|
1 |
+ |
# Credits
|
|
2 |
+ |
|
|
3 |
+ |
Makenotwork is built on top of decades of other people's work — most of it given away free. This page tries to be honest about that.
|
|
4 |
+ |
|
|
5 |
+ |
The platform itself ships under PolyForm Noncommercial 1.0.0. The list below is the visible top of a much larger iceberg: hundreds of transitive dependencies, every one of them maintained by someone, most of them unpaid. We are not going to pretend we wrote any of this from scratch.
|
|
6 |
+ |
|
|
7 |
+ |
---
|
|
8 |
+ |
|
|
9 |
+ |
## The load-bearing pieces
|
|
10 |
+ |
|
|
11 |
+ |
These are the projects without which there would not be a Makenotwork. They earn their own paragraph.
|
|
12 |
+ |
|
|
13 |
+ |
### Tokio
|
|
14 |
+ |
|
|
15 |
+ |
Tokio is the asynchronous runtime that every other Rust dependency on this list assumes exists. When a request arrives, when a scan job is claimed, when a Stripe webhook fires, when an email is queued — that's Tokio scheduling the work onto a small pool of OS threads instead of blocking one per connection. The original design was largely the work of Carl Lerche, and the maintainers have held the core stable for years while everything around it evolved. MIT.
|
|
16 |
+ |
|
|
17 |
+ |
### Axum
|
|
18 |
+ |
|
|
19 |
+ |
Axum is the HTTP framework. Routes, extractors, middleware, the typed request/response pipeline — all axum. It's a thin layer over `tower`, `hyper`, and `tokio`, which means everything composes with the rest of the ecosystem and we never had to invent our own router. Maintained as part of the Tokio project. MIT.
|
|
20 |
+ |
|
|
21 |
+ |
### sqlx
|
|
22 |
+ |
|
|
23 |
+ |
sqlx is the database driver. Every query in this codebase is a `sqlx::query` or `sqlx::query_as`, executed against PostgreSQL with compile-time type checking when we ask for it and runtime checking when we don't. The transaction API is what lets us keep the data model honest under concurrent load. MIT or Apache-2.0.
|
|
24 |
+ |
|
|
25 |
+ |
### PostgreSQL
|
|
26 |
+ |
|
|
27 |
+ |
Not a Rust crate, but the database every sqlx call lands in. PostgreSQL is the single biggest piece of infrastructure we depend on, and it remains free, open-source, and operated by the same global community for almost thirty years. Every uniqueness invariant, every advisory lock, every `ON CONFLICT` clause in this codebase is a small bet that the PostgreSQL team got it right. They have. PostgreSQL License (a permissive variant).
|
|
28 |
+ |
|
|
29 |
+ |
### aws-sdk-s3
|
|
30 |
+ |
|
|
31 |
+ |
Object storage isn't AWS's — we use [Hetzner Object Storage](https://www.hetzner.com/storage/object-storage/) as the actual bucket — but the AWS SDK is the S3 protocol's reference client and works against any S3-compatible endpoint. Presigned URLs, multipart uploads, streaming downloads for scanning. Maintained by AWS. Apache-2.0.
|
|
32 |
+ |
|
|
33 |
+ |
### async-stripe
|
|
34 |
+ |
|
|
35 |
+ |
`async-stripe` is the Rust wrapper around Stripe's API. Checkout sessions, webhooks, Connect onboarding, subscriptions, refunds — all of it. The project is maintained by [Alex Whiting](https://github.com/arlyon) and an active community; the API surface is huge and they keep up with Stripe's release cadence. MIT or Apache-2.0.
|
|
36 |
+ |
|
|
37 |
+ |
### YARA-X (`yara-x`)
|
|
38 |
+ |
|
|
39 |
+ |
YARA-X is the malware-pattern scanner. Every file uploaded to a creator's account passes through a YARA pipeline that runs rules against the file's bytes — defense against EICAR, MZ headers in archives, ELF binaries pretending to be audio, and a long tail of other signatures we'd otherwise have to write from scratch. YARA-X is the Rust rewrite of the classic YARA project; both came out of the VirusTotal team. BSD-3-Clause.
|
|
40 |
+ |
|
|
41 |
+ |
### ClamAV
|
|
42 |
+ |
|
|
43 |
+ |
ClamAV is the second half of the malware scan. We talk to it over its INSTREAM protocol so the file never has to land on disk twice. Open source since 2002, maintained by Cisco Talos. The signature database is updated daily and is the single best reason a small platform can offer creators virus scanning at all. GPL-2.0.
|
|
44 |
+ |
|
|
45 |
+ |
### Askama
|
|
46 |
+ |
|
|
47 |
+ |
Askama compiles templates at build time into Rust code, which means every `{% if %}`, every field name, every helper call is type-checked by the compiler. A typo in a template is a compile error, not a 500. MIT or Apache-2.0.
