This is a joint effort between folks in the Rust Project and the Rust Foundation to enable signing of Rust releases for rustup to verify, and signing of crates.io indexes for Cargo to verify. This will make it possible for us to have verified mirrors of both, which helps us in many different ways:
- People behind restrictive firewalls (including country-wide firewalls) will be able to have verified mirrors that are fast and reliable.
- CI systems and other build infrastructure can have mirrors that are fast and local, and save huge amounts of bandwidth for Rust infrastructure.
Supply chain security is essential to allow Rust to be used for critical infrastructure and replace legacy code.
Just as Rust has been a game changer in producing memory-safe and concurrency-safe software, securing the Rust supply chain and ecosystem will also be a game changer for Rust adoption.