Rust Foundation Update: August 2024

alpha/engagements/2024/Rust Foundation/update-2024-08.md

@@ -0,0 +1,55 @@
+Crate provenance tracking continues with repo verification now being run across the entirety of the crates.io corpus, and a mechanism to delete crates has been approved and is now being implemented.
+
+## Engineering
+
+### Crate repo verification
+
+[Crate provenance](https://lawngno.me/blog/2024/06/10/divine-provenance.html) tracking, verifying that a given crate is actually associated with the repository it claims to be, is now running across the *entirety of the crates.io corpus*.
+
+The engineering to get this working across all of crates.io has surfaced various issues in underlying Rust libraries, most notably `gitoxide`, but these are being worked out and results of the entire corpus work should be available soon.
+
+### Deleting crates approved
+
+The crate deletion [RFC](https://github.com/rust-lang/rfcs/pull/3660) has been approved and merged. Implementation of the RFC details are now beginning. Recall, the purpose of the RFC is to provide crate owners with a mechanism to delete crates from crates.io under certain [conditions](https://github.com/Turbo87/rust-rfcs/blob/crates-io/crate-deletions/text/3660-crates-io-crate-deletions.md#proposal).
+
+### Crate version downloads
+
+The infra and crates.io teams worked together on https://static.crates.io/archive/version-downloads/, which contains statistics of historic version downloads. 
+
+There are two benefits to this:
+
+1. Moving this info from the crates.io db to a CSV makes the actual crates database faster.
+2. People can download this data and analyze crates.io download statistics. (One caveat is that currently the last 90 days are not in CSV, but rather they are in the database)
+
+### Build.rs security
+
+An effort is spinning up to examine how the Rust ecosystem uses build.rs in practice.
+
+Rust build.rs scripts are used for many different tasks — many of which require duplicated effort between crates, and all of which take place in an unsandboxed environment with full access to the build host. This effort is investigating whether a safer framework can be built that will allow build.rs scripts to be replaced by a unified framework, meaning that build.rs scripts become more standardized in practice and easier to flag for review in the same manner as many organizations currently review all `unsafe` blocks in their dependency graphs.
+
+## Announcements and Community
+
+### C++/Rust Interop Progress
+
+The initial C++/Rust Interop problem statement and high-level strategy has been written and has completed an internal review. There are three (3) high-level, concurrent strategies defined, which will serve as a basis for recruiting interested parties for both input and participation. We are striving for a top-down problem-space approach to drive strategic goals into tactical work.
+
+The next step underway is soliciting feedback and revision with key individuals outside the Foundation in preparation for a public release.
+
+### RustConf 2024
+
+[RustConf 2024](https://rustconf.com/) is taking place from 10 September - 13 September in Montreal, Quebec, Canada.
+
+Some event highlights include:
+
+- Opening remarks from the Foundation Executive Director, Bec Rumbul
+- A presentation from Walter Pearce called "Dude, Where's My C?" which discusses statistics of externally-linked code across the crates ecosystem and more.
+- The first meeting of the [Safety Critical Consortium](https://foundation.rust-lang.org/news/announcing-the-safety-critical-rust-consortium/)
+
+You can see what else in store [here](https://foundation.rust-lang.org/news/what-s-in-store-at-rustconf-2024/).
+
+## Threat Modeling
+
+1. **Crates ecosystem**: [Published](https://drive.google.com/file/d/1YxpJ0W5eqat2Y3ZfbdwKm_AoNhX3hIj_/)
+2. **Rust Infrastructure**: [Published](https://docs.google.com/document/d/10Qlf8lk7VbpWhA0wHqJj4syYuUVr8rkGVM-k2qkb0QE/)
+3. **crates.io**: [Published](https://docs.google.com/document/d/1krEL8zccid44ojS2vqxH4HRCD-bPzC7tLfcDhc5QekI/)
+4. **Rust Project**: [Published](https://docs.google.com/document/d/1kpUUYekiiZRARk_EDQ7merBLmwp301yCE28MkQH-x8k/)