Rust Dora Metrics: High Demand, Smooth Deployments, But Can They Handle the Pressure?
6 min read
For years, cyber attackers have taken advantage of vulnerabilities caused by a lack of “memory safety” in software. To tackle this issue at its core, major players like Google and Microsoft are turning to Rust in droves.
Google, in particular, has made great strides in eliminating these vulnerabilities, thanks in large part to code written in Rust, which is designed to be memory-safe. However, as Rust continues to gain traction, its maintainers are facing burnout and overwhelming workloads. This raises a pressing question: how long can this momentum last before it all comes crashing down?
To understand how the Rust repo is handling the pressure from this large number of influx from top businesses, we had to analyze their engineering pipeline’s Dora Metrics using Middleware Open Source.
Make sure to subscribe to our newsletter for exclusive case studies and more!
Our Key Findings
Rust Hits a Home Run in Deployment Frequency.
Rust maintained a solid deployment frequency score with 94, 51, and 124 releases in the months of June, July, and August 2024. However, some of these PRs, around 72, 37, 77 requests respectively in the past three months were merged and deployed without proper review. So, is Rust sacrificing quality to push new releases under the pressure of ongoing demands?
Let’s dig deeper…
Also read: Deno Dora Metrics: Setting the Standard for Deployment Frequency and Lead Time
Rust Repo Struggles with Cycle Time
The Open-Source - Rust repo struggles with Cycle Time.
In June, it was 242 hours,
In July, it was 213 hours
In September, it was 173
The cycle time did show a declining trend over the three months, still, it was way above the mark set by the 2023 State of DevOps Report. The breach in the cycle time is because of issues in their first response, rework, and merge times.
First Response Time: In June, it was 82 hours which fell to 63 hours in July which further fell to 35 hours in August.
Merge Time: Similarly, the merge times were 12 hours, 25 hours, and 19 hours in June, July, and August.
Rework Time: Their rework time was 22 hours in June, 47 hours in July, and 32 hours in August 2024. The rework time points to the need for iterative bug fixes and improvements.
Also read: React Native's CI/CD Unveiled: The Truth Behind Its Cycle Time Triumphs and Stumbles
Issues That Are Slowing Down Rust Repo
1. Pressure to Push New Features and Constant Bug Fixes
The OpenSource - Rust repo mainly deals with feature development and bug fixes. The contributions are driven by both core team members and a vibrant community of external contributors. The hustle to push significant features and bug fixes on time affected their cycle time.
2. High Demand from Private & Government Sectors
Rust is riding a huge wave of popularity in the tech world, and it’s not just the big-name companies getting in on the action. The U.S. government is also making some serious moves to adopt Rust, thanks to its solid reputation for memory safety and security.
Take DARPA, for instance—the Defense Department’s advanced research wing just kicked off a project called TRACTOR (Translating All C TO Rust).
The aim?
To speed up the modernization of old software by converting legacy C code—known for its memory safety headaches—into Rust.
Even the White House Office of the National Cyber Director is on board, pushing for Rust to help build a more secure IT future. With support from different branches of the government, Rust is solidifying its place as the go-to language for cybersecurity and safe coding practices, making it a key player in updating and securing critical systems.
3. Pressures and Burnouts
That being said, it really ramps up the pressure on the community to keep churning out new features and squashing bugs to meet the sky-high expectations of these big players. Sure, it’s nice to have all that attention, but it can also create a ton of stress, and that pressure might just lead to some hiccups in their engineering pipeline.
Also the expectation to meet these high demands comes at the expense of burnouts of experienced maintainers, says Senior Engineer, Jynn Nelson, former Rust Contributor.
He pointed out that those who take on more tasks are rewarded by the community with even more work, leading to a vicious cycle. Nelson warns, experience maintainers are stuck in the loop of “it won’t get done if i don’t do it” and “i need to review everything or stuff will slip through” which causes burnout from Rust. Back in April, the "BatBadBut" vulnerability sent shockwaves through the project, putting Windows users at risk. But what happens if an unexpected issue compromises entire kernel components? And if the Rust community is burned out, who will be there to fix it?
Finding answers to these questions is key to solving the slowdown in their engineering pipeline.
Game Plan for Getting Through This
Thorough Documentation: One key recommendation for the Rust team is to create comprehensive documentation, not just for technical issues, but also for managing burnout. Having resources in place to address mental well-being can be as important as solving coding problems.
Leverage the Large Community: With a community of over 5,000 contributors, Rust has a huge pool of talent to tap into. The team should expand mentorship programs, create more training guides, and actively encourage the community to get involved in the build and review processes. This can help distribute the workload and prevent burnout.
Automate and Streamline CI/CD: Automation is critical for maintaining efficiency. By optimizing CI/CD pipelines, the team can speed up testing, deployment, and feedback loops, leading to faster releases and fewer manual bottlenecks.
Collaborative Development: A more collaborative development process should be fostered, allowing the community to provide diverse insights and participate in rapid iteration cycles. More minds on the problem means faster solutions and better quality code.
Improve Merge Efficiency: Lastly, focusing on reducing merge delays can greatly improve the overall cycle time, ensuring that code moves from development to production without unnecessary holdups.
Rust Dora Metrics: High Demand, Smooth Deployments, But Can They Handle the Pressure?
As Rust continues to dominate critical software systems, particularly in areas like cybersecurity and infrastructure, tackling internal challenges becomes increasingly important. With major players like Google and Microsoft adopting Rust, the language's role in modern software development is only set to expand.
However, this rising demand puts a lot of pressure on the core team and maintainers, leading to issues like burnout, overwhelming workloads, and potential delays in updates and bug fixes.
For Rust to remain a reliable tool, it’s essential to address these challenges proactively. That means finding ways to ease the burden on maintainers, scaling up the community's involvement, and ensuring robust processes for development and support.
If these internal hurdles aren't handled, Rust's growth could stall, or worse, it could risk stability issues in the very systems it was designed to secure. In a world where technology moves at lightning speed, a programming language’s long-term success hinges on not just its technical advantages but also the health and sustainability of its development ecosystem.
If you're also facing challenges in your engineering productivity then we’d really encourage you to give a shot at Dora metrics using Middleware Open Source.
You could follow this guide to analyze your team or write to our team at productivity@middlewarehq.com with your questions and we’ll be happy to generate a suggestion study for your repo — free!
Make sure to subscribe to the newsletter for exclusive case studies and more!
Trivia
In 2021, the Rust Foundation was established to support the ongoing development and maintenance of the language, as well as to foster a vibrant community around it.