|
|
48 |
+ |
|
|
49 |
+ |
### git2 / libgit2
|
|
50 |
+ |
|
|
51 |
+ |
Every creator project can be pushed to via SSH, browsed in the dashboard, and served via the smart-HTTP protocol — that's all `git2`, the Rust bindings to libgit2. libgit2 itself is a from-scratch reimplementation of Git's internals maintained as part of the GitHub-led libgit2 project. GPL-2.0 with linking exception.
|
|
52 |
+ |
|
|
53 |
+ |
### Argon2 / webauthn-rs
|
|
54 |
+ |
|
|
55 |
+ |
Passwords are hashed with the Rust `argon2` crate (the OWASP-recommended algorithm and parameters); passkeys go through `webauthn-rs`. The latter is maintained by William Brown of SUSE and tracks the WebAuthn Level 3 spec. Both crates are why we don't have to write our own crypto. MIT or Apache-2.0.
|
|
56 |
+ |
|
|
57 |
+ |
---
|
|
58 |
+ |
|
|
59 |
+ |
## By category
|
|
60 |
+ |
|
|
61 |
+ |
The full direct-dependency tree, grouped by what each one does for us. Licenses noted in parentheses where they're not the standard MIT/Apache-2.0 dual.
|
|
62 |
+ |
|
|
63 |
+ |
**HTTP and middleware**: `axum`, `axum-extra`, `tower`, `tower-http`, `tower-sessions`, `tower-sessions-sqlx-store`, `tower_governor`, `http-body-util`, `utoipa`, `utoipa-axum`.
|
|
64 |
+ |
|
|
65 |
+ |
**Database**: `sqlx` (PostgreSQL driver), `chrono` (timestamps).
|
|
66 |
+ |
|
|
67 |
+ |
**Storage**: `aws-sdk-s3`, `aws-config`, `fs2` (filesystem free-space), `memmap2` (zero-copy file reads), `tempfile`, `bytes`.
|
|
68 |
+ |
|
|
69 |
+ |
**Scanning and binary analysis**: `yara-x`, `infer` (magic-byte sniffing), `object` (executable parsing), `goblin` (PE/ELF/Mach-O), `authenticode` (Authenticode signatures), `apple-codesign` (Mach-O code signatures, MPL-2.0), `zip`, `x509-cert`, `x509-parser`, `asn1-rs`, `const-oid`.
|
|
70 |
+ |
|
|
71 |
+ |
**Payments**: the `async-stripe` family (`async-stripe`, `async-stripe-billing`, `async-stripe-checkout`, `async-stripe-connect`, `async-stripe-core`, `async-stripe-payment`, `async-stripe-product`, `async-stripe-shared`, `async-stripe-types`).
|
|
72 |
+ |
|
|
73 |
+ |
**Auth and crypto**: `argon2`, `webauthn-rs`, `webauthn-rs-proto`, `webauthn-authenticator-rs`, `jsonwebtoken`, `hmac`, `sha1`, `sha2`, `totp-rs`, `chacha20poly1305`, `subtle` (constant-time comparison), `rand`, `zeroize`, `aes`.
|
|
74 |
+ |
|
|
75 |
+ |
**Templating and markup**: `askama`, `pulldown-cmark` (Markdown), `syntect` (syntax highlighting), `ammonia` (HTML sanitization), `regex`, `regex-lite`, `unicode-normalization`.
|
|
76 |
+ |
|
|
77 |
+ |
**HTTP client / outbound**: `reqwest`, `hickory-resolver` (DNS), `webpki-roots`, `rustls-pki-types`, `tokio-rustls`.
|
|
78 |
+ |
|
|
79 |
+ |
**Serialization**: `serde`, `serde_json`, `toml`, `base64`, `hex`, `url`, `urlencoding`, `email_address`, `semver`, `uuid`.
|
|
80 |
+ |
|
|
81 |
+ |
**Async primitives**: `tokio`, `tokio-stream`, `tokio-util`, `async-trait`, `dashmap`, `parking_lot`, `governor` (rate limiting).
|
|
82 |
+ |
|
|
83 |
+ |
**Git**: `git2` (and through it, libgit2).
|
|
84 |
+ |
|
|
85 |
+ |
**Observability**: `tracing`, `tracing-subscriber`, `metrics`, `metrics-exporter-prometheus`, `log`.
|
|
86 |
+ |
|
|
87 |
+ |
**Errors**: `anyhow`, `thiserror`.
|
|
88 |
+ |
|
|
89 |
+ |
**CLI and TUI** (mnw-cli, sando-tui, wam): `clap`, `ratatui`, `crossterm`, `russh`, `russh-sftp`, `dirs`.
|
|
90 |
+ |
|
|
91 |
+ |
**MCP / protocol**: `rmcp` (Model Context Protocol server bindings for the harness tool).
|
|
92 |
+ |
|
|
93 |
+ |
**Testing**: `proptest`, `wiremock`, `tempfile`, `criterion`, `fast-tests`.
|
|
94 |
+ |
|
|
95 |
+ |
---
|
|
96 |
+ |
|
|
97 |
+ |
## Vendors and services
|
|
98 |
+ |
|
|
99 |
+ |
The platform doesn't run on Rust alone.
