Crate provenance tracking continues with repo verification now being run across the entirety of the crates.io corpus, and a mechanism to delete crates has been approved and is now being implemented.
Crate provenance tracking, verifying that a given crate is actually associated with the repository it claims to be, is now running across the entirety of the crates.io corpus.
The engineering to get this working across all of crates.io has surfaced various issues in underlying Rust libraries, most notably gitoxide, but these are being worked out and results of the entire corpus work should be available soon.
The crate deletion RFC has been approved and merged. Implementation of the RFC details are now beginning. Recall, the purpose of the RFC is to provide crate owners with a mechanism to delete crates from crates.io under certain conditions.
The infra and crates.io teams worked together on https://static.crates.io/archive/version-downloads/, which contains statistics of historic version downloads.
There are two benefits to this:
- Moving this info from the crates.io db to a CSV makes the actual crates database faster.
- People can download this data and analyze crates.io download statistics. (One caveat is that currently the last 90 days are not in CSV, but rather they are in the database)
An effort is spinning up to examine how the Rust ecosystem uses build.rs in practice.
Rust build.rs scripts are used for many different tasks — many of which require duplicated effort between crates, and all of which take place in an unsandboxed environment with full access to the build host. This effort is investigating whether a safer framework can be built that will allow build.rs scripts to be replaced by a unified framework, meaning that build.rs scripts become more standardized in practice and easier to flag for review in the same manner as many organizations currently review all unsafe blocks in their dependency graphs.
The initial C++/Rust Interop problem statement and high-level strategy has been written and has completed an internal review. There are three (3) high-level, concurrent strategies defined, which will serve as a basis for recruiting interested parties for both input and participation. We are striving for a top-down problem-space approach to drive strategic goals into tactical work.
The next step underway is soliciting feedback and revision with key individuals outside the Foundation in preparation for a public release.
RustConf 2024 is taking place from 10 September - 13 September in Montreal, Quebec, Canada.
Some event highlights include:
- Opening remarks from the Foundation Executive Director, Bec Rumbul
- A presentation from Walter Pearce called "Dude, Where's My C?" which discusses statistics of externally-linked code across the crates ecosystem and more.
- The first meeting of the Safety Critical Consortium
You can see what else in store here.