Lita 조원경

I thought I provide a counterpoint of what Tauri provides, as we migrated our Electron app to Tauri. As with any technology, everything is just full of tradeoffs. Since Tauri has a rust core, locks, threads, shared runtime memory, and os calls are much more performant than javascript/typescript. We heavily leverage concurreny, as we read and write to files on disk. Using a system language is going to be far more performant when manipliating a filesystem. Tauri is also inherently secure out of the box. Tauri explicitly requires you to grant permissions for the filesystem, network, etc., and lets you scope resources. With Electron, you do have to open a port to communicate with the Node.js runtime, which might be a feature for some people. Tauri uses native bridges and function closures between the webview and Rust core, which is inherently safer than local-network IPC (you can encrypt data between the network calls, but you pay for that in performance) as the data never leaves the runtime. Also, using the OS webview, your app benefits when users update their OS, and the binary is smaller because you do not have to package Chromium separately. But the real reason we migrated: native libraries. Using libgit2 via FFI and jj-lib natively is worth the tradeoff of WebKit bugs. We pass an OAuth2 token at runtime and run git push / git clone under the user's own credentials. Yes, we do face painful WebKit bugs, especially around rendering the text cursor. But we thought that the cross-platform bugs were worth the trade-off of the security benefits. I do believe that you can make an Electron app just as secure by using service workers and iframes. It is more work, and you do give up performance for it. But you can do it. If you want to go deeper, I gave a talk at Git Merge: https://t.co/LrgUJlLNM3 that covers our migration in more detail.