Linux Dev on Rust, OSS and Rewriting SQLite

TL;DR

Rust-for-Linux conflict is driven by unclear expectations about Rust’s scope in the kernel, patch/build requirements, and acceptable development churn.

Briefing Cornell Notes

Briefing

Rust’s future in the Linux kernel hinges less on a generational “attrition” plan and more on whether Rust can prove itself in the hardest, most failure-prone parts of the system—especially drivers—while the community figures out what “good Rust-in-kernel” looks like. Globber, CEO of Turso and a longtime Linux core contributor, describes the current Rust-for-Linux friction as a lack of shared expectations: whether Rust should live inside core kernel modules or act as a boundary layer, whether patches must keep Rust builds green, and how much churn is acceptable. That ambiguity has fueled confusion, harsh mailing-list debates, and resignations—yet he argues the chaos is also familiar to Linux, where organic evolution often beats top-down planning.

In his view, Linux’s culture is both the problem and the reason Rust can succeed. The kernel community runs on intense scrutiny: patches get hammered by thousands of eyes, and maintainers often demand sweeping changes rather than accepting “small” submissions. That directness can be exhausting and drives some contributors away, but it also functions like a brutal continuous integration system—bugs get found quickly, and ideas that survive the conflict tend to be genuinely useful. He compares the current Rust debate to past “viscerally opposed” directions in Linux that later became mainstream, citing virtualization and async system calls as examples of ideas that looked unacceptable at first but eventually won acceptance once they demonstrated value.

Rust’s strategic opening, he says, is not to rewrite everything immediately, but to improve the margins where C code quality is weakest: device drivers. Drivers often lack the kind of real-world testing that core subsystems receive, because only small numbers of people run those hardware paths. That environment can leave “substandard” code to persist. Rust-for-Linux contributors, in his telling, are aiming to use Rust’s safety properties to raise the baseline in those areas—starting where memory safety matters most and where incremental wins can accumulate.

The conversation then pivots to Turso’s work rewriting SQLite into Rust (Limbo) and how that effort mirrors the Linux community’s creative model. Globber criticizes SQLite’s development model as “open source but not open contribution,” maintained by a small group with a proprietary test suite that limits external verification. Turso forked SQLite (LibSQL) to enable community contributions, but the fork’s architecture and testing constraints made deeper changes hard. By December 2024, the rewrite could read SQLite databases correctly, and the project’s public momentum accelerated sharply: thousands of GitHub stars and dozens of contributors, with people joining specifically for the “blank canvas” of a full rewrite.

Quality is the central requirement, and the rewrite’s differentiator is deterministic simulation testing. Instead of relying on a traditional monolithic test suite, the approach uses a simulator plus fuzzing to control nondeterminism (timing, IO, interrupts) and reproduce failures exactly. Property testing checks invariants like database integrity; when corruption appears, the simulator’s determinism lets developers trace the precise sequence of faulty IO interactions that caused it. He argues this can replace the “mythical” SQLite test suite by making rare, timing-dependent bugs reproducible and fixable quickly.

Finally, he connects this engineering philosophy to LLMs: LLMs can accelerate boring or laborious coding tasks and help with ideation, but maintainers must still scrutinize outputs. The best use is asking an LLM to generate code for a specific task while humans remain responsible for correctness, architecture, and testing—much like Linux maintainers do when reviewing contributions from the broader world.

Cornell Notes

Rust’s kernel prospects depend on resolving unclear expectations about how Rust should integrate with Linux’s C-heavy development process, and on proving Rust in the areas where C code is most fragile—especially drivers. Globber argues Linux’s harsh, organic review culture is a feature: intense scrutiny acts like continuous integration, and past “impossible” ideas (like virtualization and async system calls) eventually became mainstream once they delivered results. Turso’s Limbo rewrite of SQLite aims to recreate SQLite’s reliability while enabling open contribution, moving beyond a fork when proprietary testing and architectural entanglement made foundational changes difficult. The rewrite’s quality strategy centers on deterministic simulation testing with fuzzing and property checks, so failures caused by nondeterministic IO/timing can be reproduced exactly. LLMs are framed as accelerators for code generation and ideation, but humans must remain in the driver’s seat for review and correctness.

Why is Rust-for-Linux facing so much conflict, and what does that conflict look like in practice?

The friction comes from no shared, definitive expectations about Rust’s role in the kernel. Contributors debate whether Rust should be allowed inside core modules or used only as a proxy outside, whether Rust builds must succeed for patches to land, and whether Rust builds are allowed to break while development continues. That ambiguity shows up in mailing-list threads as confusion and fighting, contributing to resignations.

