Evaluating the use of a new programming language ~ Rust | by Teri Radichel | Cloud Security | February 2024


Is it safe to use an open source language not directly supported by a vendor?

Whenever I use a new product, service, programming language, or other piece of technology, I look at two things first and foremost. I look at who created it and who maintains it.

I’ve written about this before in relation to supply chain attacks and added a variation of this information to the lab content when I updated the SANS materials for a course on cloud security that I used to teach (originally written by IANS faculty member Dave Shackleford).

Before using open source software, I look at who wrote the software and who maintains it.

If you look at the GitHub repository for any open source software, you can see who created it, who it belongs to, and who actively contributes to the software. I also like to review the software update and review process and think about the potential long-term risks if things change.
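As an added example (not code from this post), here is a Python script that turns a `git log --format='%an|%aI'` author log into the signals the paragraph describes: how concentrated the commits are in one author, how many authors were active in the past year, and how long since the last commit. The log lines are constructed sample data, not from any real repository.

```python
"""Maintainer-concentration check over a git author log (added example)."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample in `git log --format='%an|%aI'` shape (not real project data).
SAMPLE_LOG = """\
alice|2024-01-20T10:00:00+00:00
alice|2024-01-18T09:30:00+00:00
bob|2023-12-01T15:00:00+00:00
alice|2023-11-10T08:00:00+00:00
carol|2022-12-14T12:00:00+00:00
alice|2023-01-05T11:00:00+00:00
"""


def parse_log(text):
    """Return a list of (author, timezone-aware datetime) from author|iso-date lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        author, stamp = line.split("|", 1)
        entries.append((author, datetime.fromisoformat(stamp)))
    return entries


def assess(entries, now_iso, window_days=365):
    """Summarise who contributes and how concentrated the work is.

    now_iso is the evaluation time as an ISO-8601 string with offset.
    """
    now = datetime.fromisoformat(now_iso)
    counts = Counter(author for author, _ in entries)
    total = sum(counts.values())
    top_author, top_n = counts.most_common(1)[0]
    cutoff = now - timedelta(days=window_days)
    recent = {author for author, ts in entries if ts >= cutoff}
    last = max(ts for _, ts in entries)
    return {
        "total_commits": total,
        "distinct_authors": len(counts),
        "top_author": top_author,
        "top_share": top_n / total,          # fraction of commits by the busiest author
        "active_authors": len(recent),       # authors with a commit inside the window
        "days_since_last": (now - last).days,
    }


def single_maintainer_risk(summary, share_threshold=0.6):
    """True when one author carries most of the work (a bus-factor warning)."""
    return summary["top_share"] >= share_threshold
```

On a real checkout, pipe `git log --format='%an|%aI'` into `parse_log` and compare the result against the project's stated governance.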

I was recently wondering whether I wanted to migrate some of what I do to Rust.

So of course the first thing I did was look at who created it.

In 2006, software developer Graydon Hoare started Rust as a personal project while working at Mozilla.

It’s an interesting story and sounds good as far as I’m concerned. Rust was created as a side project by someone working at Mozilla who later worked on Swift at Apple. He is no longer involved in the project.

Who supports the software now? Well, Mozilla continued to support the software after his departure until 2020. During the COVID-19 pandemic, it laid off most of the Rust employees. Unfortunate.

Then a foundation was created to support Rust.
