From 6133d78c4064fe6c6d318f176ac9fbb2a9541f40 Mon Sep 17 00:00:00 2001 From: Joel Marcey Date: Wed, 27 Nov 2024 12:44:40 -0800 Subject: [PATCH 1/4] Rust Foundation: November 2024 --- .../2024/Rust Foundation/update-2024-11.md | 53 +++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 alpha/engagements/2024/Rust Foundation/update-2024-11.md diff --git a/alpha/engagements/2024/Rust Foundation/update-2024-11.md b/alpha/engagements/2024/Rust Foundation/update-2024-11.md new file mode 100644 index 00000000..7b02c385 --- /dev/null +++ b/alpha/engagements/2024/Rust Foundation/update-2024-11.md @@ -0,0 +1,53 @@ +This was a prolific engineering month, particularly on the crates.io side, with improvements to the codebase by moving to `async/await`, additional checks for crate spam and name-squatting, as well as the approach of the finish-line on crates deletion. + +## Engineering + +### async/await now in crates.io + +Tobias and another member of the crates.io team finished the `async/await` migration of the crates.io codebase this month. All API endpoints and background worker tasks are now using asynchronous database queries, and email sending network calls, among other things. This unlocked future performance improvements by now being able to take advantage of the pipelining feature of Postgres database connections. + +### Crate deletions + +Tobias worked on implementing the "Crate deletion" [RFC](https://github.com/rust-lang/rfcs/pull/3660). He opened a pull request implementing the required API endpoint, and other pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they were deleted. Tobias also created a [supplemental RFC](https://github.com/rust-lang/rfcs/pull/3731) to just focus on deleting whole crates instead of versions. + +### Fighting spam and name-squatting in crates + +In an attempt to make reserved package names available again, Tobias worked on a number of SQL scripts to detect common cases of spam or name-squatting. These scripts helped him discover over 500 crates that had been reserved years ago, but never saw any content. After careful individual assessments of these crates, the majority of them were deleted from the registry. Also, a number of crates have been caught to be spam and were reported as well. + +### TAP-16 Implementation for TUF + +Work has begun on the implementation of [TAP-16](https://github.com/theupdateframework/taps/blob/master/tap16.md) for utilizing [TUF](https://theupdateframework.io) for crates.io index signing. Recall, this is work allows us to ensure that the size of the rate payload metadata is only minimally increased with the addition of TUF. + +### Rust Edition tracking + +A long standing issue for crates.io was that users could not see which "Rust Edition" package is required. Tobias added the necessary database column and processing code this month, and adjusted the user interface to show these values. The "Rust Edition" is now also used to infer the "Minimum Supported Rust Version" (MSRV), if it is not set explicitly. + +### crates.io RSS feeds + +In June/July the crates.io team introduced RSS feeds for publishes on the package registry. This month, Tobias discovered that crate descriptions were not escaped properly. He fixed the issue in the upstream `quick-xml` and `rss` packages and then removed the temporary workaround within the crates.io codebase. + +### Backup Accounts + +Work is progressing on creating and implementing official backup accounts for all of Rust and crates.io. + +## Announcements and Community + +### C++/Rust Interop Problem Statement and Strategy Published + +Jon's work on the [C++/Rust Interop problem statement and strategy](https://github.com/rustfoundation/interop-initiative/blob/main/problem-statement.md) was [published to the world](https://foundation.rust-lang.org/news/rust-foundation-releases-problem-statement-on-c-rust-interoperability/) in November. It has generally received positive feedback, including calls from people to help, and Jon will begin working on the implementation of that strategy as we head into 2025. + +### TUF RFC + +Walter and other [TUF RFC](https://github.com/rust-lang/rfcs/pull/3724) authors continue to manage the discussion and comments. The Final Comment Period should begin in the next couple of weeks, at which point, the RFC could be accepted and approved. + +### Quantifying Nebraska in Melbourne + +Adam attended PyConAU and gave his [quantifying Nebraska](https://2024.pycon.org.au/program/LYLY7H/) talk. + +### Safety Critical Rust Consortium Progress + +The [Safety Critical Rust Consortium](https://github.com/rustfoundation/safety-critical-rust-consortium) continues to progress, with meetings of the two [subcommittees](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee) - [Coding Guidelines](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/coding-guidelines) and [Tooling](https://github.com/rustfoundation/safety-critical-rust-consortium/tree/main/subcommittee/tooling). A full meeting of the consortium is scheduled for February 2025. + +## Threat Modeling + +Moved the links to these to the [README](./README.md) for persistent access. \ No newline at end of file From b8fca0b3249d756ccff45f43db65528076094ed9 Mon Sep 17 00:00:00 2001 From: Joel Marcey Date: Fri, 29 Nov 2024 08:27:57 -0800 Subject: [PATCH 2/4] Update alpha/engagements/2024/Rust Foundation/update-2024-11.md Co-authored-by: Marco Ieni <11428655+MarcoIeni@users.noreply.github.com> Signed-off-by: Joel Marcey --- alpha/engagements/2024/Rust Foundation/update-2024-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alpha/engagements/2024/Rust Foundation/update-2024-11.md b/alpha/engagements/2024/Rust Foundation/update-2024-11.md index 7b02c385..d84407cb 100644 --- a/alpha/engagements/2024/Rust Foundation/update-2024-11.md +++ b/alpha/engagements/2024/Rust Foundation/update-2024-11.md @@ -8,7 +8,7 @@ Tobias and another member of the crates.io team finished the `async/await` migra ### Crate deletions -Tobias worked on implementing the "Crate deletion" [RFC](https://github.com/rust-lang/rfcs/pull/3660). He opened a pull request implementing the required API endpoint, and other pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they were deleted. Tobias also created a [supplemental RFC](https://github.com/rust-lang/rfcs/pull/3731) to just focus on deleting whole crates instead of versions. +Tobias worked on implementing the "Crate deletion" [RFC](https://github.com/rust-lang/rfcs/pull/3660). He opened a pull request implementing the required API endpoint, and another pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they were deleted. Tobias also created a [supplemental RFC](https://github.com/rust-lang/rfcs/pull/3731) to just focus on deleting whole crates instead of versions. ### Fighting spam and name-squatting in crates From 45ea607f2ae995fc2e025150564ac8e1e60d4354 Mon Sep 17 00:00:00 2001 From: Joel Marcey Date: Fri, 29 Nov 2024 08:28:03 -0800 Subject: [PATCH 3/4] Update alpha/engagements/2024/Rust Foundation/update-2024-11.md Co-authored-by: Adam Harvey Signed-off-by: Joel Marcey --- alpha/engagements/2024/Rust Foundation/update-2024-11.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alpha/engagements/2024/Rust Foundation/update-2024-11.md b/alpha/engagements/2024/Rust Foundation/update-2024-11.md index d84407cb..55243e92 100644 --- a/alpha/engagements/2024/Rust Foundation/update-2024-11.md +++ b/alpha/engagements/2024/Rust Foundation/update-2024-11.md @@ -42,7 +42,7 @@ Walter and other [TUF RFC](https://github.com/rust-lang/rfcs/pull/3724) authors ### Quantifying Nebraska in Melbourne -Adam attended PyConAU and gave his [quantifying Nebraska](https://2024.pycon.org.au/program/LYLY7H/) talk. +Adam attended PyConAU and gave his [Quantifying Nebraska](https://2024.pycon.org.au/program/LYLY7H/) talk. ### Safety Critical Rust Consortium Progress From 966ef9c098f25795c2aa03d5dd479f66e9b145d5 Mon Sep 17 00:00:00 2001 From: Joel Marcey Date: Fri, 29 Nov 2024 12:21:49 -0800 Subject: [PATCH 4/4] Update update-2024-11.md Signed-off-by: Joel Marcey --- alpha/engagements/2024/Rust Foundation/update-2024-11.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/alpha/engagements/2024/Rust Foundation/update-2024-11.md b/alpha/engagements/2024/Rust Foundation/update-2024-11.md index 55243e92..e1e57b44 100644 --- a/alpha/engagements/2024/Rust Foundation/update-2024-11.md +++ b/alpha/engagements/2024/Rust Foundation/update-2024-11.md @@ -26,6 +26,10 @@ A long standing issue for crates.io was that users could not see which "Rust Edi In June/July the crates.io team introduced RSS feeds for publishes on the package registry. This month, Tobias discovered that crate descriptions were not escaped properly. He fixed the issue in the upstream `quick-xml` and `rss` packages and then removed the temporary workaround within the crates.io codebase. +### Build.rs security + +Work has begun on MVP test cases for unified build framework. Recall, Walter and Adam are spinning up an effort to see whether a safer framework can be built that will allow build.rs scripts to be replaced by a unified framework, meaning that build.rs scripts become more standardized in practice and easier to flag for review in the same manner as many organizations currently review all unsafe blocks in their dependency graphs. + ### Backup Accounts Work is progressing on creating and implementing official backup accounts for all of Rust and crates.io. @@ -50,4 +54,4 @@ The [Safety Critical Rust Consortium](https://github.com/rustfoundation/safety-c ## Threat Modeling -Moved the links to these to the [README](./README.md) for persistent access. \ No newline at end of file +Moved the links to these to the [README](./README.md) for persistent access.