The primary highlight of March is the continued discussion around the PKI RFC. There are a lot of varied and passionate opinions, and we are trying to decide the best path forward to ensure that we can meet the security needs of the ecosystem while taking the valuable feedback into account.
The PKI RFC is the first of a series for a PKI model for Rust. It includes the design and implementation for a PKI CA and a resilient Quorum model for the project to implement, and next steps for signing across the project. Crate and release signing will follow in a subsequent separate RFC.
The discussion on this RFC has been active for about a month now, and there is not yet a consensus on the path forward. The key sticking point seems to be whether a PKI is the right way to go at all; with a better problem statement, we may be able to answer that question.
Walter, in coordination with members of the Rust Project, is working on an ancillary RFC around signing. This should be published in the next month.
CDN log-based crate download counting has been running in production for weeks now. Some minor tweaks are still needed, but generally this allows cargo to download crates directly from static.crates.io, which means that if crates.io has issues the downloads will keep working, and the whole system will scale a lot better than before.
A blog post was published describing the changes.
Adam continues to work on adding crates.io admin functionality. A recent PR adds a concept of "sudo mode" for admins logged into crates.io. Actions that require admin privileges will be disabled by default unless the admin explicitly turns on admin actions from the user menu, at which point they will be given privileges for six hours or until they disable admin actions again from the user menu.
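The "sudo mode" described above is a time-boxed privilege elevation: admin privileges are off by default, an explicit opt-in grants them for six hours, and an opt-out ends the window early. The following is an added illustration of that check, written for this page; it is not crates.io's own code, and the `AdminSession` type, its methods and `delete_crate` are assumed names chosen for the example.

```rust
use std::time::{Duration, SystemTime};

/// How long an explicit opt-in to admin actions stays valid (six hours, as the page states).
pub const ADMIN_SESSION_TTL: Duration = Duration::from_secs(6 * 60 * 60);

/// Hypothetical session state for a logged-in crates.io admin (assumed type, not crates.io's).
#[derive(Debug, Default)]
pub struct AdminSession {
    /// Whether the account holds the admin role at all.
    pub is_admin: bool,
    /// When the current opt-in expires; `None` means admin actions are off (the default).
    admin_actions_until: Option<SystemTime>,
}

impl AdminSession {
    pub fn new(is_admin: bool) -> Self {
        Self { is_admin, admin_actions_until: None }
    }

    /// Explicit opt-in from the user menu: opens a six-hour window.
    /// Non-admin accounts cannot opt in, so the role check happens here as well.
    pub fn enable_admin_actions(&mut self, now: SystemTime) -> Result<(), &'static str> {
        if !self.is_admin {
            return Err("account does not hold the admin role");
        }
        self.admin_actions_until = Some(now + ADMIN_SESSION_TTL);
        Ok(())
    }

    /// Explicit opt-out from the user menu: ends the window early.
    pub fn disable_admin_actions(&mut self) {
        self.admin_actions_until = None;
    }

    /// The check every privileged handler runs: admin role AND an unexpired opt-in.
    /// The expiry is compared against the caller-supplied clock so it is testable.
    pub fn admin_actions_enabled(&self, now: SystemTime) -> bool {
        self.is_admin
            && self
                .admin_actions_until
                .map_or(false, |until| now < until)
    }
}

/// Example privileged action guarded by the check (assumed function, for illustration).
pub fn delete_crate(
    session: &AdminSession,
    crate_name: &str,
    now: SystemTime,
) -> Result<String, String> {
    if !session.admin_actions_enabled(now) {
        return Err(format!(
            "refusing to delete `{crate_name}`: admin actions are not enabled for this session"
        ));
    }
    Ok(format!("deleted `{crate_name}`"))
}

fn main() {
    let now = SystemTime::now();
    let mut session = AdminSession::new(true);
    println!("{:?}", delete_crate(&session, "example-crate", now)); // Err: not enabled by default
    session.enable_admin_actions(now).unwrap();
    println!("{:?}", delete_crate(&session, "example-crate", now)); // Ok within the window
    session.disable_admin_actions();
    println!("{:?}", delete_crate(&session, "example-crate", now)); // Err again after opt-out
}
```

The design point is that the privileged handler never trusts the admin role alone: it requires a live, explicitly opened window, so an admin account that is compromised or left logged in cannot perform destructive actions without a fresh, deliberate opt-in.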
With the user functionality and the ability to delete crates, about 95% of the rapid response scenarios are now covered.
- Crates ecosystem: Published
- Rust Infrastructure: Published
- crates.io: Published
- Rust Project: Published
Most of the Rust Foundation staff went to Rust Nation in London the last week of March. Jan David (JD) Nose gave a presentation entitled "Rust Infrastructure: What it takes to keep Rust running", which basically describes how the Foundation and Project work together to ensure we can keep the lights on given Rust's massive growth.
Some of the Rust Foundation staff will be attending Open Source Summit North America in Seattle in April, along with the co-located SOSS Community Day. Joel will be doing a TTX session around security scenarios.