Open Sourcing Ferrocene (opens in new tab)

(ferrous-systems.com)

77 pointspietroalbini2y ago19 comments

19 comments

Considering that Ferrocene has been open sourced (or at least, will be) and Adacore announced the (seemingly) closed source GNAT Pro for Rust, it looks to me that maybe the two organizations couldn't agree on a path forward regarding source availability and parted ways. Even this post mentions that the current version of Ferrocene needs to have some "proprietary partner work" scrubbed before a proper open source release can occur.

brobecke2y ago

> Adacore announced the (seemingly) closed source GNAT Pro for Rust

I just wanted to clarify all AdaCore products are open source. Including of course GNAT Pro for Rust.

andrewl-hn2y ago

Ken Thompson talked about compilers potentially injecting code in final programs in his Turing Award lecture [1]. That's why compilers need to be certified in order for the software built by these compilers also receive certification.

It's a great step for Rust!

[1]: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

Xylakant2y ago

Reflections on trusting trust is a great paper, but it's not the reason to have certified compilers. There are better steps to build a trust-root for your compiler, for example bootstrapping the rust compiler from source, by either starting out from the early versions or by using mrustc.

Certification aims to solve a different, but maybe related, problem. Essentially "how do we verify that the compiler does what it's supposed to do." At its very basic level, it could be described as formalized qualitiy management. So certifying the rust compiler first involved deriving a sufficiently complete spec from the existing RFCs, deriving the requirements for the compiler from that and then verifying that the compiler upholds that. It also requires describing the verification process, issue managegment handling, etc. We have another blog post describing the qualification process in a little more detail https://ferrous-systems.com/blog/qualifying-rust-without-for...

Disclosure: I'm one of the founders and managing directors at Ferrous Systems

andrewl-hn2y ago

Also, a really cool find in Ferrocene public docs is their "Traceability Matrix" [1].

For every bit in the Ferrocene language specification [2] there's a link to a set of tests that actually confirm the compiler's behavior. Just shows you how much work has been done here.

[1]: https://public-docs.ferrocene.dev/main/qualification/traceab... [2]: https://public-docs.ferrocene.dev/main/specification/index.h...

Xylakant2y ago

Automating the generation of this beast from the test runnners output was fun. It's an essential part of the qualification documents.

miloignis2y ago

The best defense against a trusting-trust-attack that I am aware of is Diverse Double-Compilation: https://dwheeler.com/trusting-trust/ It's a simple idea, but can be surprisingly tricky to get exactly the right. Basically, you bootstrap from multiple disconnected and diverse systems and then do pairwise binary comparisons of the bootstrapped program on each of those systems. (This only matters after you've checked the source code itself for Trojans, though)

Xylakant2y ago

There's an issue open on the rustc issue tracker that describes what's missing https://github.com/rust-lang/rust/issues/48707 (reproducible builds is the big one)

miguelraz2y ago

Big congrats to all the team at Ferrous Systems :D

Disclosure:

My colleagues rock :)

thesuperbigfrog2y ago

Hopefully the work on Ferrocene can contribute to the standardization of the Rust language.

Tracking issue: https://github.com/rust-lang/rust/issues/113527

Xylakant2y ago

This is explicitly a non-goal. Ferrocene considers itself a certified downstream of the rust project and as such we certified the rust compiler as it was at 1.68. There's no effort or push to standardize the language from our side.

As part of the certification efforts, we had to write a spec since some description of the language is required. But this spec is a descriptive spec, describing the intended behavior of the language at that point in time - it's mostly distilled from other forms of documenting rustcs behavior, such as the RFCs etc. If there's a divergence between the spec and the compiler, we'll need to investigate whether we uncovered a bug in the spec or in the compiler.

It's not a complete spec, nor does it intend to be. The format it's written is is useful for the certification and documentation effort, but it doesn't cover large chunks that you'd for example need to write second rust compiler implementation. The spec is likely usefor for others, but its Raison d'Être is to serve as a basis for the certification and as such, it will remain limited in scope.

wyldfire2y ago

Is there any high-level description of the downstream changes in ferrocene and a roadmap of which changes could be upstreamed and which would probably "never" be acceptable upstream?

1 more reply

blakesmith2y ago

This is really cool. A really big step forward for the Rust ecosystem. Being able to use Rust in safety critical systems is a big win.

Congrats to everyone involved!

ngrilly2y ago

Kudos to the team! I'm almost sad that I'm not working anymore on a Battery Management System, requiring functional safety, as I was considering transitioning from C to Rust and that's how I came to learn about Ferrocene :)

0xDEF2y ago

Interesting that they only support x86-64 and aarch64/ARM64.

I would have thought the majority of safety critical systems are on bare-metal ARM32.

steveklabnik2y ago

On Lobsters, Pietro says

> For the first iteration we wanted to keep the set of supported targets small and focus on obtaining qualification, so 23.06 will include only support for ARMv8-A. Now that we achieved qualification though, we will work to expand support for other architectures and operative systems (including QNX).

and

> The current target is “bare metal” (aka without libstd) ARMv8-A.

https://lobste.rs/s/pcbjzj/open_sourcing_ferrocene#c_h4fmyo

gorenb2y ago

Should i use this instead of the normal Rust compiler?

steveklabnik2y ago

If you don't know that you need this, you don't need this. It's a bit pithy but it's true.

j / k navigate · click thread line to collapse

19 comments

mbStavola2y ago

brobecke2y ago

> Adacore announced the (seemingly) closed source GNAT Pro for Rust

I just wanted to clarify all AdaCore products are open source. Including of course GNAT Pro for Rust.

andrewl-hn2y ago

It's a great step for Rust!

[1]: https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...

Xylakant2y ago

Disclosure: I'm one of the founders and managing directors at Ferrous Systems

andrewl-hn2y ago

Also, a really cool find in Ferrocene public docs is their "Traceability Matrix" [1].

For every bit in the Ferrocene language specification [2] there's a link to a set of tests that actually confirm the compiler's behavior. Just shows you how much work has been done here.

[1]: https://public-docs.ferrocene.dev/main/qualification/traceab... [2]: https://public-docs.ferrocene.dev/main/specification/index.h...

Xylakant2y ago

Automating the generation of this beast from the test runnners output was fun. It's an essential part of the qualification documents.

miloignis2y ago

Xylakant2y ago

There's an issue open on the rustc issue tracker that describes what's missing https://github.com/rust-lang/rust/issues/48707 (reproducible builds is the big one)

miguelraz2y ago

Big congrats to all the team at Ferrous Systems :D

Disclosure:

My colleagues rock :)

thesuperbigfrog2y ago

Hopefully the work on Ferrocene can contribute to the standardization of the Rust language.

Tracking issue: https://github.com/rust-lang/rust/issues/113527

Xylakant2y ago

wyldfire2y ago

Is there any high-level description of the downstream changes in ferrocene and a roadmap of which changes could be upstreamed and which would probably "never" be acceptable upstream?

1 more reply

blakesmith2y ago

This is really cool. A really big step forward for the Rust ecosystem. Being able to use Rust in safety critical systems is a big win.

Congrats to everyone involved!

ngrilly2y ago

0xDEF2y ago

Interesting that they only support x86-64 and aarch64/ARM64.

I would have thought the majority of safety critical systems are on bare-metal ARM32.

steveklabnik2y ago

On Lobsters, Pietro says

and

> The current target is “bare metal” (aka without libstd) ARMv8-A.