Merged
66 changes: 66 additions & 0 deletions alpha/engagements/2026/Rust Foundation/update-2026-03.md
@@ -0,0 +1,66 @@
The Rust Project goal for implementing an verifiable mirroring prototype has been accepted. There are two Alpha-Omega blog posts now live, one on vulnerability surfacing and the other on Capslock. And there are infra, interop and other updates.

## Vulnerability Surfacing

The vulnerability surfacing [blog post](https://alpha-omega.dev/blog/surfacing-security-advisories-on-crates-io-bringing-vulnerability-data-to-the-point-of-discovery/) for Alpha-Omega was published, detailing all the work that occurred to enable the security tab on crates.io for exposing crate security advisories.

Related work is starting on ensuring the [RustSec Advisory Database](https://rustsec.org) continues to be maintained and updated.

## Capslock

The `cargo capslock` [blog post](https://alpha-omega.dev/blog/measuring-least-privilege-introducing-cargo-capslock/) for Alpha-Omega was published, detailing the progress of implementing Capslock for Rust.

## Other Engineering

### Mirroring Rust Project Goal

After a number of discussions and meetings, the Rust Project [goal](https://rust-lang.github.io/rust-project-goals/2026/mirroring.html) associated with implementing a verifiable mirroring prototype.

The aim is to ship a Minimum Viable Product that provides cryptographically verified mirrors for Rustup and Cargo, specifically targeting high-traffic environments like GitHub Actions (GHA) runners on Azure. By utilizing [The Update Framework (TUF)](https://theupdateframework.io), a secure, multi-key distribution model will be established that reduces infrastructure costs while providing for utilizing TUF as a validating mechanism on the backend transfers for mirroring, while integrating the needed unstable features into Rustup and Cargo for implementation. The goal is to implement a first trial pass of [RFC#3724](https://github.com/rust-lang/rfcs/pull/3724), with modifications, allowing for mirrors of Rust releases and crates to be configurable or automatically utilized by the Rustup toolchain.

### `tar` security incident

Adam, Walter and Tobias worked with members of the Rust Project Security Response Working group to help resolve a security incident in the third-party [`tar` crate](https://crates.io/crates/tar).

The vulnerability, tracked as [CVE-2026-33056](https://www.cve.org/CVERecord?id=CVE-2026-33056), allows a malicious crate to change the permissions on arbitrary directories on the filesystem when Cargo extracts it during a build.

For users of the public crates.io registry, a change was deployed on March 13th to prevent uploading crates exploiting this vulnerability, and all crates ever published were audited, confirming that no crates on crates.io are exploiting this.

### RustSec malware takedown advisory updates

We added a new `malicious` category to RustSec advisories for malware takedowns. This allows downstream users of RustSec advisories to handle the advisories they are interested in more precisely, and also allowed for better rendering of takedown advisories on rustsec.org by making them look less like vulnerability advisories.

We also backfilled three years of malware takedown advisories based on Adam's private notes, and RustSec should now have a complete record back to the start of 2023.

### Infrastructure Updates

The Rust Foundation and Rust Project infrastructure team worked on plenty of security-related items this month.

- Using Google Workspace SSO, centralized access management for critical infrastructure access has been introduced.
- `compiler-builtins` security was improved by (1) enabling renovate to keep the dependencies up to date and (2) resolving security audits detected by zizmor. This was done in preparation for running the RISC-V self-hosted runner in CI in a more secure way.
- All GitHub Actions and Rust dependencies in the `team` repo were updated. This repo is critical because its CI has write access to many GitHub settings across Rust organizations. `renovate` was also enabled, to keep these dependencies up-to-date.
- The websites for RustConf 2024 and 2025 that were being hosted on wpengine have been turned into static websites, deployed via GitHub Pages. This increases performance and security.

### Rust/C++ Interop

There is measurable progress on defining [problem statements](https://github.com/rustfoundation/interop-initiative/tree/main/problem-space) affecting efficient and ergonomic Rust/C++ interop, as part of an official Rust Project [goal](https://rust-lang.github.io/rust-project-goals/2025h2/interop-problem-map.html).

One specific experiment to try to help solve the overloading problem is being [developed](https://github.com/rust-lang/rust/pull/153697).

## Community and Events

### Open Source SecurityCon Europe

Lori Lorusso, Rust Foundation Director of Outreach, gave a case study [talk](https://www.youtube.com/watch?v=PKDqE1REAao) in Cross-Ecosystem Security Response at Open Source SecurityCon Europe

### Talent Arena

Bec Rumbul, Rust Foundation Executive Director, delivered a [talk](https://talentarena.tech/agenda-2026/?e-filter-5cf5700-cpt_type=talk&e-filter-5cf5700-stage=xpro-talks) at Talent Arena on Building the Future in Rust.

### Outreachy

The Rust Foundation is participating in [Outreachy](https://rust-lang.github.io/rust-project-goals/2025h2/interop-problem-map.html), a program that provides internships in open source. We are mentoring projects associated with Rust/C++ interop.

### Rust Project AI Policy Discussion

The Rust Project is trying to work out an appropriate AI policy. Over the past month there has been a lot of discussion and debate on the role AI should play in pull requests, documentation, etc. Walter, Joel and others have weighed in with suggestions and feedback. Stay tuned to see how this all shakes out.
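Review bot: the sentence under "### Mirroring Rust Project Goal" is missing its main verb and never says what happened to the goal: "After a number of discussions and meetings, the Rust Project [goal](...) associated with implementing a verifiable mirroring prototype." Since the opening paragraph already states that the goal "has been accepted", finish the sentence the same way, e.g. "... the Rust Project [goal](...) associated with implementing a verifiable mirroring prototype has been accepted." The Outreachy link under "### Outreachy" also points at the wrong target: it reuses the interop problem-map goal URL (`https://rust-lang.github.io/rust-project-goals/2025h2/interop-problem-map.html`) from the Rust/C++ Interop section rather than anything about Outreachy, so it should be replaced with a link to the Outreachy program itself. Smaller points: "implementing an verifiable mirroring prototype" in the first line should read "a verifiable"; the TUF paragraph is one long run-on ("... reduces infrastructure costs while providing for utilizing TUF as a validating mechanism on the backend transfers for mirroring, while integrating ...") and would be clearer split into the three separate claims (cost reduction, TUF validation of mirror transfers, unstable-feature work in Rustup and Cargo); the Open Source SecurityCon Europe sentence is missing its terminating period; and "Using Google Workspace SSO, centralized access management for critical infrastructure access has been introduced." has a dangling modifier and reads better as "Centralized access management for critical infrastructure has been introduced using Google Workspace SSO."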