Tauri 2.0
===
[00:00:00] Hi, and welcome to PodRocket, a web development podcast brought to you by LogRocket. LogRocket helps software teams improve user experience with session replay, error tracking, and product analytics. Try it free at logrocket.com. Welcome to the podcast. I'm Tejas Kumar, and it's my pleasure to introduce you, or rather reintroduce you, to Daniel Thompson, the founder of Crab Nebula and the Tauri project. And today we're going to talk about all things Tauri. Given there was a new announcement, Tauri 2.0, we're going to cover that. And we're going to cover Crab Nebula, the company behind Tauri, with first class support for Tauri based solutions. With that, Daniel, welcome to the podcast.
Thanks for having me back.
It's so good to have you back, there's a lot happening in the Tauri ecosystem, before we get into it, I'd love to hear from you if you could unload for our listeners a little bit about what Tauri is, where it's useful, its strengths, its weaknesses, and so on.
Tauri sits in that sweet spot of application development where you have a user interface and you have some code that people interact with. Could be a [00:01:00] database locally. It could be an API remotely. And what Tauri does is it allows developers with, for example, web skills like HTML, CSS, JavaScript to build these engaging fluid 60 FPS user interfaces and ship native apps. You probably heard of similar types of technology like Electron, which is a desktop system based on Node.js and Chromium or even Capacitor for the old timers around here, what used to be called Cordova and had another name before that. And these all sort of work under the premise that different operating systems provide a thing called a web view, which is basically like a stripped down web browser. And there's no search bar, there's no back button, but it does render HTML in a pretty compliant way. And I [00:02:00] think for a lot of users of the Tauri framework, they've entered the ecosystem from this perspective. I have these skills as a web dev and I want to make some apps. And there's always been these discussions about, isn't a PWA, a progressive web app, basically the same thing? Why do I even need to do this kind of calisthenics? And what you find out once you start looking into the architecture of what makes an app, there are a lot of things that browsers do differently than what you might expect, and the browser specifications are changing all the time. One recent example is, there is no guarantee on the web if you're using, for example, Safari, that data that is stored inside of the cookies or local storage or IndexedDB persists for more than two weeks. So you're going to have a remote service that somehow rehydrates that [00:03:00] data, which means that I mean it's clear why they made these decisions and I'm not angry with the Safari team or the Blink team or whoever's behind WebKit. I know that they make their decisions for very important reasons. Usually it's security. Sometimes it's business, but with Tauri, we let you decide, Hey, I want to have a database. I want to use SQLite in the backend and I want it to be locally on my users. So we try to give this flexibility to leverage what you know, and the superpowers of the Rust programming language and ecosystem to really accelerate performance. If you do end up eating that.
Right? Tauri, you mentioned... allows us to create native applications similar to tools like Electron, Capacitor, or PhoneGap. And it does that by using a WebView. And Rust, the Rust programming language on the backend side. Is that why then, Tauri projects are... considerably smaller and [00:04:00] faster. Is it because it's so lean? So what I'm hearing is it doesn't ship a web view. It uses the web view that's built into the OS. This is counter to other projects like Electron. And this is not a judgment statement at all. It's just a fact that Electron does ship with, um, I believe it's Chromium, to render the HTML, CSS, JavaScript, whereas Tauri does not. Is that an accurate statement?
Correct. I think what we've seen and what we're going to talk about later today, I hope, with the evolution of Tauri is that, the original model, mental model for a Tauri app, like this first thing that we put together was, yeah, we're just going to leverage the system WebView, which is WebView2 on Windows these days. It's WKWebView on macOS, and it's WebKitGTK on Linux. And by doing that, we don't have to ship the entire universe as it were. And we're just shipping the code that you need. We're not shipping an entire runtime. We're shipping compiled code and then we're leveraging system resources.
So [00:05:00] generally speaking, most modern or modern, most contemporary Tauri apps in 2013 end up being about eight megabytes in size, for a feature complete application. It can be more if you're not careful with your visual assets or you're writing a lot of code in JavaScript. But I guess the starting point for my contemporary Electron apps haven't checked recently, but I think it's around 50 to 80 for a hello world. And then once they get fleshed out, they get considerably bigger.
And that's because again, Electron ships the Node.js runtime and the Chromium based web right? But it also sends JavaScript, right? So the entire application that you download when you download an Electron application includes a semi compressed version of all of your JavaScript, including all of its comments. And, the bundle size isn't just the runtime and the Chromium. It's also your code. [00:06:00] And it's the node modules with this diagram of the math of node modules being more than the universe.
