It's time for the third installment of 2023 in my Rust Foundation Quarterly Update series!
The details in the post below cover the Rust Foundation staff team's activities in July, August, and September of 2023. I hope this series continues to give the Rust community and our collaborators insight into our operations, and paints a picture of the Rust Foundation's goals and accomplishments for the entire year.
HR & Administration
During Q3, we began identifying how we would work with the Rust Specification Working Group and how we would collaborate to develop the forthcoming Rust language specification -- an upcoming workstream made possible through funding from Huawei and AWS. The Rust Foundation's Director of Technology, Joel Marcey, will be leading on that from our side.
The Foundation worked with the Rust Project’s Leadership Council as they developed their process for electing new Project Directors. We provided input to the Leadership Council draft process plans and provided legal and governance advice as needed. This process ultimately resulted in the election of three excellent new Project Directors, which we will report on soon.
With the end of 2023 quickly approaching, we dedicated time in Q3 to reviewing our current internal structure, our capacity, and our needs for 2024. In the Q4 recap, we will share a general overview of relevant takeaways from these reviews, primarily related to our goal-setting work for the next 12 months.
Finance & Legal
In Q3, we completed several important tasks required by the Internal Revenue Service. We collated data for our Form 990 submission — a document that serves as the IRS' primary tool for gathering information about tax-exempt organisations such as ours. We also formally filed Form 1024 after initial provisional acceptance by the IRS. This form is used by organisations seeking tax-exempt status under the IRS and focuses on organisations' structure, governance, and operations.
We were pleased to welcome the following new Silver Members to the Foundation in Q3: Filecoin Foundation, Helsing, JetBrains, and TurboFish. Due to schedule conflicts, we have not yet been able to formally announce Filecoin Foundation or JetBrains via our blog, but we look forward to doing so in Q4. We are in the process of changing our announcement protocol for new members and look forward to entering 2024 with an announcement style that's fit for our current cadence.
Unfortunately, we received non-renewal notifications from Platinum Member JFrog and Silver Members Matter Labs and Toyota in Q3. We know times are tough financially, and we are grateful to these former members for their contributions to the Rust Foundation during their time with us.
We continued developing our membership acquisition programme in July, August, and September — a project that includes identifying high-priority membership targets/connections to those targets through our networks, and conducting outreach. We hope that forthcoming Rust Foundation Members will be interested in joining for the 2024 budget year, so Q4 is a critical period to pursue high-potential targets. We are hard at work on this!
As I have expressed in previous updates, the Rust Foundation relies on membership fees to support the infrastructure costs of the Rust programming language, to provide on-call support, to fund our security and critical engineering work, and to keep the Foundation operational as the legal steward and guardian of Rust. If you know of any organisations that may like to join, we would love to hear from you!
Technology & Infrastructure
Q3 was a banner quarter for both of our primary strategic initiatives: Rust ecosystem security and infrastructure efficiency.
We released our first Security Initiative Progress Report in July, which details the work and accomplishments that occurred over the first six months of the initiative. Highlights from this report include the release of the Foundation’s first technical open source project, Painter. Painter provides a comprehensive call graph database of dependencies and invocations among and between all crates in the crates.io ecosystem, so that if there is a vulnerability in one crate, we can know what other crates may be affected. The crates ecosystem threat model (also developed under our Security Initiative) was made public. This threat model details potential ways crates could be attacked, along with mitigation strategies. The latest updates on much of the security initiative work can be found in the monthly updates provided to OpenSSF’s Alpha-Omega, who are generously helping fund the Foundation’s Security Initiative.
In Q3, the Rust Foundation, the Rust Project, and Phylum (a software supply chain security company) worked together to respond to a typo-squatting attack, where the malicious crate sent tokens and keys to a Telegram channel. There were blog posts from both the Rust Project and Phylum detailing the situation and response. The Foundation, through the Security Initiative, is exploring some potential engineering efforts to help with malware detection. We look forward to sharing more when we have an update.
In Q3 Rust infrastructure news, our joint usage of Fastly and AWS (for both Rust releases and crates from crates.io) worked well. We saw 95% of crates and 50% of the Rust release requests being delivered via Fastly infrastructure through their Fast Forward program. We continued to see a relative downward trend of AWS bandwidth usage because of the addition of Fastly to our infrastructure repertoire. Despite these positive developments, given Rust's rapid growth, the Foundation anticipates bandwidth needs in aggregate to continue to increase into 2024 and beyond. Fastly, AWS, and Azure have all kindly and generously committed in-kind infrastructure into 2024 to help us try to meet this growth demand and continue initiatives like our Cloud Compute Program.
The Rust Foundation Technology Team also added two new platforms to help with analyzing both our infrastructure usage and our security health. After a three-month proof of concept period, we signed an agreement with DataDog to use their platform to monitor services across our diverse set of providers. In the end, this should be close to cost-neutral for us while also providing a rich set of capabilities as we try to understand where we can be more efficient. Wiz graciously provided us with an in-kind contribution to their platform so that we can monitor and analyze potential security risks in our infrastructure.
