|
| 1 | +## General Security Vulnerability Research |
| 2 | + |
| 3 | +Thanks to the Alpha-Omega (Linux Foundation) and Anthropic partnership in [Glasswing](https://www.anthropic.com/glasswing), Adam and Walter are working through using Mythos results to research vulnerabilities in the Rust ecosystem. |
| 4 | + |
| 5 | +## crates.io on Svelte |
| 6 | + |
| 7 | +The port of crates.io from Ember.js to Svelte is nearly complete. Tobias [announced](https://blog.rust-lang.org/inside-rust/2026/04/17/crates-io-svelte-public-testing/) the public user testing phase in April and has been ironing out any remaining small issues. |
| 8 | + |
| 9 | +## Trivy Vulnerability |
| 10 | + |
| 11 | +Aqua Security's Trivy, a very popular open-source vulnerability scanner, was [compromised](https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack) in a large scale supply chain attack. Adam did a scan of the repos for the top 5000 crates (as measured by downloads in the last 90 days), and there was only one that used the compromised Trivy GitHub Actions, and they had excellent hygiene and pinned to specific commits. Consider this a generally good outcome under the circumstances. |
| 12 | + |
| 13 | +## Mirroring Rust Project Goal |
| 14 | + |
| 15 | +There has been [progress](https://rust-lang.zulipchat.com/#narrow/channel/417663-tbd-signing/topic/Project.20Goal.20Status.20-.20March.2C.202026/near/583832601) in the Rust Project [goal](https://rust-lang.github.io/rust-project-goals/2026/mirroring.html) associated with implementing a verifiable mirroring prototype, from `tuf-on-ci` experimentation to Merkle tree research on GCP. |
| 16 | + |
| 17 | +## Infrastructure Security |
| 18 | + |
| 19 | +The Rust Infrastructure Team has [posted](https://blog.rust-lang.org/inside-rust/2026/04/14/infrastructure-team-q1-recap-and-q2-plan/) their Q1 recap and plans for Q2. |
| 20 | + |
| 21 | +We are moving ever closer to major improvements to MFA over Rust Infrastructure. Ubi is working to require hardware security keys to access critical infrastructure and we are planning to pass out the hardware keys in May. |
| 22 | + |
| 23 | +Renovate is the tool that the Rust Project infra team suggests to the Project to keep dependencies and GitHub Actions up-to-date. Marco and Ubi created Renovate [presets](https://github.com/rust-lang/renovate) to simplify the Renovate configurations of the Rust Project repositories. They also [documented](https://forge.rust-lang.org/infra/docs/renovate.html) how to adopt Renovate in repositories. They hope these changes will drive more adoption of Renovate in the organization, with the result of more dependencies being up-to-date, which ensures that the latest security patches are applied in our projects. |
| 24 | + |
| 25 | +Until now, GitHub [merge queues](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/configuring-pull-request-merges/managing-a-merge-queue) were configured manually because you couldn’t configure them via API using branch protections. Ubi and Marco migrated all branch protections using merge queues to rulesets and set up our team API integration to manage the queues based on IaC. |
| 26 | + |
| 27 | +Rust Project members can [now](https://github.com/rust-lang/team/pull/2255) install GitHub Apps in their repositories via the [team](https://github.com/rust-lang/team) repo. This will increase the developer experience of contributors and help the Infrastructure Team detect drifts more easily. |
| 28 | + |
| 29 | +## crates.io sustainability |
| 30 | + |
| 31 | +The Rust Foundation is reviewing ideas for crates.io sustainability with the Rust Project. The ideas are meant to have minimal impact to the individual Rust developer and focus more on enterprise-type features. We hope to have a full review of these ideas complete in the next month or so. |
| 32 | + |
| 33 | +Joel is working with the joint package repository working group to help craft a followup to the [letter](https://openssf.org/blog/2025/09/23/open-infrastructure-is-not-free-a-joint-statement-on-sustainable-stewardship/) around sustainability. |
| 34 | + |
| 35 | +## GDPR Takedown request |
| 36 | + |
| 37 | +The Rust Foundation received its first official GDPR takedown request in April, where a crate publisher wanted all data, including the crate removed in compliance with GDPR. The crate is a dependency for many other crates, so we are working to come up with an amenable policy and response. |
0 commit comments