That seems really compelling to use it to build native apps. I'm curious if you could speak to the usage and adoption of Tauri. I recently saw that it surpassed Webpack in GitHub stars. What does that look like? And, so I'm asking because I'm really selfish, right? As a developer, I like using VS Code. I know VS Code is an Electron app. And it does lock up on me sometimes. I'm curious if... it would perform better as a Tauri app, and it seems like it would. How's that going?
There was actually an interesting discussion on Twitter. Is there an X platform formerly known as Twitter, today? Where someone was saying, yeah, Electron and Tauri, they're very comparable from the perspective of performance. When you look at kind of neutral benchmarks and somebody left a comment and it was just like, no matter what you're doing, if you write bad code, it's going to be slow and buggy. And I think that's the real takeaway. There's great reasons to stick [00:07:00] with systems like Electron for VS Code, they've invested a lot of time into it and having an isomorphic system that's JavaScript all the way down is really useful for example, with velocity when you're developing, but to answer your question, we have seen some bigger projects lately, using Tauri and the Tauri libraries. For example, I think just this week, that we're recording this, Spacedrive released its alpha and that's a Tauri project. Spacedrive is a way to really unify all of your storage devices on the device in the cloud, USBs and so on. This month, I think the beginning of the month fig.io, which is a tool that developers on Mac, I believe only, use to accelerate their command line interface. They were just acquired by Amazon Web Services. And what that [00:08:00] actually did, I'm super happy for the team because they've been like around the Tauri Discord for years since they started. While it's great for the team and I'm happy for Amazon Web Services and making a smart acquisition, what it does for the greater Tauri economy is it qualifies applications as having technological readiness level nine in the European Commission, as well as with NASA. These are, you know, qualifications for use in specific fields and having that acquisition through a company with standing like AWS really makes the point that Tauri is the, absolutely ready for.
Fantastic. Fantastic. I'd love to hear it.
I have one more question about Tauri, and then I'd love to talk about some of the newer announcements that were made. The question about Tauri is this. You mentioned, since [00:09:00] it's so lean, and it uses the built in web view to most OSs, how then do you, or can you, enforce a specific... WebView. What I mean by that is, this comes out of a question actually we received at EuroRust last week where, there's a person building apps, desktop apps with Electron, and by doing it with Electron, they get the guarantee that something like WebRTC is going to work deterministically because Chromium implements that interface consistently across OSes. But if you're using a different WebView per OS, is there a way then to ensure consistency in some of these web APIs or how does Tauri account for that?
We are sort of held prisoner to the whims and whimsy of browsers, browsers are king, right? And what the Electron team has done is they've done a really fantastic job of downstream shipping Chromium. They adapt Chromium for their own purposes. They are really living the open source dream. I'm in awe and inspired of what they do. [00:10:00] Nevertheless, the Windows team over at WebView2, they do things their way. I think they have a great distribution model on Windows. You can't actually specify a very specific version of historical releases for the WebView2. On Mac, you're pretty much held hostage by the version of the operating system that you currently have installed on your device, because it's using Safari. Maybe there's an updated Safari, but that tends to bring an updated web view to the system and on Linux, WebKitGTK is a little bit slow on certain things like exactly WebRTC. That's why projects, some projects are actually implementing their own WebRTC stack in the backend, nor. to, they're doing that. I totally sympathize. And it's why we're actively working on, and I'll get to this later, so we're working on other types of windows that are absolutely compliant [00:11:00] across the platforms, including doing novel research.
Thank you for that. Let's talk about Tauri 1.5. This was announced recently, and it seems to be a big milestone for the Tauri ecosystem. Can you walk us through some of the features 5 that make it such a marked release?
Yes. The first feature is actually an unfeature. And that is, it's a learning that we got from the process around the audit of the 1.0. Basically what happened is we froze all development. If you look at the contribution report for Tauri, there was a big dip in contributions for about six months while we were working on the audit and we decided this time that even if we're working on an audit, even if we're working toward 2.0, we still have to maintain the 1.x line. And that's why we are, why we released 1.5 and there might even be a 1.6, before we get 2.0 out the door. Finally. So a couple of the changes that are notable with 1.5 are, and [00:12:00] it somehow made the headlines, Bun support. Oh my gosh. Like you have Bun now. And ultimately what that is, yes, we have provided a way to recognize that you're using Bun instead of pnpm or npm or yarn as a package manager, as a CLI interface. That's pretty trivial.
