seanmonstar

Jan 15 2025

2024 in review

I want to go through some highlights of the year. Thanks for coming along for the ride!1

A year of being independent

This was my first entire year of my being an independent open source maintainer. I’m very happy with how it turned out!

I highly appreciate all who sponsor some amount each month, thank you all! It adds up. <3

I’ve found setting up advisor retainers to be very effective: I get to help engineers with private code, the higher context helps prioritize features or fixes that are needed, and the maintenance work that people don’t always want to think about is funded.

I’m hopeful about this next year, and I’ll need your help to continue.

hyper

One of the things I’m most excited about is that in the beginning of the year, we added 3 new collaborators to hyper: @Noah-Kennedy, @dswij, and @tottoto.

More collaborators improve the health of the project, reduces review load, increase diversity of thought, etc. Some ask how they can be become one, so I spent some time writing what a collaborator is in hyper’s contrib docs.

There were 12 releases of hyper, not to mention explorations in hyper-util, and maintenance in dependencies like http, h2, h3, and httparse.

A few of the new features we got this year include support for sending and receiving HTTP/1.1 Trailers, improved connection selection with try_send_request, and a server connection helper with GracefulShutdown.

Wrapping up the year, I updated the roadmap, highlighting our focus after stabilizing v1. One area that’s already started to see improvements are the hyper docs and guides.

reqwest

A lot of cool work was done in reqwest.

v0.12 was the big one, upgrading to hyper v1.0, back in March. But it didn’t end there, reqwest kept getting better and better throughout the year.

An improved timeout option was added, read_timeout, which better matches how many want to detect a broken connection, instead of an entire request deadline.

HTTP/3 support returned, unstable but better, with IPv6 and content-length fixes.

Integration with rustls gained support for the new aws-lc backend, and reqwest gained several cargo feature options to combine it with the various sources of certificate roots.

To go along with that, reqwest also gained support for certificate revocation lists. I’m glad to hear that building rustls with aws-lc is getting easier, I hope to make that the default in reqwest this year.

Near the end of the year, reqwest gained support to inject connector layers, which allow users to customize connection establishment much more than hard coded options.

That last one is actually a taste of what is coming to reqwest. I’ve often mentioned a desire for making reqwest work even more as a stack of middleware, and I have much more of a plan now. Details in another blog post soon!

Security

Maintaining these libraries means keeping them secure. Over the past year, I dealt with various security reports, which are always quite expensive. They require dropping what I am doing, digging in with research, and testing to fully understand the report quickly. Some were determined not an issue, others were bugs that we fixed but not worth yelling about.

One of the more consuming reports was HTTP/2 Continuation Flood. It wasn’t limited to hyper, instead affecting many implementations. hyper was somewhat affected, and we coordinated and got updates out on the coordinated disclosure date. Thanks to the sponsors I was able to do this work.

Podcast

I got to join Allen Wyma on the Rustacean Station again, and we talked about hyper reaching v1, access to advising from a maintainer, middleware, retry storms, and more.

bye curl

Back in 2020, we added support for hyper to be an HTTP backed in curl. It languished at “nearly complete”, and in November I put out a call for a champion to keep it alive.

It seems we as an industry didn’t really want it, so it has now been removed as an option in curl.

But that’s ok. Both projects were improved by the process. I appreciated being able to work with Daniel; he is an excellent maintainer that truly cares about quality.

My focus is more on the audience that wants to write software in Rust. More and more services and tools are popping up everyday that must be fast and secure as they talk to other computers. Teams pick Rust and hyper and its ecosystem to deliver their experiences. I’ll continue to empower them.

Questions to ponder in 2025

I wanted to share a few questions that I’m pondering as I head into 2025. It feels better than pretending to know more definite plans.

  • How can I encourage more collaborators? It’s normal for some to change focus, so we always need more.
  • What would a generic configuration builder look like? I imagine a zero-cost, injectable HList of properties to configure possibly unknown stacks of things. But how?
  • Can std::error ever be good? E: Error, Box<dyn Error>, and anyhow have too many sharp edges exposed.

  1. See some previous yearly reviews: 2023, 2022, 2021

  • #yearly
  • #rust
  • #hyper
  • #open-source
  • #reqwest
  • #curl