Finally, here is a quick look at some of the other fantastic achievements of our Technology Team in Q3:
- Our second technical open source project was just published. Typomania attempts to mitigate the practice of typo-squatting. This project was announced shortly after our first technical open source project, Painter.
- Crate signing is an important part of a holistic security strategy for the Rust ecosystem. A crate signing public key infrastructure (PKI) RFC is being drafted.
- Smoke testing automation was implemented in response to broken crates.io downloads.
- Jan David Nose, lead infrastructure engineer at the Rust Foundation, is now a Rust Project infrastructure team lead. Congratulations, JD!
Communications & Marketing
July, August, and September were as busy as ever for communications and marketing at the Foundation!
As mentioned in the Technology & Infrastructure update above, we reached a notable content and news milestone by publishing our first Security Initiative Report, which details the first six months of Rust ecosystem security progress and innovation being carried out by our team. We intend to publish a new installment in the Security Initiative Report series every six months, in which we will catalogue the efforts and contributions to security in the Rust language ecosystem carried out by the Rust Foundation Technology Team (in collaboration with leaders in the Rust Project). This report was published on July 27 while Rebecca was attending the Open Source Congress event in Geneva and was well-received by a number of her fellow open source governance leaders attending the event.
The Security Initiative Report also resulted in five positive earned and organic media stories (listed below). We are grateful to Joel Marcey, Walter Pearce, Adam Harvey, Jan David Nose, and Tobias Bieniek for their leadership and contributions to the work outlined in this publication.
In addition to the Security Initiative Report and several new member announcements (linked in "Membership" above), other publication highlights include:
- The 2023 Rust Foundation Fellow announcement
- Our speakers and schedule for our inaugural Rust Global event with the Linux Foundation
- A three-month update on the excellent work carried out by crates.io engineer Tobias Bieniek
- A short interview with Lars Bergstrom (Director of Engineering at Google for Android Platform Programming Languages and Chair of the Rust Foundation Board of Directors) about Google’s adoption journey with Rust
- The announcement of our Associate Membership with OpenSSF. This news was also shared onstage at OpenSSF Day Europe just before I took the stage to deliver a keynote on collaboratively developing security in the open.
In Q2, we were invited by the Linux Foundation to host a Rust-focused event co-located with WasmCon in Bellevue, Washington. In Q3, we used this opportunity to pilot our new event brand, “Rust Global”, which aims to gather business and government leaders with Rust advocates and enthusiasts for productive conversations about the future of the Rust programming language. The initial feedback we have received about Rust Global has been positive and we look forward to delivering future events under this umbrella to communities across the world that are often underserved by the larger Rust ecosystem.
Nearly our entire staff team attended RustConf in Albuquerque, New Mexico in September, which the Foundation sponsored. We had productive conversations with community members at our booth and met with several promising member prospects in attendance. In addition to our financial support as the Diamond Sponsor, the Rust Foundation donated Gracie Gregory’s time to RustConf to assist with social media duties and Sage Griffin’s time in their role as Communities Advocate. Infrastructure Engineer Jan David Nose delivered a talk on Rust infrastructure and community scaling and Communities Advocate Sage Griffin shared a talk about the purpose and value of the Rust Foundation. Congratulations to Sage for their significant role in organising another successful RustConf!
Finally, we made a great deal of progress on the Rust Foundation’s forthcoming website relaunch in July, August, and September. While this project is ongoing and takes a significant amount of time to execute properly, we are confident in the trajectory of the rebuild and saw meaningful progress in Q3 after months of preparatory work. The basic site design is now complete, as is a full component library with which to build the pages of our new website. We can't wait to share it with you!
Foundation, Language, & Member Media Highlights:
- Rust programming language progress report: New threat modeling, tools bolster supply chain security - ReversingLabs
- Rust Foundation outlines many improvements to the language’s security structure - SDTimes
- Google, Microsoft Take Refuge in Rust Language's Better Security - DarkReading
- Rust Takes Its Place At Work - i-programmer
- The Rust programming language is growing in popularity - TechSpot
- Rust Foundation leads security enhancement drive in programming ecosystem - SiliconANGLE
- Open Source Needs Maintainers. But How Can They Get Paid? - The New Stack
- Threat modeling and the supply chain: An essential tool for managing risk across the SDLC - Security Boulevard
- Rust fact vs. fiction: 5 Insights from Google's Rust journey in 2022 - Google Open Source blog (with joint promotion on our blog)
Community Grants Program
As mentioned, we were thrilled to welcome our latest round of Rust Foundation Fellows in August. These grantees have since been on-boarded and we look forward to amplifying their fantastic work in the months ahead.
In Q3, we also began conducting a review of the grants program to date. We will broadcast any substantive changes to the program based on this review soon.
We look forward to bringing you the final quarterly update of 2023 in December. You can find past Rust Foundation Quarterly Updates here.
If you have any questions about the contents of this report, don’t hesitate to contact us at email@example.com. If you are interested in joining the Rust Foundation as a member, please email us at firstname.lastname@example.org.