It was also mentioned on line 40 of the release announcements, but a lot of people picked up on it and ultimately all we're trying to do there is support people no matter what their choice is, whether it's React or Vue or pnpm or Bun, we want people to use the framework. And so the Bun availability is really just a way of staying in touch with people's requests. Will there be a Bun runtime, a bun time? Maybe if someone contributes it, can talk about other language paradigms, other than Rust backend, JavaScript based [00:13:00] front end later. Another big thing is the way in which Apple changed the notarization process for desktop applications. It shouldn't have surprised us, but it did. We're not a huge team of people working on this, but one of our customers at Crab Nebula reported to us that suddenly with the new updated version of macOS and iOS, they couldn't sign anymore. Something was breaking and that has to do with a revised approach for team management that Apple has chosen. Of course it's easy to speculate, but I think this was done in advance of changes to European legislation next year, similar to how the USB-C charging port on the iPhone was brought into case and again, 1.5 is a [00:14:00] maintenance release. We're just making sure that everything that we've built continues to keep working and there's probably going to be a couple of patches because it seems like with so many moving parts, it gets harder and harder to do testing and I think the saving grace here is our amazing Discord community. Not just the people who are helping out, but the people coming and asking questions and saying, I don't understand this. And that leads us to writing better documentation, building new tests. And sometimes even triage discovers a logic error the 1.5 is about,
We'll add a link to the Discord in the show notes so that people can join in this community and learn a little bit more about Tauri. I want to talk a little bit more about this notary or notary tool, because you mentioned. There was a customer of Crab Nebula, we'll get to Crab Nebula soon, reached out and said, hey, we're having trouble signing our applications, and of course, Apple operating systems will only run signed applications, that is, applications verified with Apple Developer Certificates. [00:15:00] especially mobile devices, and so they came to Crab Nebula and said, we're having trouble signing, and then Crab Nebula's response was what?
within 24 hours, fix was resolved and reviewed and
And the fix was to create what we're calling Notary Tool. What does that do?
upstreamed. Basically it just, before we had one system and now we have two systems, depending on what you're using. So basically it meant ripping out the hard coded making a kind of middleware detection system that figured out what you're on, what you're targeting. And then applies the logic based on the CLI tooling that is used under the hood and fun fact. We are downloading a GPLv3 licensed binary in that process to the user's device, but we're only instrumenting it. We're not shipping it. And it's one of those interesting places where [00:16:00] in depth knowledge of license compliance really helped us out here because you might say, Oh my gosh, that's GPL poisoning, but it's not because we're not shipping the tool. We're just leveraging the copyleft ecosystem. And it was an interesting discussion I had with Lucas while we were working.
That's tremendous. And so because of this now, Tauri 1.5 users get access to this seamless signing for free basically just because the fix has been made in the open
We had to backport it because of the way that the latest macOS system is working, if you're on an older version, you'd never know. We had a policy not to use beta. So we weren't checking the OS beta release, but then we got the reports of people who finally moved over. And obviously then we had to,
That's amazing. And it sounds like Crab Nebula is, that's quite the domain expert in these topics that I think don't get enough love, so I appreciate that. And again, we will talk more about Crab Nebula in a few minutes, but before we do that, we would be remiss if we [00:17:00] didn't address Tauri 2.0, right? This big overhaul of Tauri that, as far as I know, adds support not just for desktop systems, but mobile apps as well. So edging into the arena of the likes of React Native, Expo, even Ionic to some degree. I'd love to talk more about that. And let's start by talking about actually more of the conceptual side of it before we get into the hands on side of it. In an earlier discussion we talked about agnosis. This idea of building in a platform agnostic way. I'd love it if you could expand that a little bit, and share some of the learnings from creating Tauri 2.0.
Yeah, I have to go back a little bit in time. And that is when we started Tauri, we didn't expect it to blow up like this. We're now like number 97, most starred project on GitHub. There's literally a million downloads of the CLI from npm, which you can count however you want that's still in active, heavy CI use, which means it's in production, which makes me happy. And for a [00:18:00] while, we thought that just being able to let anybody use any front end that they wanted inside of a Tauri app was great.
