> Ferrocene goes beyond the compiler in keeping all aspects of the software being built in mind, particularly the distribution, traceability and use of own or foreign libraries. We’re committed to providing secure, auditable distribution channels for these toolchain updates. Active communication of issues to clients and helping with fixes rounds up the package.
Does this mean they're going to have a curated subset of crates they'll be willing to vouch for? Cool if true, but sounds like a very significant amount of work.
Undoubtedly, and having a compliant compiler without being able to use any external crates would certainly be a major downer, so I'm sure they've thought this through and done their market research.
I imagine they will want to provide/audit all the dependencies of rust toolchain which is already hundreds(?) of crates. It probably isn't much extra work to offer the same crates as some sort of platform.
I guess some sectors care about having a compiler that conforms to some sort of ISO standards. This doesn't really tell me what that means but I know that I'm not the target.
I'd like to clarify a little here: There's an ISO certifiation in here - but it's not an ISO standard for the language.
Essentially, the ISO 26262 certification mostly verifies that the compiler release process conforms to a certain standard. It does not create an ISO standard for rust, not does it aim to. At part of the certification process we had to write a spec for the rust language, but it is a descriptive spec of how certain aspects of the rust language behave for one specific release of the compiler.
The certification builds on this to ensure that tests catch deviations between spec and implementation, known problems are documented etc. So rust as a language is unaffected, as is the rust project. The spec is open source and might be useful to others, you can find it at https://spec.ferrocene.dev/
The target sectors for ISO 26262 and related industrial certification are clearly sectors that require such certification: automotive, medical, etc.
Ferrocene itself however, is not only the ISO certified downstream of the rust compiler, it also offers for example long term support and tracking of known issues which the rust project does not provide. This is also important for certain applications that do not strictly require certifications.
Disclosure: I'm one of the founders of Ferrous Systems, but I'm only involved in the Ferrocene project on a moderately high level, so forgive minor technical inaccuracies :)
> Essentially, the ISO 26262 certification mostly verifies that the compiler release process conforms to a certain standard. It does not create an ISO standard for rust, not does it aim to.
Sorry for a stupid question, but what does this mean?
Is it only that Rust itself (the language) is no use
in a certification, but rather a specific compiler version? I.e. basically leading to the same outcome in the end.
Or does this mean to not get the hopes up (right now) for using Rust in a ISO26262 certified project?
Not your parent, and haven't worked directly in these areas, but this is my understanding.
"certification" is something that is done to a process that produces a software artifact.
So yes, in some sense it is "particular compiler version." The result of certification says "this compiler will do this when given this, and here is how we ensure that that is true, and here's the process for when that's not true, etc etc etc." Users can then use that specific compiler.
> I.e. basically leading to the same outcome in the end.
The difference is pretty important. Getting this certification does not require that the abstract concept of the Rust language is being specified in any specific way. It does require that a specific inputs to the compiler are described, and because compatibility with upstream Rust is desired, those specific inputs happen to map to inputs to rustc that are identical, but it is important to understand that this can happen completely independently of what the Rust Project decides is best for the language; this is a downstream project.
In theory, if the Rust project wanted a specification, starting with some of the work Ferrocene has done would be an option. But the qualification process doesn't require that.
> Or does this mean to not get the hopes up (right now) for using Rust in a ISO26262 certified project?
The opposite, this means you can use Rust in these places. Even though this work does not specify Rust.
> The difference is pretty important. Getting this certification does not require that the abstract concept of the Rust language is being specified in any specific way.
Sorry, I was being vague.
I meant the outcome for "us", the users, creating certified software relying on Ferrocene.
Totally on board with that there is a huge difference for certifying Ferrocene itself.
> The opposite, this means you can use Rust in these places. Even though this work does not specify Rust.
Nice, that's what I was hoping for. We are currently in a project creating safety certified software (in C, as are our other code) and are curiously looking at Rust, partly because of this effort.
The main page for Ferrocene says "ISO 26262 and IEC 61508 qualified" with "DO-178C, ISO 21434, and IEC 62278 in the future," so depending on exactly which things you need, Ferrocene may work, but it also may not.
Usually, it means that there's a whole lot of paperwork done to say "This specific version of the compiler can run on that specific combination of hardware" with extra things like "if you try to do A, B, or C it will break this or that way, so don't do it".