|
|
100 |
+ |
|
|
101 |
+ |
- **[Hetzner](https://www.hetzner.com/)** — primary cloud provider. The production app server, the backup machine, and the object storage bucket all live in their Falkenstein and Helsinki datacenters. Fair pricing, no egress fees, no surprise lock-in.
|
|
102 |
+ |
- **[Cloudflare](https://www.cloudflare.com/)** — DNS, DDoS protection, and the CDN in front of `makenot.work`. The `CF-Connecting-IP` header is the only header our origin trusts to identify the client.
|
|
103 |
+ |
- **[Caddy](https://caddyserver.com/)** — reverse proxy and automatic TLS at the origin. Every certificate the platform serves is issued and renewed by Caddy talking to Let's Encrypt. Apache-2.0.
|
|
104 |
+ |
- **[PostgreSQL](https://www.postgresql.org/)** — see above.
|
|
105 |
+ |
- **[Stripe](https://stripe.com/)** — payment processing. We do not see card numbers; Stripe does. We do see the 2.9% + $0.30 that comes out of every transaction, which is the only fee a creator pays.
|
|
106 |
+ |
- **[Postmark](https://postmarkapp.com/)** — transactional email. Login notifications, password resets, broadcasts, lockout warnings — Postmark delivers all of them.
|
|
107 |
+ |
- **[Let's Encrypt](https://letsencrypt.org/)** — every TLS certificate. Free, automated, and run as a public benefit by ISRG.
|
|
108 |
+ |
- **[Tailscale](https://tailscale.com/)** — the private network the build machines, the production server, and the developer machines all share. The dev-machine list includes them by name.
|
|
109 |
+ |
|
|
110 |
+ |
---
|
|
111 |
+ |
|
|
112 |
+ |
## Fonts
|
|
113 |
+ |
|
|
114 |
+ |
Three typefaces, all served from Google Fonts.
|
|
115 |
+ |
|
|
116 |
+ |
- **Young Serif** (Bunny Studio) — the brand display face, and the source of the diamond period glyph that doubles as the brand mark. Open Font License.
|
|
117 |
+ |
- **IBM Plex Mono** (IBM) — every code block, every key code, every monospaced UI label. Open Font License.
|
|
118 |
+ |
- **Lato** (Łukasz Dziedzic) — the body face, used for everything that isn't a heading or code. Open Font License.
|
|
119 |
+ |
|
|
120 |
+ |
---
|
|
121 |
+ |
|
|
122 |
+ |
## Standards and specifications
|
|
123 |
+ |
|
|
124 |
+ |
Standards aren't software you can `cargo add`, but they're load-bearing all the same.
|
|
125 |
+ |
|
|
126 |
+ |
- **HTTP/1.1, HTTP/2** (IETF) — every request to the platform.
|
|
127 |
+ |
- **WebAuthn Level 3** (W3C / FIDO Alliance) — passkey login.
|
|
128 |
+ |
- **TOTP** (RFC 6238) — the second factor for accounts that enable 2FA.
|
|
129 |
+ |
- **OAuth 2.0 + PKCE** (IETF) — third-party SyncKit app authorization.
|
|
130 |
+ |
- **S3 API** (AWS) — object storage protocol.
|
|
131 |
+ |
- **YARA rule syntax** (VirusTotal) — the language our malware rules are written in.
|
|
132 |
+ |
|
|
133 |
+ |
---
|
|
134 |
+ |
|
|
135 |
+ |
## A note on transitive dependencies
|
|
136 |
+ |
|
|
137 |
+ |
The list above is the visible top. Every direct dependency drags in more, and those bring in more again, all the way down. The full tree, last time we counted, runs into the high hundreds. We are not going to list them all on this page — that's what `cargo tree` is for — but every single one of those crates was somebody's work, and most of the people who wrote them will never be paid for it. The whole modern software ecosystem rests on people choosing to give away what they've built. That is the deal we benefit from, and it's the deal we try to honor by keeping the platform's own infrastructure tooling open and source-available too.
|
|
138 |
+ |
|
|
139 |
+ |
---
|
|
140 |
+ |
|
|
141 |
+ |
## Did we miss you?
|
|
142 |
+ |
|
|
143 |
+ |
If your project or service is in the list above and we got the description wrong, or if you maintain something we depend on and don't see your name here, email us at `hi@makenot.work` and we'll fix it. The page is regenerated by hand, not scraped, which means we'll occasionally fall behind — sorry in advance.
|