I think it brought us a lot of attention, but it wasn't super innovative. This has been around as long as people have been churning out desktop apps that use web technologies, right? It's a matter of compliance, if you will. And that's great. We also started to realize, some people come from the Rust ecosystem. I'm getting to your point. Don't worry. Some people come from the Rust ecosystem and they don't care about JavaScript. They'll bundle out their WASM and then interact with that. So that's fine. So we're expanding the notion of what this framework can do. And then at some point last year, we released the egui plugin, the Tauri egui system, which actually replaces the web view. So now you can just have a web, like a, have a GL context, immediate mode, GL context by those amazing people around email, instead of a web view.
[00:19:00] Sorry, can I interrupt you for a second? What is an immediate mode GL context?
You know what GL or like WebGL, for example, it's like a video accelerated screen that uses the GPU to produce the thing that you're seeing instead of the processor to
It's like a canvas for video that uses the GPU.
Yeah. That's a great way to look at it. And immediate mode means it just flips everything when it changes instead of retaining everything else. So it's a much more nuanced than that. And I would really recommend going over to rerun.io and checking out what they're doing with egui. So we made a way for people to interact now when they didn't even need any HTML and JavaScript and CSS. And it got us thinking, people don't make apps just for desktop anymore. They're making for mobile. So how do we have to adapt our system to be agnostic to the device that people are on? Yes. Okay. There's always user interface constraints.
It's, if it's touchy, it's touchy. And if it's clicky, it's clicky. They're different hardware modalities, but if [00:20:00] we're going to be doubling down on agnostic systems, then what would it look like if we were going to do things for mobile? And very early on, we identified that what we'd built in Tauri was a monolith. And I'm not going to go down the microservices pathway to hell, but I am going to say that the monolithic idea was great for Tauri as a desktop application service framework thing, but as more and more edge cases started to define the breadth of the system, it got us thinking, does that need to be in core? And we started pulling things out of core and looking at them. Do you need to be there? If you don't, can we make a plugin? And so I think the biggest innovation that you alluded to with the 2.0 is the pluginification of everything. Now this has a couple. One of them is that you're declaratively enhancing the capabilities of your [00:21:00] application, instead of shipping giant Node.js runtime. Now, if all your app ever needs is file system access, read, write, you don't need to have all of the code that lets you perform isomorphic fetch or whatever, right? All you need is file system access. And with this declarative approach of introducing the various features of this underlying system that you want to communicate with and empower your users with, you are reducing attack surface. Again, you're reducing binary size. And all of that means that you are getting better performance, no matter what the haters out there are saying, the fewer code points you have, the faster it loads into memory, the more active, reactive your applications are going to be. So by pulling these APIs out, it also gave us a chance to revisit how some of them can work in the context of mobile because multi window applications that make sense in the desktop context, if you've got three [00:22:00] screens, tend to lose the relevance if you're on a Galaxy smartphone, tend to, we can talk about what it means to have notifications pop up. Is that a mini screen? But that's more a philosophical issue, I think. And so by challenging ourselves to think about the requirements for mobile devices, we discovered an opportunity to even streamline the core even more. My expectation is that generally Tauri apps are going to shrink by another three or four megabytes. So instead of eight megabytes, you're going to be shipping four, three, two megabyte size applications. If you're very judicious in the feature set that you ship. Yeah, what you were saying before about that, the client of ours that is working on an iOS and Android app, they're on, minified app for iOS is already five megabytes.
I have so much respect for this because like I remember growing up when the iPhone was new, I'm dating [00:23:00] myself, but every year on year the iPhone would be branded as, oh this year it's lighter and smaller and as a consumer of tech I didn't really care about that until I did care about it because I'd hold it in my hand and go, oh my gosh, there's so much power here, but it costs not that much energy to move. And I, as a result, I wanted to be on it more and today I'm addicted to it, unfortunately, but I think that level of care with binaries and applications where you're shipping these absurdly small, frankly, two megabytes, one megabyte type of applications for mobile and desktop. I think it can lead to so many benefits.
Also, probably in terms of environmental impact, I have to think, heat generation at compile time with distribution, and so on. I think this is something that not a lot of people are paying attention to, but I think we should. And I'm happy to see Tauri leading the way here. So you mentioned in Tauri 2.0, a lot of the core APIs from Tauri 1.0, if that can be considered a monolith, find themselves more decentralized by way of plugins in Tauri 2.0. And I like that it gives developers fine-grained [00:24:00] control over what parts of the host system they use, which as you mentioned so eloquently reduces attack surface and so on. I'm assuming all of this is lives this declarative, these declarations of plugins, et cetera, live in the Tauri configuration as a single source of truth that can then be even linted. For example, if you're not using an API, but you declare intent to use an API or a plugin in the Tauri config, then there's probably going to be some type of tool that tells you, hey, wait, you're not using this. Maybe you should remove it or something like that. Is that accurate? Is that a fair expectation or am I too far in the future?