Note that it doesn't have to be a separate version with patches - it may as well be a recent stable release of Rust. But the paperwork has to be created just fro this release. And these standards require a team to spend months and months documenting everything. That's why having it all done by a vendor like Ferrous Systems is attractive: once the work is done adapting it to some other "compiler version + hardware" combination will take a lot less time.
> it may as well be a recent stable release of Rust.
It essentially is, we're pretty open about this. There's a tiny patchset that's required to enable some guarantees (literally a handful of patches), none of them of interest to the upstream project. Every major change has been contributed upstream. Even the spec that was built as part of the effort is open source.
> There's a tiny patchset that's required to enable some guarantees (literally a handful of patches), none of them of interest to the upstream project.
Do you perhaps have a link where we could see those patches? Purely for curiosity's sake.
No, for mostly organizational reasons this lives in a private repo that we can't easily grant access to. I'll take that on my list of things that we should consider, but we're pretty busy right now - so no promises.
The standards mentioned in the article seem to be required to deploy rust code as part of safety critical systems in cars and other industrial applications. This might be a big deal to get rust code into cars but I’m just guessing
It means you can use it in certain safety critical applications, and works as a proof of some extra verification work compared to a non-certified piece of software. Probably most of it you only care about if you need that specific standard for your specific application due to some regulations, but also if you want to have a greater than normal level of confidence that it will work as expected.
I get that it means that, I meant it doesn't tell me what getting that certification entails - someone else mentioned it involves things like tests to ensure certain behaviors.
I've been doing more Rust hacking at home and I genuinely think that this next decade will be just gangbusters for Rust; its gotten a lot of early adoption, and the next wave is going to be wild.
one of these days I'll work at a Rust shop, and I am hyped for that possibility. it'll be NICE.
Who is going to pay $75/mo for a vacuum when they can get a shark robot vacuum for a one time payment of $500? It sounds like the Juicero of floor cleaning. Apparently VC's haven't learned their lesson yet.
I'm going to echo you, $75/mo for a better Roomba imo is wild. I am very impressed by the custom SLAM and the privacy focused, but it's a reoccurring subscription I couldn't justify. Curious who their target demographics are.
I haven't looked deep into that offer, but I spent some time thinking about other appliances and switching from ownership to renting.
Ecological it's quite interesting: Currently people run inefficient appliances which are decades old till they fall apart and the appliance can't be recycled.
If we would transition to a model where they are rented "all inclusive" the vendor might have a very different motivation to make sure people got a modern device and it's built in a way that as many parts as possible can be reused.
You’ve obviously never owned a dirt ingesting shark robot vacuum.
There are hundreds of thousands of Americans who’ll pay $75/mo for unlimited repairs and maintenance and never having to worry about if the toddler takes the vacuum cleaner for a tumble down the stairs.
I'm on my second roomba in well over a decade. I don't remember what happened to the first one, I think I gave it away in a move, but it didn't break. I don't know anything about the shark brand but I've never really thought twice about repair problems with roomba or heard about issues from friends. Obviously a small sample size, but this is something I don't get as a subscription.
That said, Matician's vision mapping looks really cool.
I know others are piling on but there is also adoption at Google, Facebook, Fastly, Dropbox, Yelp, Reddit, 1password, Discord etc. The list goes on and on. I know more that are using it heavily but aren't public with it. I've spend the last 8 years of my life (minus a short one year stint with python) writing Rust in production. It isn't just hobbyists and hasn't been there way for a long time.
Workers KV is actually largely implemented as a Worker, in TypeScript. :)
Think of `workerd` as the "kernel" of our "cloud operating system". We try to avoid putting things in the kernel if we can. Features like Workers KV, R2, Queues, D1, etc. are generally built as "userspace" services, that is, they run as Workers.
Durable Objects is a bit special, it's inherently something that needs to be in the core runtime, and which many of these other services build on top of.
FWIW, if I were starting over I'd probably write the runtime in Rust, but it wasn't quite ready yet when we started six years ago.
mmmm... the Windows kernel? Amazon Firecracker (the AWS Lambda engine, afaik)?
