A bunch of cool engineering feats this month. Walter found nine exposed crates.io tokens and through a security incident process, they were removed with authors notified. We are able to verify that crates actually belong to the repo they say they do. And we have an RFC for crate deletion.
Using a local copy of crates.io, Walter has a process running gitleaks regex scripts to detect exposed credentials. Nine exposed tokens were found and working with Adam through a security incident process, the tokens were removed and the authors associated with those tokens have been notified.
Walter is leading the porting of our security initiative infrastructure from basically local machines into the cloud, specifically Google Cloud Platform (GCP). There is now an active crates mirror where security scans are regularly run with tools like Painter and Typomania. The results of these scans are stored in a neo4J database and elastic search can be used to find specific results.
Tobias wrote and published a crate deletion RFC. This RFC provides crate owners with a mechanism to delete crates from crates.io under certain conditions. The RFC is in discussion, but has a general positive response so far.
After the XZ backdoor vulnerability, we shifted our security initiative focus a bit to focus more on the supply chain side. Adam is working on provenance tracking, verifying that a given crate is actually associated with the repository it claims to be. In addition to catching innocuous mistakes in the crate metadata, this will limit fraudulent crate creators trying to hide their malicious crates behind seemingly valid repos, when, in fact, the code for these crates are actually in unknown repos. Once caught, these crates can be quarantined and deleted using recently implemented admin functionality.
Walter also added a RustSec CVE categorization to Painter to allow the tool to output which CVE types are the most prevalent in the Rust community and to aid future vulnerability response efforts.
The crates.io database was migrated from Heroku Postgres to Crunchy Data Postgres for both cost reduction and efficiency purposes.
An RSS feed is being added to crates.io. The PR creates an RSS feed published at https://static.crates.io/rss/updates.xml. The feed is synced with the database in a background job after every successful publish of a new version. It includes the latest 100 published versions with the crate name, version number, crate description, URL and publish date. The feed is created via https://github.com/rust-syndication/rss.
The Foundation announced a Rust Safety Critical Consortium with nine founding members to focus on encouraging Rust in safety critical applications. Interest in the consortium is abundant and overwhelming, with over twenty more wanting to join or collaborate, and more coming every day. At RustConf, the consortium plans to define a charter and goals, along with a mechanism and process to efficiently add new members to the consortium.
Jon Bauman is our new software engineer lead helping manage our all-important, Google funded Rust/C++ interop initiative. In his first month in the role, Jon has met with more than a dozen people with a vested interest or expertise in interop, and is starting to plan a proposed interop strategy.
Walter has joined the RustSec Advisory team to help review advisories.