One of the changes that is currently blocking the release of the code base of Tauri to the auditors is a reinvestigation of what we'd always been using as the allow list. To be clear, the allow list was really always intended for the JavaScript side of the ecosystem. These are the things that [00:25:00] we permit you to do. If you don't have those permissions, they're not going to happen. And as a side effect of that, we often found ourselves rewriting the Cargo.toml file that describes the application, which is a kind of really weird side effect. And our director of security at Crab Nebula has presented a security enhancement that puts this more in line with the feature declarations common to the way people actually write modern Rust code. An analyzer is a great idea. I think we'll have to wait until 2.0 comes out to see exactly how that could be built in an efficient way.
Previously as or I guess currently with Tauri 1.5, Tauri bridges the gap between native system and front end through this inter [00:26:00] process communication bridge, right? So you write Rust to interface with the OS, the file system, the database, and then JavaScript, HTML, CSS for your front end. With Tauri 2.0, it's our understanding that you can now also write code with Swift and or Kotlin to integrate more closely with the host systems of iOS and Android. Can you speak to why that was added and how people can get started with that?
For the mobile platforms, it was absolutely essential, right? If you're not speaking some flavor of Java, you're not on Android, right? And for iOS, it's a very similar equation, right? Like the interfaces to these subsystems are really only available in that language, right? It was a hard decision, but we felt that it's a practice that other people before us have undertaken, if you look at Ionic, if you look at NativeScript, React Native, they've been solving similar, the problem in similar ways. [00:27:00] But it's actually a really interesting point that you bring up. And I think a lot of people miss out if they are new to the Rust ecosystem and that is, yeah, we have an accept list, but really you can do anything with Rust.
Like really literally anything, you can import the file system crate and do all of your crazy file system stuff and just use the invoke event handler to cross the message passing boundary between the web view and the backend and it will do the same thing. We provide these kinds of helpers. And ultimately the idea behind the plugins is that the plugin provides a JavaScript type interface to the code and the messaging system that is then reflected in the Rust backend. So if you want to read from the file system, you select the file you want to read or the folder you want to read from in the user interface, that message gets passed back through to the Rust side of things that does [00:28:00] the reading and passes the results back to you, either the file size or when it was created. I really recommend if any of our listeners are interested, check out the Spacedrive repo, cause you will see some space age ninja stuff going on there. I'm serious. That's, it's impressive.
Space age ninja stuff. I love it. Tauri 2, with its support for iOS and Android, do I understand correctly that architecturally it's similar where Tauri 2 applications that ship to these mobile platforms would spin up the native web view of the mobile platforms and then through languages like Swift and Kotlin interface with the underlying OS. And in asking that question, one, is it accurate? But two, how close or far is it from similar solutions like React Native, or Ionic, et cetera.
I think if you want to follow the paradigm of having a web based user interface, it's going to stay very similar to [00:29:00] React Native and to Ionic, but like I said before, we started identifying opportunities to expand the notion of what Tauri itself really is.
And one of the ways that we did that is we were looking into other alternative windows like egui. So this GL accelerated context will run on mobile, right? We're working on a project right now, a research project to ship WGPU type window contexts and
sorry to interrupt. What's WGP?
WebGPU. It's the new thing. But up until now, it's been hard to leverage inside of the Tauri ecosystem. We fixed that and are working on being able to layer webviews on top of WGPUs and you're like, why would anybody do that? And all of the games people in the background are like, hello. And then, on this [00:30:00] track, we discovered a huge failing on our part. Maybe the biggest piece of innovation that Tauri really had in the early days, and that's the updater, the bundler and the updater. And it was so tightly coupled to Tauri that you couldn't really use it without like hard forking and you wouldn't get the updates and no one really used it like that. At Crab Nebula, we decided, people told us at conferences, they want to use this updater from Tauri. We're like, fine. Now we built a new cargo subcommand called cargo packager. That will work for Deno apps. It works for Tauri apps. It works for Slint, works for wry apps. If you're listening and you know what that means, it'll work for Bevy apps and it'll work in the future for Electron apps. So that you can start using this packaging system to ship, deliver, bundle, update your current Electron app. And then if your team decides it's time to make the move to Tauri, all you have to do is create the next [00:31:00] version in Tauri. And since you're already using the bundler and updater, your users will never know
Wow. Wow.
unless they're checking the download size. And they're like, why is this four megabytes? Have I been hacked?