I have used Rust off and on for a decade, and in the last 5 years Rust has really moved from hobbyist to making inroads at big tech firms. It is good to be skeptical though. Language boosters can be annoying. :)
This sounds very good. Rust has inherent "x-th mover" problems in spaces where C or C++ is dominant and hard to replace, like automotive and aerospace. These are also the spaces where a language with stronger guarantees and which can target embedded real time devices, is more useful than almost everywhere else.
For rust to succeed in those spaces a "community compiler" is just simply not an option. Having a standardized language (which is still not there yet) with a qualified compiler toolchain would be a significant step forward and actually makes it perspectively possible to use rust on projects for commercial aviation.
IMO a standardize language isn't necessary. Pretty much no C compilers actually follow the C standard exactly (including verified ones). Also it's not like the C standard actually prescribes behavior in lots of cases. Tons of C is UB or implementation defined behavior.
To some extent you certainly need a standardized language and I don't think having rustc as the "defacto" standard is in any way acceptable to use it on an airplane.
A compiler not complying with the standard is also not that problematic, as long as the deviation is known. UB should be avoided under all circumstances, but it is inherent to any language as spread out as C.
> To some extent you certainly need a standardized language
Because we're talking standards, precise wording is important. You do not need a standardized language in order to produce a qualified compiler.
> I don't think having rustc as the "defacto" standard is in any way acceptable to use it on an airplane.
This is true but not because it's a "defacto standard," it is because rustc does not fulfill the requirements to be qualified. Ferrocene, on the other hand, does.
> A compiler not complying with the standard is also not that problematic, as long as the deviation is known.
You're correct here, but that's directly in conflict with the "you need a standardized language," which is why I'd disagree with that portion of what you've said here.
On the specific point of standardization. I do not see how you could get a language without a standard into an aircraft.
The Ferrocene guy mentioned that they worked on some formalization of rust, probably because tracability without it seems sonewhat impossible and maybe that is already enough for the FAA/EASA.
But you said it yourself: deviation from a standard is fine. There is no requirement that there is some sort of upstream standard that must be adhered to.
I do not think it is possible to use rust on a commetcial airplane, above DAL E. See the DO-178(B) 11.8 a.
"For a programming language, reference the data that unambigously defines the syntax, the control behaviour, the data behaviour and side-effects of the language".
If the language has no standard, like rust, you have to essentially create a standard. Afaik rust has no documentation which satisfies those requirements in any way.
I don't think that we're understanding each other, so I'm going to leave it for this post. But this supports what I am saying. This does not say "For a programming language, it must have an ISO standard, and the implementation must be in full compliance with the standard."
> Afaik rust has no documentation which satisfies those requirements in any way.
That is correct, Rust does not. Ferrocene does. And that's perfectly fine according to the requirements.
Is there FAA/EASA certified rust SW on a commercial airplane above DAL E? If not ferrocene potentially does.
>For a programming language, it must have an ISO standard
Which is also not what I am saying. It is obviously not important that it is an ISO standard (the DO certainly has no such Requirement), but you need some documentation which specifies the language. For C/C++ that is trivial, as it is standardized, for rust it isn't.
I fully agree that you can conform to the DO by having a company like Ferrocene which provides that documentation. And that has a compiler toolchain which states how it complies with the specification. And I am glad that they are doing this, as this is a step in the right direction.
I am glad that we are in agreement. Your final paragraphs are what I have been saying, in response to you saying "I do not see how you could get a language without a standard into an aircraft."
> Is there FAA/EASA certified rust SW on a commercial airplane above DAL E?
> Lynx Software Technologies (Lynx) the leader in delivering solutions for the Mission Critical Edge, today announced that its LynxOS-178 operating system and LynxElement unikernel will include support for Rust... LynxOS-178 is a native POSIX, hard real-time partitioning operating system developed and certified to FAA DO-178C DAL A safety standards.
So the interest is there, at least, but given that Ferrocene is currently only qualified for ISO 26262 and IEC 61508, with DO-178C, ISO 21434, and IEC 62278 being listed as "in the future," I am guessing that's something desired, but not true yet.
> If not ferrocene potentially does.
Yes, to be clear I meant conceptually, in a way that the Rust Project does not, and I would be willing to bet money that it never will. Not that it has passed that bar presently.
Does this mean they're going to have a curated subset of crates they'll be willing to vouch for? Cool if true, but sounds like a very significant amount of work.