Open Sourcing Ferrocene
ferrous-systems.comConsidering that Ferrocene has been open sourced (or at least, will be) and Adacore announced the (seemingly) closed source GNAT Pro for Rust, it looks to me that maybe the two organizations couldn't agree on a path forward regarding source availability and parted ways. Even this post mentions that the current version of Ferrocene needs to have some "proprietary partner work" scrubbed before a proper open source release can occur.
> Adacore announced the (seemingly) closed source GNAT Pro for Rust
I just wanted to clarify all AdaCore products are open source. Including of course GNAT Pro for Rust.
Ken Thompson talked about compilers potentially injecting code in final programs in his Turing Award lecture [1]. That's why compilers need to be certified in order for the software built by these compilers also receive certification.
It's a great step for Rust!
[1]: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
Reflections on trusting trust is a great paper, but it's not the reason to have certified compilers. There are better steps to build a trust-root for your compiler, for example bootstrapping the rust compiler from source, by either starting out from the early versions or by using mrustc.
Certification aims to solve a different, but maybe related, problem. Essentially "how do we verify that the compiler does what it's supposed to do." At its very basic level, it could be described as formalized qualitiy management. So certifying the rust compiler first involved deriving a sufficiently complete spec from the existing RFCs, deriving the requirements for the compiler from that and then verifying that the compiler upholds that. It also requires describing the verification process, issue managegment handling, etc. We have another blog post describing the qualification process in a little more detail https://ferrous-systems.com/blog/qualifying-rust-without-for...
Disclosure: I'm one of the founders and managing directors at Ferrous Systems
Also, a really cool find in Ferrocene public docs is their "Traceability Matrix" [1].
For every bit in the Ferrocene language specification [2] there's a link to a set of tests that actually confirm the compiler's behavior. Just shows you how much work has been done here.
[1]: https://public-docs.ferrocene.dev/main/qualification/traceab... [2]: https://public-docs.ferrocene.dev/main/specification/index.h...
Automating the generation of this beast from the test runnners output was fun. It's an essential part of the qualification documents.
The best defense against a trusting-trust-attack that I am aware of is Diverse Double-Compilation: https://dwheeler.com/trusting-trust/ It's a simple idea, but can be surprisingly tricky to get exactly the right. Basically, you bootstrap from multiple disconnected and diverse systems and then do pairwise binary comparisons of the bootstrapped program on each of those systems. (This only matters after you've checked the source code itself for Trojans, though)
There's an issue open on the rustc issue tracker that describes what's missing https://github.com/rust-lang/rust/issues/48707 (reproducible builds is the big one)
Big congrats to all the team at Ferrous Systems :D
Disclosure:
My colleagues rock :)
Hopefully the work on Ferrocene can contribute to the standardization of the Rust language.
Tracking issue: https://github.com/rust-lang/rust/issues/113527
This is explicitly a non-goal. Ferrocene considers itself a certified downstream of the rust project and as such we certified the rust compiler as it was at 1.68. There's no effort or push to standardize the language from our side.
As part of the certification efforts, we had to write a spec since some description of the language is required. But this spec is a descriptive spec, describing the intended behavior of the language at that point in time - it's mostly distilled from other forms of documenting rustcs behavior, such as the RFCs etc. If there's a divergence between the spec and the compiler, we'll need to investigate whether we uncovered a bug in the spec or in the compiler.
It's not a complete spec, nor does it intend to be. The format it's written is is useful for the certification and documentation effort, but it doesn't cover large chunks that you'd for example need to write second rust compiler implementation. The spec is likely usefor for others, but its Raison d'Être is to serve as a basis for the certification and as such, it will remain limited in scope.
Is there any high-level description of the downstream changes in ferrocene and a roadmap of which changes could be upstreamed and which would probably "never" be acceptable upstream?
> Is there any high-level description of the downstream changes in ferrocene:
The list of relevant changes to the compiler is the empty set. We wanted to certify the compiler without forking it or restricting the supported language features.
We do build and test some targets to a higher tier level than upstream rust and do have support for custom proprietary targets which the rust project will never support (1), but that makes for a tiny change set. (Measured in literally tens of lines).
Most of Ferrocene is the LTS support and the qualification documentation, both of which upstream has no interest in providing. The documentation also describes our QA process and unless you’ll adopt our procedures, you’ll have to adjust the documentation and then re-certify.
(1) to a large extend because the rust project cannot sign an NDA and support proprietary hardware in its CI.
This is really cool. A really big step forward for the Rust ecosystem. Being able to use Rust in safety critical systems is a big win.
Congrats to everyone involved!
Kudos to the team! I'm almost sad that I'm not working anymore on a Battery Management System, requiring functional safety, as I was considering transitioning from C to Rust and that's how I came to learn about Ferrocene :)
Interesting that they only support x86-64 and aarch64/ARM64.
I would have thought the majority of safety critical systems are on bare-metal ARM32.
On Lobsters, Pietro says
> For the first iteration we wanted to keep the set of supported targets small and focus on obtaining qualification, so 23.06 will include only support for ARMv8-A. Now that we achieved qualification though, we will work to expand support for other architectures and operative systems (including QNX).
and
> The current target is “bare metal” (aka without libstd) ARMv8-A.
Should i use this instead of the normal Rust compiler?
If you don't know that you need this, you don't need this. It's a bit pithy but it's true.