~We got that actually somebody, somebody would complain the other day about the binary being too small. He's like, that's not possible. And I was like,~ ~Fantastic. All right. Let's,~ let's talk about Crab Nebula. I'm really excited about Crab Nebula. I've been working with Crab Nebula since February. So I personally need absolutely no introduction to Crab Nebula, but I think the listeners would enjoy hearing about Crab Nebula. Let's start with the thesis statement that Crab Nebula is the company behind Tauri. Can you tell us a little bit about how it was formed and the structure and where Tauri fits in? Sure. A lot of us from the early days of Crab Nebula were OGs from Tauri. And what we discovered along the way is there's a lot of things that an open source community can do well, and there's a lot of things that it can't. For example, how do you write an invoice? I'm saying that from the perspective of an open source community that is made of volunteers who did the work. How can you ask a [00:32:00] volunteer to do work? How can you tell a customer that it's going to be done at a certain point? And if you start helping companies as open source, aren't you being instrumentalized? So it was getting into this weird place, but people were asking the same questions. They're like, is Tauri right for me? Is the thing that I built secure? How the heck does signing work? And this whole, like, bundler updater thing. And by the way, there's this plugin that we need. And so these questions were coming over and over again. And meanwhile, we'd all been working at other companies. Some of us had paid time to work on Tauri, most of us didn't, and we started to recognize that with the release of the 1.0, the community needed some kind of entity behind this group to make sure that it continued to evolve, and I think that was the inception moment of Crab Nebula, and where we're at now is [00:33:00] it's a pretty clear future roadmap. 
We build tools to empower developers. We create a platform to enable them to ship their apps across the planet without extorting them, and doing so in an open and caring way. And we teach people how all this stuff works, how it fits together. We make them better developers, and along the way we provide consulting to very choice clients, and we'll do a security audit if it's appropriate. We'll see you at conferences and we'll talk to you and help you understand what it is we do. Fantastic. Wow. So it sounds like there's really three arms here of consulting in and around the Tauri ecosystem, as far as I can tell. With teams trying to evaluate, is Tauri right for me. The security audits. I'd like to talk more about that actually in a minute. And the platform that [00:34:00] distributes your app. How did you put it? Across the world without extorting you. I'd love to dive into all of these. Perhaps we can start with the security side of the world. I know that Tauri has a quite rigorous audit process before a release is made, before 1.5, before 2.0, et cetera. What is that? Could you speak a little bit more to the details of that? Because if I think of other open source projects like Lodash or React or Solid, I don't know that they have these audit processes. So I'm curious, for Tauri, what that looks like, and maybe there's things other open source projects can learn in this area. Security is in Tauri's DNA. It's something that was always important to us and it's something we've always worked on providing to the devs building with Tauri. 
And today, the way that this looks is that two of our security engineers at Crab Nebula review every PR before it gets merged into a minor release branch. What that means is, and we've caught some mistakes that we wouldn't have [00:35:00] seen otherwise and would have gotten shipped out. So what we're doing with this minor release, it's an, it's like an internal audit, because they're also members of the working group over at Tauri. So they're employees of Crab Nebula, but they're also members of the working group. This proximity of these two organizations to each other is a little bit what you were speaking to about how we support Tauri. I think that in and of itself is proven with the audit process. With the greater audit process, though, the security engineers at Crab Nebula will be guiding the external audits, making sure that things not only get reviewed appropriately, that they're scoped, that the results are then understood and that findings are resolved and that the resolutions are accepted and that everything gets documented. That's a huge process in and of itself. What I think other communities can do about this: read your own code. Like, that's ultimately what we're [00:36:00] doing. And get other people to read your code. That's the other thing. There's this old saying, you don't QA your own project. If you wrote the code, you're not going to, because you'll oversee it. It's, you don't edit your own text if you're writing a blog article, because you'll oversee the mistakes that you always oversee. And the, before Crab Nebula engineers get involved, the Tauri audit process, that's mostly, that's entirely what I understand to be a community effort, right? It's the open source ecosystem working to make sure everything's copacetic. 
