This was a prolific engineering month, particularly on the crates.io side, with improvements to the codebase by moving to async/await, additional checks for crate spam and name-squatting, as well as the approach of the finish line for crate deletion.
Tobias and another member of the crates.io team finished the async/await migration of the crates.io codebase this month. All API endpoints and background worker tasks now use asynchronous database queries and asynchronous network calls for sending email, among other things. This unlocks future performance improvements, since the codebase can now take advantage of the pipelining feature of Postgres database connections.
Tobias worked on implementing the "Crate deletion" RFC. He opened a pull request implementing the required API endpoint, and another pull request that introduced a new database table to track previously deleted crates. The latter also allows the crates.io team to delay making crate names available again for re-registration after they have been deleted. Tobias also created a supplemental RFC that focuses only on deleting whole crates rather than individual versions.
In an attempt to make reserved package names available again, Tobias worked on a number of SQL scripts to detect common cases of spam or name-squatting. These scripts helped him discover over 500 crates that had been reserved years ago but never saw any content. After careful individual assessment of these crates, the majority of them were deleted from the registry. A number of crates were also identified as spam and reported.
Work has begun on the implementation of TAP-16 for utilizing TUF for crates.io index signing. Recall that this work allows us to ensure that the size of the crate payload metadata is only minimally increased by the addition of TUF.
A long-standing issue for crates.io was that users could not see which "Rust Edition" a package requires. Tobias added the necessary database column and processing code this month, and adjusted the user interface to show these values. The "Rust Edition" is now also used to infer the "Minimum Supported Rust Version" (MSRV) if it is not set explicitly.
In June/July the crates.io team introduced RSS feeds for publishes on the package registry. This month, Tobias discovered that crate descriptions were not escaped properly. He fixed the issue in the upstream quick-xml and rss packages and then removed the temporary workaround within the crates.io codebase.
Work has begun on MVP test cases for the unified build framework. Recall that Walter and Adam are spinning up an effort to see whether a safer framework can be built that would allow build.rs scripts to be replaced by a unified framework. This would make build.rs scripts more standardized in practice and easier to flag for review, in the same manner as many organizations currently review all unsafe blocks in their dependency graphs.
Work is progressing on creating and implementing official backup accounts for all of Rust and crates.io.
Jon's work on the C++/Rust Interop problem statement and strategy was published to the world in November. It has generally received positive feedback, including calls from people to help, and Jon will begin working on the implementation of that strategy as we head into 2025.
Walter and other TUF RFC authors continue to manage the discussion and comments. The Final Comment Period should begin in the next couple of weeks, at which point the RFC could be accepted and approved.
Adam attended PyConAU and gave his Quantifying Nebraska talk.
The Safety Critical Rust Consortium continues to progress, with meetings of the two subcommittees - Coding Guidelines and Tooling. A full meeting of the consortium is scheduled for February 2025.
Moved the links to these to the README for persistent access.