The Tor Browser, a heavily modified version of the Firefox browser with many privacy-enhancing features, will include more code written in the Rust programming language.
Tor Project developers have first proposed featuring more Rust code in 2014, but the proposal never got anywhere.
Rust, which is a programming language developed by Mozilla, is a safer version of C++ that makes it more difficult for developers to accidentally introduce memory corruption errors in their code.
Mozilla started shipping its first Rust-based components in Firefox in the summer of 2016, and the programming language is expected to take a dominant role in Firefox development, eventually replacing most of its ancient C and C++ code.
Since Firefox versions featuring more and more Rust code started coming out of Mozilla's HQ, it was only a matter of time since the Tor Project had to address the issue.
In a meeting held last week in Amsterdam, Tor developers got together and decided what would happen to the Tor Browser in the future.
The decision was to slowly start using Rust to replace the C++ code they used on top of the Firefox codebase.
"We didn't fight about Rust or Go or modern C++. Instead, we focused on identifying goals for migrating Tor to a memory-safe language, and how to get there," said Sebastian Hahn, Tor developer. "With that frame of reference, Rust emerged as a extremely strong candidate for the incremental improvement style that we considered necessary."
As Tor developers get acquainted and learn to use Rust, the percentage of Rust code in the Tor Browser will also grow. Other plans include:
Define conventions for the API boundary between Rust and C
Add a non-trivial Rust API and deploy with a flag to optionally use (to test support with a safe fallback)
Learn from similar projects
Add automated tooling for Rust, such as linting and testing
"Part of our interest in using safer languages like [Rust] in Tor is [because] a tiny mistake in C could have real consequences for real people," said Tor developer Isis Agora Lovecruft on Twitter, regarding the Project's decision to choose Rust.
"A tipping point in our conversation around 'which safe language' is the Tor Browser team needs Rust because more & more Firefox is in Rust," she added. "Also the barrier to entry for contributing to large OSS projects written in C is insanely high."
Go, which is also another memory-safe language, was briefly considered as an alternative during the meeting. A modern version of the C++ programming language, C++11, was also discussed.