-platform compatibility. Security measures include a new iFrame interaction and a thorough audit. The importance of taking care of the planet and reducing app consumption is emphasized. Tauri's community, licensing, and future plans are discussed, as well as the challenges of web view support and the aim to create a consistent engine using Servo.
1. Introduction to Tauri
Three years ago, I came to JS Nation for the first time. Today, I want to give you an introduction to Tauri, a tool we built to make our ecosystem better.
Hey, you know, three years ago I came to JS Nation for the first time and it was about a month or two after we started working on Tauri. So it's kind of an amazing feeling to be back here, especially after these past couple of years, which have been really weird, right?
Like, these, these meetups have been kind of modified by the screen so we didn't even have this distance, right? We didn't have this way to look across. Where are we going? Where did we come from? And I think today, what I want to do in the talk is give you an introduction to Tauri. There's going to be a short video, then I'll talk about the parts of our important stack and then bridge into our philosophy about it. So time's short. I'm just going to move ahead. There's questions later. But I'm waiting for my Wi-Fi. So while the video is loading, and if it doesn't load, I'll just skip ahead, but we built Tauri in order to address a bunch of concerns and none of them were our ecosystem is bad. We built a tool to make our ecosystem better.
2. Building Secure Applications with Rust
Out of Atom grew Electron, which is a mixed bag. It allows you to do a lot of things, but it's heavy and ships an outdated browser and runtime. To address this, we built Tauri with Rust at the core. Tauri has three components: Tao, which creates windows and provides menus and system trays; Wry, which injects a web view into the Tao window; and an ecosystem that brings together systems-level engineers and front-end developers. Tauri integrates the stack, provides API access to the file system and build tools, and focuses on security and the basics.
When we look at how applications have been built, it all started, I think, in this context with Atom. I don't know if you remember that. It just got sunset a couple days ago. Out of Atom grew Electron, and anyone who's been reading the Twitterati, they all know that Electron is kind of this mixed bag. It allows you to do a lot of things. But I guess I will skip the video. It allows you to do a lot of things, but it's very heavy. Basically, with Electron, with that system, you're shipping a browser that's generally out of date the moment you ship it. You're shipping an entire runtime and also your JavaScript.
Now, there's this whole idea in the JavaScript community that isomorphic code is great. I mean it is generally good for the ease of use, and we're gonna get into the security implications of having everything easy later. But what also happens is attackers can jump from the JavaScript front-end to the JavaScript back-end, and you hear about terrible vulnerabilities and attacks all the time. So we decided to look at how we can rebuild this idea using Rust at the core. And so we have basically three components for Tauri, and it starts with a window. You know, whether you're on Mac, Windows, Linux, or iOS, or Android, you need to have a window to put content into. And that's Tao. It allows you to create a window, it gives you menus, system trays, keyboard accelerators, and that's kind of like the skeleton, if you will.
The next part is Wry, and Wry allows you to inject a web view into the Tao window that you've already created. And the important thing to remember here is that we built these libraries on Rust, but other people can use them too, not just Tauri. So for example, the Wry library is being used by Astrodon, which as you might know is a project to build applications with Deno. We've helped them, and they've helped us, and I think that that's something that we're going to keep on coming back to in the talk, and that is that this ecosystem of Tauri is kind of unique in my experience because we're bringing not only systems-level engineers into the project, but also front-end people from all different disciplines, whether it's React or Vue or Svelte, or from the Rust side Dominator and Yew. And this all kind of comes together in Tauri.
So basically what you get with Tauri is it integrates all of this stack. It gives you API access to, for example, the file system from the WebView, and also the build tools, so that if you need to sign the macOS binary, it'll do that for you. It will provide a system for automatic updates that you can give your users. And it's kind of the glue that holds it all together. So the features of Tauri are that you can bring your brownfield project, and it'll work. Of course, if you do a lot of things in Node.js, in Electron, you're gonna have to do some porting, but we really focus on security and the very basics. And I mentioned this earlier. It's super important for us that you, as developers, as engineering teams, have a baseline security that you know is there and that is verified and verifiable.
3. Tauri Features and Future
Tauri is always going to stay dual licensed MIT Apache 2. The bundle size is minimal, allowing for very small applications. We tree shake the Rust that you ship with your app, only including the functional points you need. Tauri is cross-platform and has partnered with Cloudflare for global app distribution. You don't need to know Rust, just install the compiler. Tauri works in iOS and Android, provides alternative renderers, and an updater service is coming. WebRTC on Linux is being worked on. Cross compilation is available for local testing.
This is, I guess, one of the most important parts of free and libre open source software, which I mean, I'm a maximalist. I'm a maximalist for open source. Tauri is always going to stay dual licensed MIT Apache 2. I'll talk more about how we're proving that later.
The most important thing, though, for a lot of you is then, also, going to be the bundle size. And that is minimal. You know, we're seeing applications that are very, very, very big in the context of what they do. And they come in around 5, 6 megabytes. The gulf that we've seen, I think, was 540 kilobytes if you watch your icon sizes. So you can get really very small applications.
The reason for that is that we also kind of tree shake the Rust that you ship with your app. So instead of shipping a full runtime, we just ship the functional points that you need in order to run your system. And obviously, like I said, it's cross-platform. You can build on a Windows device and then use our CI that we wrote for GitHub. GitLab is coming soon. And it will produce the binaries that you need. And the announcement is coming next week. I'm happy to tell you, though, that we've paired up with Cloudflare, so that if your project is open source, you can use Cloudflare Workers for free, which will then globally distribute your apps wherever they're needed at the edge. It's exciting, and obviously, it's built on Rust. I was told to tell you, though, you don't need to know Rust. You just have to install the compiler, and we take care of all of that for you.
Now, if you're familiar with Rust or you want to learn Rust, it's also a great opportunity to get your feet wet without committing. And where are we going from here? Well, since, I don't know, maybe a couple of days, we have verified that it works in iOS and Android. That's going to be landing in the next branch very soon. We're providing alternative renderers. If you don't like WebView, you can ship a GL window that will work on all the platforms as well. Like I mentioned, the updater service is coming. WebRTC on Linux is kind of the one thing that's stopping Element from adopting Tauri. But we're working on that together with the WebKitGTK team. Cross compilation is important for a lot of you because you want to test it locally.
4. Tauri: Additional Bindings and Security
At scale, you can use CI, but there are reasons to do it on one machine. Tauri allows you to write your back end in various languages and talk to the application the way you want. Security is a significant concern, and Tauri has taken measures to ensure the development of secure applications. They have invented a new kind of iFrame interaction to prevent third-party JavaScript from accessing sensitive systems. A thorough audit was conducted by Radically Open Security to validate and harden the system. The full audit can be found on their GitHub repo.
Obviously, at scale, you want to use CI, but there are reasons to do it on one machine. And then additional bindings. A word about that because you might not know exactly what that means. The additional bindings means that you can write your back end in Python, C, Go, Nim, C++, choose your language. As long as it's got interop with C, you can harness Tauri and direct it. So, if you're familiar with any of those languages, even I think Swift is coming soon as well, you'll be able to just use our build system and talk to the application the way you want.
So, I've got like nine minutes and 30 seconds left. I'm going to kind of breeze through security, but I shouldn't. Like, one of the things that we found in our help desks is that people all the time, they say, well, we don't care about security. Like, who cares? Just make it easy. And, like, the biggest risk that we see with young engineers, especially with the advancement of the amazing DX that tools like Vite and Svelte and Tauri are bringing, is that it's very easy to do stuff. So you don't even have to know what it means. You don't have to understand the implications of things. And we've tried to do our best to make it possible for you to make a perfectly secure application. To the point where we even invented a new kind of iFrame interaction with our API that prevents third-party JavaScript from ever even being able to call it. Why is this important? Even in a sandboxed browser, there are zero days, there are one days. And in the context of an application that gives the app access to the network stack, to the file system, to the microphone, to the camera, you run the risk of allowing attackers to just get granular access to your systems. And whether you like it or not, today's applications live in operating systems that are always being compromised. And if you don't take care of this, you're actually making a vector where people can attack you and your users. So don't be a tool.
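The iFrame interaction the speaker describes is what Tauri 1.0 calls the isolation pattern, and the "granular access" concern is what the allowlist and its scopes are for. As an added illustration (this is not code from the talk or from the Tauri project), the following tauri.conf.json excerpt enables the isolation pattern, turns every API off by default, then re-enables only file reads and writes inside one directory, and restricts what the web view may load with a CSP. The isolation directory, the notes subfolder and the choice of fs calls are assumptions made for this example.

```json
{
  "tauri": {
    "pattern": {
      "use": "isolation",
      "options": {
        "dir": "../dist-isolation"
      }
    },
    "allowlist": {
      "all": false,
      "fs": {
        "readFile": true,
        "writeFile": true,
        "scope": ["$APPDATA/notes/*"]
      }
    },
    "security": {
      "csp": "default-src 'self'"
    }
  }
}
```

The contrast worth checking in a real project: with the default `"use": "brownfield"` and `"all": true`, any script that executes inside the web view, including third-party JavaScript pulled into the page, can call every enabled API, which is exactly the front-end to back-end jump the talk warns about. With `"use": "isolation"`, every IPC message first passes through a separate iframe served from `dir`, whose `window.__TAURI_ISOLATION_HOOK__` can inspect, modify or drop the payload before it reaches Rust, and the `scope` entry means that even a permitted `readFile` fails outside the notes directory.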
Now, we had a lot of beliefs about the system we built. We thought it was safe, we did our best work. Turns out we had like 54 findings. Radically Open Security did an amazing job working together with us, not only validating our approach but also hardening it. So one of our prerequisites for launching the 1.0 was having this horizontal and vertical audit. You can find the full audit over at our GitHub repo. Now, it's kind of obvious. We're staying in an Airbnb here in Amsterdam. In a boat. On one of the canals.
5. The Importance of Taking Care of Our Planet
And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is actually the problem, I think, that got us to where we are right now. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. But what we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.
And when you wake up kind of thinking about what's going on on the planet, you think, should we take a bike or a taxi? Right? And we worked really hard to make small binaries. This is an example of the one I mentioned before. I think it was Jonas that built it from the team. You can make small binaries, but who cares, right? It's free real estate. This is actually the problem, I think, that got us to where we are right now, and that is in this room are about 100 people. Out there are another couple hundred. In the internets are thousands and thousands and thousands of people and everyone is building the next cool thing and we want to support that. What we don't want to continue supporting is this ravaging of our planet because we have to take responsibility for that, not just the security of our apps, not just the privacy of our users, but we really have to take care of our planet because like it or not, water is rising, droughts are everywhere, war is happening, and we can do something and we have to.
6. The Impact of App Consumption on Global Warming
The more your app gets consumed, the more users download it, the more you're contributing to global warming. We still have to do everything we can to reduce our consumption.
Just as a really quick thing, the more your app gets consumed, the more users download it, the more you're contributing to global warming. This is just a little exercise in electricity consumption, and obviously your WebSockets, your REST requests, they consume traffic too, but we still have to do everything we can, and I think Tauri is a great step in that direction, and we're always working to reduce the bundle size and educate people: hey, shrink your PNGs. Use SVGs. It's not just about time to delivery, it's not about this speed that you have to show a website. It's really important that we reduce our consumption.
7. Community, Discord, Conservancy, Launch, and API
In the last few minutes, I'll discuss the community, running everything on Discord, the Commons Conservancy, the board of directors, the Open Collective, the book in progress, the recent 1.0 launch, and the stable API with bug fixes and new features coming.
So I've got about five minutes left. I'm going to talk about the community, who we are, and how you can get involved if you're interested.
So we run everything on Discord. We have a number of public channels. There are some private channels, but those are more for organizational purposes. That's because we believe in open source. We believe in community.
And when we first started getting contacted by venture capitalists, we didn't panic. We went to the Commons Conservancy, which is a foundation here in Amsterdam. What they do is they provide an organizational body that protects the code from license changing. It protects the code from people. It protects the code from someone coming in and saying it needs to be done differently, let's do it that way.
We have a board of directors, there is a new vote coming up soon, and we'll be announcing that in the Discord channels. We have an Open Collective where you can donate. We've used the funds from the Open Collective to pay for part of the audit that we had done, and also to pay for our trademark. If you're listening, Red Bull, thank you very much for allowing us to use the name Tauri. That was an interesting thing.
We're also working on a book, expected to be out this year. Together with Packt Publishing, we're going to be talking in depth about what makes a Tauri app and the philosophy behind it. And I have three minutes left. I don't know if I can name everybody involved in this, but we did just launch the 1.0 at 5 a.m. this morning. Applause. Thank you.
What that means. That means that the API is stable, it's not going to change. We're only going to apply bug fixes, and this is our audit seal. New features are going to be landing in the next branch, which you can consume from JavaScript and Rust. It's just a simple, you know, git hash, revision, or tag. And I'm going to try and thank a couple of people who have been really important to this project.
8. Lucas's and My Journey, Community, and Licensing
Lucas and I started this as a hobby, and it turned into something that changed our lives. We have hundreds of contributors and a massive team. We want to grow with you and look forward to the next years of this project. Thank you for your questions. We took a taxi, and Tauri uses the MIT Apache 2 license. Let's discuss the militarization of open-source and the importance of community in shaping the ecosystem.
Lucas and I started this kind of as a hobby, and it turned into something that changed both of our lives. And he wanted me to tell you thank you. And I'm breaking down, sorry. I'm not even going to be able to remember all of the names. We have hundreds of contributors. You've got a massive team. We want the team to grow. We want to grow with you. And we really look forward to what's next, to the next years of this project. And yeah.
I'm just going to say thank you there and leave some more space for questions. Yeah. There's a reminder up here on the slides to please ask your questions. There aren't many yet, so I can ask all my questions, which is great. That's a great privilege of being an emcee.
So first question. Did you actually take the bike or did you take the taxi?

We took the taxi. You thought I was not going to remember, right? No, it's a good point. I'm scared of the bikes in Amsterdam.

Well, that's a fair point, I think. I had another question. So what kind of license does Tauri use?

Tauri uses the MIT Apache 2 license, so it's up to you to use whichever you want. I always like to use that opportunity to talk about the militarization of open-source and how I personally don't believe in it. I think that as engineers we chose a license to enable people instead of to prevent them from doing things. I know there's been situations recently where people have decided to change their code or change their license, and it risks the health of the ecosystem. Community is the right place for that. Our guidelines, our expectations of behaviour, I think, are the morality, the backbone of open-source, and the license itself is just a legal agreement. It's not how we feel.

Yeah, I think it's an interesting discussion anyway, but, yeah, I did notice that there is a couple of atmosphere licenses that I thought you — you probably considered all of that. Cool, very cool.
9. Tauri Web View Support and Future
Tauri web views use different engines on different platforms, but we are working on retrofitting Servo to ensure consistency. The lack of standards for web views makes them challenging to work with, but the operating systems usually handle updates. Our research project aims to create a dedicated web view for Tauri using Servo, ensuring the same CSS and JavaScript engine across platforms.
Let's see if there's any other questions. I did see something come in. Is the JavaScript support the same in the Tauri web view as in a browser? We support ES2021. I think the complicated part is that we use WKWebView on Mac-type devices, we use WebKitGTK on Linux-type devices, and we use WebView2 on Windows-type devices. And as much as we love the web views, they're kind of like the unloved children of the browser ecosystem. Because what happens is there's no real standards for them. And so, they just kind of work or they don't work. And how do you get them updated? And I think that the actual operating systems do a pretty good job of keeping them up-to-date. But one of our research projects is, in fact, focusing on retrofitting Servo to become a proper web view, specifically for Tauri. Because then we can guarantee that it's the same CSS. It's the same JavaScript engine on all platforms. Cool. I hope the person's question is answered.