

Rust's Annual Tech Report: Trusted Publishing for Packages and a C++/Rust Interop Strategy (rustfoundation.org)
Thursday saw the release of Rust 1.89.0.
But this week the Rust Foundation also released its second comprehensive annual technology report.
A Rust Foundation announcement shares some highlights:
- Trusted Publishing [GitHub Actions authentication using cryptographically signed tokens] fully launched on crates.io, enhancing supply chain security and streamlining workflows for maintainers.
- Major progress on crate signing infrastructure using The Update Framework (TUF), including three full repository implementations and stakeholder consensus.
- Integration of the Ferrocene Language Specification (FLS) into the Rust Project, marking a critical step toward a formal Rust language specification [and "laying the groundwork for broader safety certification and formal tooling."]
- 75% reduction in CI infrastructure costs while maintaining contributor workflow stability. ["All Rust repositories are now managed through Infrastructure-as-Code, improving maintainability and security."]
- Expansion of the Safety-Critical Rust Consortium, with multiple international meetings and advances on coding guidelines aligned with safety standards like MISRA. ["The consortium is developing practical coding guidelines, aligned tooling, and reference materials to support regulated industries — including automotive, aerospace, and medical devices — adopting Rust."]
- Direct engagement with ISO C++ standards bodies and collaborative Rust-C++ exploration... The Foundation finalized its strategic roadmap, participated in ISO WG21 meetings, and initiated cross-language tooling and documentation planning. These efforts aim to unlock Rust adoption across legacy C++ environments without sacrificing safety.
The Rust Foundation also acknowledges continued funding from OpenSSF's Alpha-Omega Project and "generous infrastructure donations from organizations like AWS, GitHub, and Mullvad VPN" to the Foundation's Security Initiative, which enabled advances like including GitHub Secret Scanning and automated incident response to "Trusted Publishing" and the integration of vulnerability-surfacing capabilities into crates.io.
There was another announcement this week. In November AWS and the Rust Foundation crowdsourced "an effort to verify the Rust standard library" — and it's now resulted in a new formal verification tool called "Efficient SMT-based Context-Bounded Model Checker" (or ESBMC):
This winning contribution adds ESBMC — a state-of-the-art bounded model checker — to the suite of tools used to analyze and verify Rust's standard library. By integrating through Goto-Transcoder, they enabled ESBMC to operate seamlessly in the Rust verification workflow, significantly expanding the scope and flexibility of verification efforts...
This achievement builds on years of ongoing collaboration across the Rust and formal verification communities... The collaboration has since expanded. In addition to verifying the Rust standard library, the team is exploring the use of formal methods to validate automated C-to-Rust translations, with support from AWS. This direction, highlighted by AWS Senior Principal Scientist Baris Coskun and celebrated by the ESBMC team in a recent LinkedIn post, represents an exciting new frontier for Rust safety and verification tooling.
Another reminder (Score:2)
Instead they threw their money away on who knows what.
Re: (Score:2)
We know exactly what they spent their money on. Not on software, but on various social programs that having to do with their core mission.
Re: (Score:2)
A list of side projects that were killed. https://killedbymozilla.com/