We also get security reports, and we always get them via the security report method. If people report issues, it's no longer a vulnerability because it's exposed. So if you think you've found something relevant to the security of an open source project, don't file an issue, file a security report. Like, that's the biggest advice I have. And yeah. Do I understand correctly also that Crab Nebula security audits, Crab Nebula, given [00:37:00] that you offer consulting and then audit services, is it accurate to say that when you do a security audit and then find maybe some issues, then the consulting arm shows up and says, hey, we can also just fix the security issues we found for you? Is that a service that you'll offer? And I think we might. But generally speaking, our security audits are so thorough that they provide solutions to the problems that they discover, usually with two or three opportunities. And then once the audited code base has been updated, a review will happen at the end. That's amazing. ~Finally, let's, um, as, as we near our conclusion, I can't, we'd be remiss if we didn't talk about this platform, this way of distributing applications globally, um, without extortion. I like that. I like that Um, let's talk about that. What, so what I hear when I. What I see in my mind's eye when I hear something like that is, um, you know, I come from the web world, so I hear web distribution styled, right?~ ~And if I think of web distribution, I think of Cloudflare, Vercel, Netlify, where it's deeply integrated with my website or web app such that I make a commit, I merge a pull request, and instantly My site's deployed everywhere to either an edge network or content delivery network or something like that.~ ~Um, this sounds like a harder problem with native desktop and mobile applications. Um, because there's a signing process involved, there's regulated app stores, etc. 
It's not as wild west as the web can be. Um, so do I understand correctly then that the Crab Nebula platform... Aims to solve that problem specifically.~ ~And if yes, how,~ ~you, I, I mean, I've known you for a while, Tejas, you don't just like merge to main, make a PR and then you get someone to review it and then like somebody else review the thing that somebody reviewed and there's a process there to get something released. And in my experience, the human factor is a really important one.~ ~So through the definition of teams. You are able to make, uh, asset deliverables that can be reviewed based on PR state. And ultimately signed off on for global release. So as a, here's a common example, I've seen this does literally dozens of times. The team has one Mac iOS developer, one windows developer, one Linux developer, one backend developer, one remote database dev and a project manager.~ ~So there's six people involved and you know, they do a bi weekly cadence. So, uh, every second Thursday they're releasing to the public. And, um, on Monday, they kick off the QA process of during, within release week, and they build for Mac, they build for Linux, they build for Windows, and there's a whole test QA suite of things you have to check off to make sure that you got right.~ ~And then. You know, the, the project manager is going to want to check it on, on, on their device to, to make sure that like, they can show it to the boss and be like, yeah, it works boss, you know, and till now you're kind of stuck with either. Um. Building your own cloud environment, which for startups is, come on, you don't have time, you just don't have time.~ ~Uh, a lot of other people are just using GitHub, which is okay in the development process, but you start to get really chunky assets when you're making debug versions and GitHub is not a CDN. Like you don't have an SLA that's going to say, yes, it's always on. 
Um, it might go down for a little while it's happened.~ ~It's pretty stable, but it's not a CDN. And you know, how do you even begin to make sure that your assets are, for example, being delivered to India? Like there's, there's so much that, um, I think GitHub does really well. It learned a lot from NPM. It's learning a lot from Azure. And I think that these platforms are great in and of themselves, but we want to offer this, this, this process that's streamlined for application developers and their users.~ ~Um, and. We, I think we've already achieved planet scale and early, early tests. So, you know, when our customers start lining up in quarter one next year, they're going to be lining up behind the open source community, because we know where we come from and we're looking forward to letting the open source app developers out there.~ ~Test it out, use it for a while, use it forever, use, you know, and what that does is that really helps us get this, this ecosystem of, um, giving back to the community, getting feedback from the community and building a product that people just want to pay for, but not in an extortionist way. That's the plan.~ ~I love hearing that open source developers can just show up and use this platform for distributing native mobile applications, um, without any friction. That's, that's really great. And I love that they're, they get first. priority in the queue. Um, let's, let's call it here. ~Listen, Daniel, it's just an absolute pleasure and honor, privilege to have you come on this podcast and share these things with us, to share with us the roadmap to Tauri 2.0, how Tauri even works, the exciting work with egui and WGPU and all the alternative UI styles. From me and the rest of the podcast, thank you so much. Thanks for having me again. [00:38:00]