Skip to content

Commit

Permalink
Merge pull request #440 from JoelMarcey/rust-november2024
Browse files Browse the repository at this point in the history
Rust Foundation: November 2024 Update
  • Loading branch information
micmarti85 authored Dec 3, 2024
2 parents 36e244b + 966ef9c commit a8c2929
Showing 1 changed file with 57 additions and 0 deletions.
57 changes: 57 additions & 0 deletions alpha/engagements/2024/Rust Foundation/update-2024-11.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
This was a prolific engineering month, particularly on the crates.io side, with improvements to the codebase by moving to `async/await`, additional checks for crate spam and name-squatting, as well as the approach of the finish-line on crates deletion.

## Engineering

### async/await now in crates.io

Tobias and another member of the crates.io team finished the `async/await` migration of the crates.io codebase this month. All API endpoints and background worker tasks are now using asynchronous database queries, and email sending network calls, among other things. This unlocked future performance improvements by now being able to take advantage of the pipelining feature of Postgres database connections.

### Crate deletions

Tobias worked on implementing the "Crate deletion" [RFC](https://github.com/rust-lang/rfcs/pull/3660). He opened a pull request implementing the required API endpoint, and another pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they were deleted. Tobias also created a [supplemental RFC](https://github.com/rust-lang/rfcs/pull/3731) to just focus on deleting whole crates instead of versions.

### Fighting spam and name-squatting in crates

In an attempt to make reserved package names available again, Tobias worked on a number of SQL scripts to detect common cases of spam or name-squatting. These scripts helped him discover over 500 crates that had been reserved years ago, but never saw any content. After careful individual assessments of these crates, the majority of them were deleted from the registry. Also, a number of crates have been caught to be spam and were reported as well.

### TAP-16 Implementation for TUF

Work has begun on the implementation of [TAP-16](https://github.com/theupdateframework/taps/blob/master/tap16.md) for utilizing [TUF](https://theupdateframework.io) for crates.io index signing. Recall, this is work allows us to ensure that the size of the rate payload metadata is only minimally increased with the addition of TUF.

### Rust Edition tracking

A long standing issue for crates.io was that users could not see which "Rust Edition" package is required. Tobias added the necessary database column and processing code this month, and adjusted the user interface to show these values. The "Rust Edition" is now also used to infer the "Minimum Supported Rust Version" (MSRV), if it is not set explicitly.

### crates.io RSS feeds

In June/July the crates.io team introduced RSS feeds for publishes on the package registry. This month, Tobias discovered that crate descriptions were not escaped properly. He fixed the issue in the upstream `quick-xml` and `rss` packages and then removed the temporary workaround within the crates.io codebase.

### Build.rs security

Work has begun on MVP test cases for unified build framework. Recall, Walter and Adam are spinning up an effort to see whether a safer framework can be built that will allow build.rs scripts to be replaced by a unified framework, meaning that build.rs scripts become more standardized in practice and easier to flag for review in the same manner as many organizations currently review all unsafe blocks in their dependency graphs.

### Backup Accounts

Work is progressing on creating and implementing official backup accounts for all of Rust and crates.io.

## Announcements and Community

### C++/Rust Interop Problem Statement and Strategy Published

Jon's work on the [C++/Rust Interop problem statement and strategy](https://github.com/rustfoundation/interop-initiative/blob/main/problem-statement.md) was [published to the world](https://foundation.rust-lang.org/news/rust-foundation-releases-problem-statement-on-c-rust-interoperability/) in November. It has generally received positive feedback, including calls from people to help, and Jon will begin working on the implementation of that strategy as we head into 2025.

### TUF RFC

Walter and other [TUF RFC](https://github.com/rust-lang/rfcs/pull/3724) authors continue to manage the discussion and comments. The Final Comment Period should begin in the next couple of weeks, at which point, the RFC could be accepted and approved.

### Quantifying Nebraska in Melbourne

Adam attended PyConAU and gave his [Quantifying Nebraska](https://2024.pycon.org.au/program/LYLY7H/) talk.

### Safety Critical Rust Consortium Progress

The [Safety Critical Rust Consortium](https://github.com/rustfoundation/safety-critical-rust-consortium) continues to progress, with meetings of the two [subcommittees](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee) - [Coding Guidelines](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/coding-guidelines) and [Tooling](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/tooling). A full meeting of the consortium is scheduled for February 2025.

## Threat Modeling

Moved the links to these to the [README](./README.md) for persistent access.

0 comments on commit a8c2929

Please sign in to comment.