generated from ossf/project-template
-
Notifications
You must be signed in to change notification settings - Fork 49
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #399 from JoelMarcey/rust-july2024
Rust Foundation: July 2024 Update
- Loading branch information
Showing
1 changed file
with
48 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,48 @@ | ||
| There has been continued progress on verifying the repos that crates say they are associated with. We are also nearly complete on moving our security to the cloud in order to have more consistent runs, analysis and data. | ||
|
|
||
| ## Engineering | ||
|
|
||
| ### Crate repo verification progress | ||
|
|
||
| Adam has continued working on [provenance](https://lawngno.me/blog/2024/06/10/divine-provenance.html) tracking, verifying that a given crate is actually associated with the repository it claims to be. He has now analyzed the top 5000 crates by download count and has found no obvious red flags. Verification now infers commits based on tag data if the crate file was packaged without VCS info. This finds more mismatches as a result, but they’re all innocent — build artifacts, swap files, etc. Up next is to analyze the entire crates.io corpus. | ||
|
|
||
| ### Crate deletion RFC | ||
|
|
||
| The crate deletion [RFC](https://github.com/rust-lang/rfcs/pull/3660) is close to moving into FCP now. Recall, Tobias wrote this RFC to provide crate owners with a mechanism to delete crates from crates.io under certain [conditions](https://github.com/Turbo87/rust-rfcs/blob/crates-io/crate-deletions/text/3660-crates-io-crate-deletions.md#proposal). | ||
|
|
||
| ### crates.io lib/bin detection | ||
|
|
||
| Tobias backfilled `lib/bin` information for existing crate releases. The `has_lib` and `bin_names` columns in the crates.io database have been backfilled (see [conversation](https://rust-lang.zulipchat.com/#narrow/stream/318791-t-crates-io/topic/lib.2Fbin.20detection)). For example, https://crates.io/crates/ripgrep finally shows `cargo install` now. | ||
|
|
||
| ### Crate specific RSS feed | ||
|
|
||
| Thanks to Tobias, there are now [crate-specific RSS feeds](https://github.com/rust-lang/crates.io/pull/9064). You can subscribe to get all the details on the specific crates you are interested in. RSS feeds per crate are published at https://static.crates.io/rss/crates/{name}.xml. The feeds are synced with the database in a background job after every successful publish of the corresponding crate. It includes the latest 10 releases of the crate, but at least all releases within the last 24 hours. | ||
|
|
||
| ### Signing RFC Update | ||
|
|
||
| Walter, along with other Rust Project members, are nearly complete in drafting the wording to convert the existing [Public Key Infrastructure (PKI) RFC](https://github.com/rust-lang/rfcs/pull/3579) to use TUF, which should alleviate many of the commented concerns. | ||
|
|
||
| ## Announcements and Community | ||
|
|
||
| ### New Infrastructure Engineer on Staff | ||
|
|
||
| We are pleased to [announce](https://foundation.rust-lang.org/news/welcoming-infrastructure-engineer-marco-ieni-to-the-rust-foundation-team/) that Marco Ieni has joined the Rust Foundation as the newest member of our engineering team! Marco joins the Rust Foundation as its second Infrastructure Engineer, providing much-needed support to the Rust project and its infrastructure. As a member of the engineering team, Marco will ensure that the infrastructure supporting Rust and related projects is reliable, efficient, productive, and secure. He will be responsible for the operations of all current and future infrastructure, managing existing tools and new developments while working directly with the Rust Project Infrastructure team in their daily activities. | ||
|
|
||
| ### Sustainability Efforts | ||
|
|
||
| Adam continues to focus on project sustainability, focusing on repo and maintainer information. Adam gave a Python specific version of his [Quantifying Nebraska talk](https://www.youtube.com/watch?v=QMHpy_mcx0Q) at [North Bay Python](https://pretalx.northbaypython.org/nbpy-2024/talk/9EXJ7T/). He is developing tooling around this. | ||
|
|
||
| ### Development of crates.io update | ||
|
|
||
| Tobias [published](https://blog.rust-lang.org/2024/07/29/crates-io-development-update.html) an update of the development progress of crates.io. | ||
|
|
||
| ### RustConf in September | ||
|
|
||
| [RustConf](https://rustconf.com/) is approaching. 10-13 September in Montreal. There is still time to register. | ||
|
|
||
| ## Threat Modeling | ||
|
|
||
| 1. **Crates ecosystem**: [Published](https://drive.google.com/file/d/1YxpJ0W5eqat2Y3ZfbdwKm_AoNhX3hIj_/) | ||
| 2. **Rust Infrastructure**: [Published](https://docs.google.com/document/d/10Qlf8lk7VbpWhA0wHqJj4syYuUVr8rkGVM-k2qkb0QE/) | ||
| 3. **crates.io**: [Published](https://docs.google.com/document/d/1krEL8zccid44ojS2vqxH4HRCD-bPzC7tLfcDhc5QekI/) | ||
| 4. **Rust Project**: [Published](https://docs.google.com/document/d/1kpUUYekiiZRARk_EDQ7merBLmwp301yCE28MkQH-x8k/) |