generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 52
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #440 from JoelMarcey/rust-november2024
Rust Foundation: November 2024 Update
- Loading branch information
Showing
1 changed file
with
57 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,57 @@ | ||
This was a prolific engineering month, particularly on the crates.io side, with improvements to the codebase by moving to `async/await`, additional checks for crate spam and name-squatting, as well as the approach of the finish-line on crates deletion. | ||
|
||
## Engineering | ||
|
||
### async/await now in crates.io | ||
|
||
Tobias and another member of the crates.io team finished the `async/await` migration of the crates.io codebase this month. All API endpoints and background worker tasks are now using asynchronous database queries, and email sending network calls, among other things. This unlocked future performance improvements by now being able to take advantage of the pipelining feature of Postgres database connections. | ||
|
||
### Crate deletions | ||
|
||
Tobias worked on implementing the "Crate deletion" [RFC](https://github.com/rust-lang/rfcs/pull/3660). He opened a pull request implementing the required API endpoint, and another pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they were deleted. Tobias also created a [supplemental RFC](https://github.com/rust-lang/rfcs/pull/3731) to just focus on deleting whole crates instead of versions. | ||
|
||
### Fighting spam and name-squatting in crates | ||
|
||
In an attempt to make reserved package names available again, Tobias worked on a number of SQL scripts to detect common cases of spam or name-squatting. These scripts helped him discover over 500 crates that had been reserved years ago, but never saw any content. After careful individual assessments of these crates, the majority of them were deleted from the registry. Also, a number of crates have been caught to be spam and were reported as well. | ||
|
||
### TAP-16 Implementation for TUF | ||
|
||
Work has begun on the implementation of [TAP-16](https://github.com/theupdateframework/taps/blob/master/tap16.md) for utilizing [TUF](https://theupdateframework.io) for crates.io index signing. Recall, this is work allows us to ensure that the size of the rate payload metadata is only minimally increased with the addition of TUF. | ||
|
||
### Rust Edition tracking | ||
|
||
A long standing issue for crates.io was that users could not see which "Rust Edition" package is required. Tobias added the necessary database column and processing code this month, and adjusted the user interface to show these values. The "Rust Edition" is now also used to infer the "Minimum Supported Rust Version" (MSRV), if it is not set explicitly. | ||
|
||
### crates.io RSS feeds | ||
|
||
In June/July the crates.io team introduced RSS feeds for publishes on the package registry. This month, Tobias discovered that crate descriptions were not escaped properly. He fixed the issue in the upstream `quick-xml` and `rss` packages and then removed the temporary workaround within the crates.io codebase. | ||
|
||
### Build.rs security | ||
|
||
Work has begun on MVP test cases for unified build framework. Recall, Walter and Adam are spinning up an effort to see whether a safer framework can be built that will allow build.rs scripts to be replaced by a unified framework, meaning that build.rs scripts become more standardized in practice and easier to flag for review in the same manner as many organizations currently review all unsafe blocks in their dependency graphs. | ||
|
||
### Backup Accounts | ||
|
||
Work is progressing on creating and implementing official backup accounts for all of Rust and crates.io. | ||
|
||
## Announcements and Community | ||
|
||
### C++/Rust Interop Problem Statement and Strategy Published | ||
|
||
Jon's work on the [C++/Rust Interop problem statement and strategy](https://github.com/rustfoundation/interop-initiative/blob/main/problem-statement.md) was [published to the world](https://foundation.rust-lang.org/news/rust-foundation-releases-problem-statement-on-c-rust-interoperability/) in November. It has generally received positive feedback, including calls from people to help, and Jon will begin working on the implementation of that strategy as we head into 2025. | ||
|
||
### TUF RFC | ||
|
||
Walter and other [TUF RFC](https://github.com/rust-lang/rfcs/pull/3724) authors continue to manage the discussion and comments. The Final Comment Period should begin in the next couple of weeks, at which point, the RFC could be accepted and approved. | ||
|
||
### Quantifying Nebraska in Melbourne | ||
|
||
Adam attended PyConAU and gave his [Quantifying Nebraska](https://2024.pycon.org.au/program/LYLY7H/) talk. | ||
|
||
### Safety Critical Rust Consortium Progress | ||
|
||
The [Safety Critical Rust Consortium](https://github.com/rustfoundation/safety-critical-rust-consortium) continues to progress, with meetings of the two [subcommittees](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee) - [Coding Guidelines](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/coding-guidelines) and [Tooling](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/tooling). A full meeting of the consortium is scheduled for February 2025. | ||
|
||
## Threat Modeling | ||
|
||
Moved the links to these to the [README](./README.md) for persistent access. |