What does Globber think is the best “entry point” for Rust in the kernel?

He points to drivers. Drivers often have weaker real-world testing because only a small subset of hardware is widely exercised, and maintainers may not fully understand every device’s behavior. That environment can leave memory-unsafe or lower-quality C code to persist. Rust’s safety properties can improve those margins without needing an immediate rewrite of core subsystems.

How does Linux’s review culture both harm and help engineering outcomes?

It can be harsh enough to burn people out, but it also functions like an extreme CI pipeline. Thousands of maintainers and reviewers scrutinize patches, often responding quickly with targeted criticism—sometimes demanding broader rewrites than the original patch scope. Globber argues that ideas that survive this process tend to be valuable, and that opposition often fades once results are demonstrated.

Why did Turso move from a LibSQL fork toward a full SQLite rewrite?

The fork (LibSQL) made foundational changes difficult because SQLite’s architecture has cross-boundary coupling and because the original SQLite test suite is proprietary, limiting external verification. As the team tried to add features and adjust core behavior, the rewrite became attractive as a “blank canvas” where they could design for maintainability and community contribution from the start.

What is deterministic simulation testing, and how does it help find bugs that normal testing misses?

The method pairs a simulator with fuzzing and property testing. The simulator abstracts nondeterministic elements—IO timing, interrupts, event ordering—so that when a bug triggers, the exact sequence of steps can be reproduced deterministically. Property tests encode invariants (e.g., database integrity checks), and when they fail, the simulator provides a precise trace to diagnose whether corruption came from partial writes, OS behavior, or off-by-one/pointer issues.

How should LLMs be used in database development according to Globber?

Use LLMs to generate code or accelerate laborious tasks, but don’t blindly import the output. The maintainer role still matters: humans must scrutinize correctness, architecture, and testing. He compares the risk to copying lecture material without understanding; the value comes when humans direct the task and then engage with the results.

Review Questions

What specific uncertainties about Rust’s integration into the Linux kernel are described as fueling conflict, and why do they matter for patch acceptance?
How does deterministic simulation testing differ from traditional unit testing, and what role do property checks and fuzzing play in making failures reproducible?
Why does Globber argue that drivers are a particularly promising starting point for Rust in the kernel?

Key Points

1
Rust-for-Linux conflict is driven by unclear expectations about Rust’s scope in the kernel, patch/build requirements, and acceptable development churn.
2
Drivers are viewed as the highest-leverage entry point for Rust because they often receive less real-world testing and can contain lower-quality C code.
3
Linux’s harsh, highly scrutinized review culture can burn out contributors but also acts like continuous integration that quickly surfaces bugs and forces useful improvements.
4
Turso’s SQLite rewrite (Limbo) aims to preserve SQLite-grade reliability while enabling open contribution, moving beyond a fork when proprietary testing and architectural coupling limited deeper change.
5
Deterministic simulation testing uses a simulator to control nondeterminism (IO/timing/interrupts) so fuzz-found failures can be reproduced exactly and fixed faster.
6
Property testing plus simulator determinism helps diagnose integrity failures by tracing the precise IO interactions that lead to corruption.
7
LLMs can speed up code generation and ideation, but maintainers must remain responsible for review, correctness, and test strategy rather than copying output blindly.

Highlights

Rust’s kernel integration is stuck on practical questions—where Rust should live, how strictly Rust builds gate patches, and how much churn is acceptable—rather than on a single technical blocker.

Drivers are singled out as the most promising Rust target because limited hardware access can leave unsafe or low-quality C code unchallenged.

Turso’s Limbo rewrite grows a community by offering a “blank canvas,” but quality is enforced through deterministic simulation testing with fuzzing and property checks.

Deterministic simulation testing targets the hardest bugs: those caused by nondeterministic IO and timing, making failures reproducible step-by-step.

LLMs are framed as accelerators for maintainer-directed work—useful for generating code and exploring ideas, but not a substitute for human scrutiny.

Topics

Rust for Linux
Deterministic Simulation Testing
SQLite Rewrite
LibSQL Fork
LLMs in Databases

Mentioned

Turso
LibSQL
SQLite
Sila
Data Dog
GCC
Claude
Neoim
Tiger Beetle
Tokyo
S3
Limbo
Globber
Linus Torvalds
Andrew Morton
Pekka
Peter ZustrA
Yens Expo
Greg Kroah-Hartman
Justin
Mitchie Richie
Eric
TJ
Code Girl
Brian
OSS
CI
LLMs
IO
S3
CRUD