Regarding using Rust on the web

Suppose I have a lib.rs file and I'm using a function from a module in the mod.rs file, and that function uses another function within the mod.rs file that isn't made public to lib.rs and thus is inaccessible to lib.rs.
What happens if I publish my project to the web? Which files are made public? I'm assuming the whole mod.rs is still accessible since the website still needs to use functions from the mod.rs, or will it only load in the public functions from mod.rs?

I'm using WASM to compile certain functions.

What do you mean by publishing to the web? Do you mean uploading your code to crates.io, or do you mean e.g. compiling to WebAssembly and running in a browser?

Anyway, when you publish your project to crates.io, it uploads everything – there is no way the compiler on another machine could come up with the contents of the private modules by itself, the code has to be there in order for others to compile the code.

Rust's "privacy" is not a security mechanism. It's an abstraction for enforcing safety and good coding practice, it's not at all related to data security, privacy, cryptography, or anything similar.

2 Likes

I'm using WASM and JS. So maybe only the functions being compiled to WASM will be released to the web I'm guessing?
Although if that were the case I wouldn't really understand where the Rust files would be, since it'll still need some other stuff from that.

I am not at all familiar with releasing projects to the actual web. So it also plays a big role in not seeing how it all works.

I don't really follow with that statement. At least for smaller projects I am working on, making everything public wouldn't make my code better, what am I missing?

The Rust files are no more after compilation. What the compiler does is translate the human-readable Rust text (all of it) into something the CPU or the browser can directly execute (i.e., machine code or WASM, respectively). The Rust files can't be run directly, and so when you release your project as an actually running program, they stop being useful. So you have to compile everything, private modules included, and all of the result of the compilation will be published to wherever your app is running.

I'm not saying that you should make everything public; you shouldn't. I'm not sure what you are getting at. What I was saying is if you are trying to hide something secret (e.g. a password or a private key), then "private" modules aren't suitable for that at all, since private modules only affect how the programmer can interact with the module system. If you upload your code somewhere, then "private" modules are perfectly readable too.

2 Likes

So technically my Rust code is exposed, but it's going to be quite a bit harder to read machine code/WASM than plain JS. I assume there's probably some other nifty stuff you can also do to obstruct reverse engineering the code etc.

I meant worse. But again, I don't see it. But that's another question I'll probably get an answer to myself.

Thanks for the reply!

The public or not does not make your code public or not.
The public just means that you can call that function from outside.
You only put public on functions you want to call from outside.
You do not put public on all the little functions in your library, only the functions you want to call from outside.

Reason...
You write documentation for your library, an API.
The API / documentation should have the info for all the public functions only. Then in your library, as you do code changes, you can change the functions that are not public however you want. Change the signature, delete them or whatever. As long as the public functions, the ones documented, do not change their signature, you do not have to change your documentation or API.
But if everything in your library is public then it makes a very large API documentation and difficult to modify your code.

You are not going to be able to hide what your code does. Wasm can be turned into a text format. If it is loaded into a browser then it can be seen. There are developer tools available for all the major browsers.

You can run the algorithms on your server and have the server do the work and just give the result back to the browser if you want to hide what your code does.

2 Likes

Another explanation for you:

Visibility mechanisms in programming languages are only tools to exercise discipline while writing code. Once the program is compiled and running, it's all just bytes*.

2 Likes

The question that you need to consider is: what are you trying to protect?

  • "I don't want other people to use my code" — that's a matter for copyright law and licensing.

  • "I have a secret key/token/password that must not be extracted" — that key needs to stay on servers you control, not be in wasm (or JS) sent to the browser.

  • "I don't want people to know all the rules of the game they're playing" — again, gotta put the rules on the server. Even if you somehow “perfectly obfuscate” your code, if you make the wasm file available at all, people can always run it lots of times in a controlled environment. Obfuscation only stops casual viewers.

If none of those is the thing, tell us what you are trying to protect, and we might have a better suggestion.

5 Likes
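To make the points above concrete (non-`pub` functions are still compiled into the `.wasm`, and a string embedded in it can be read back out), here is an added example that is not code from any post in this thread. It walks the sections of a small hand-constructed WebAssembly module; the module bytes, the export name `check` and the string `constructed-demo-key` are all made up for illustration.

```rust
// Hand-constructed module, not from a real build; the data string is made up.
const SAMPLE: &[u8] = b"\0asm\x01\0\0\0\
\x01\x05\x01\x60\x00\x01\x7f\x03\x03\x02\x00\x00\x05\x03\x01\x00\x01\
\x07\x09\x01\x05check\x00\x01\
\x0a\x0b\x02\x04\x00\x41\x2a\x0b\x04\x00\x10\x00\x0b\
\x0b\x1a\x01\x00\x41\x00\x0b\x14constructed-demo-key";

fn leb(b: &[u8], pos: &mut usize) -> Option<usize> {
    let (mut v, mut shift) = (0usize, 0u32);
    loop {
        let byte = *b.get(*pos)?;
        *pos += 1;
        v |= ((byte & 0x7f) as usize).checked_shl(shift)?;
        if byte & 0x80 == 0 { return Some(v); }
        shift += 7;
    }
}

// Returns (exported names, number of function bodies, printable strings in data).
fn inspect(wasm: &[u8]) -> Option<(Vec<String>, usize, Vec<String>)> {
    if wasm.get(..4)? != b"\0asm" { return None; }
    let (mut exports, mut bodies, mut strings) = (Vec::new(), 0, Vec::new());
    let mut pos = 8; // skip magic and version
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = leb(wasm, &mut pos)?;
        let body = wasm.get(pos..pos.checked_add(size)?)?;
        pos += size;
        let mut p = 0;
        match id {
            7 => for _ in 0..leb(body, &mut p)? { // export section
                let n = leb(body, &mut p)?;
                exports.push(String::from_utf8_lossy(body.get(p..p.checked_add(n)?)?).into_owned());
                p += n + 1; // skip the name and the kind byte
                leb(body, &mut p)?; // skip the export index
            },
            10 => bodies = leb(body, &mut p)?, // code section: number of bodies
            11 => for run in body.split(|c| !(0x20..0x7f).contains(c)) { // data section
                if run.len() >= 4 { strings.push(String::from_utf8_lossy(run).into_owned()); }
            },
            _ => {}
        }
    }
    Some((exports, bodies, strings))
}

fn main() {
    println!("{:?}", inspect(SAMPLE)); // exports, body count, data strings
}
```

The module exports one name but ships two function bodies, and the embedded string comes back verbatim, which is why anything secret has to stay on the server.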

Just curious for now ^^

Extend the now and stay curious forever.

1 Like
