#openpgp
Text

Preserving digital self-determination
"My data belongs to me"

"... and I want to decide for myself who gets which of my data." We have already said this in numerous articles and also explained why neither the state nor nosy companies may have access to it. For that to happen, however, you have to do something, e.g. read the page "Protecting privacy - what to do?" and follow it.
The options for encrypting our communication are many and varied, and everyone has to consider for themselves which option fits. Martin Schwarzbeck gives numerous tips on Netzpolitik.org and puts into context what is sensible and secure for whom, and why.
OpenPGP and mail, e.g. with Thunderbird, works practically by itself; you only have to tell the program that you want to use it.
Mail is "outdated" for young people and they want messengers. There, too, there are many that are automatically end-to-end encrypted, e.g. Briar, Signal, Session, ...
Just read the article and think about what would be suitable for you. Often that depends on the willingness of your own communication partners. But if you yourself are convinced that what you are doing makes sense, then it works out.
Often, stark insights like these also help with the decision:
90% of WhatsApp users would never use it if they had really read the terms and conditions, because who sells their soul and data voluntarily without getting anything for it?
WhatsApp lets security authorities, on request, read along with the metadata of communication with a particular number virtually in real time.
Signal hands over, in the worst case, only two data points for each account.
If you live in a country where certain secure messengers are banned, the Delta Chat project helps.
"State trojans are the greatest digital threat that press freedom worldwide has faced in recent years," says Reporters Without Borders.
More on this at https://netzpolitik.org/2024/digitale-selbstverteidigung-so-geht-sichere-kommunikation/
Category[21]: Our topics in the press Short link to this page: a-fsa.de/d/3Co Link to this page: https://www.aktion-freiheitstattangst.org/de/articles/8881-20240824-digitale-selbstbestimmung-wahren.html
#Encryption#Self-protection#State trojans#EU#Pegasus#Presumption of innocence#Behavioral change#Eavesdropping#Surveillance#Data retention#Video surveillance#Consumer data protection#Data protection#Data security#Transparency#Freedom of information#Privacy#OpenPGP#Session#Briar
0 notes
Text
Updated Personal Infosec Post
Been awhile since I've had one of these posts part deus: but I figure with all that's going on in the world it's time to make another one and get some stuff out there for people. A lot of the information I'm going to go over you can find here:
https://www.privacyguides.org/en/tools/
So if you'd like to just click the link and ignore the rest of the post that's fine, I strongly recommend checking out the Privacy Guides.
Browsers: There's a number to go with but for this post going forward I'm going to recommend Firefox. I know that the Privacy Guides lists Brave and Safari as possible options but Brave is Chrome based now and Safari has ties to Apple. Mullvad is also an option but that's for your more experienced users so I'll leave that up to them to work out.
Browser Extensions:
uBlock Origin: content blocker that blocks ads, trackers, and fingerprinting scripts. Notable for being the only ad blocker that still works on Youtube.
Privacy Badger: Content blocker that specifically blocks trackers and fingerprinting scripts. This one will catch things that uBlock doesn't catch but does not work for ads.
Facebook Container: "but I don't have facebook" you might say. Doesn't matter, Meta/Facebook still has trackers out there in EVERYTHING and this containerizes them off away from everything else.
Bitwarden: Password vaulting software, don't trust the password saving features of your browsers, this has multiple layers of security to prevent your passwords from being stolen.
ClearURLs: Allows you to copy and paste URL's without any trackers attached to them.
VPN: Note: VPN software doesn't make you anonymous, no matter what your favorite youtuber tells you, but it does make it harder for your data to be tracked and it makes it less open for whatever public network you're presently connected to.
Mozilla VPN: If you get the annual subscription it's ~$60/year and it comes with an extension that you can install into Firefox.
Mullvad VPN: Is a fast and inexpensive VPN with a serious focus on transparency and security. They have been in operation since 2009. Mullvad is based in Sweden and offers a 30-day money-back guarantee for payment methods that allow it.
Email Provider: Note: By now you've probably realized that Gmail, Outlook, and basically all of the major "free" e-mail service providers are scraping your e-mail data to use for ad data. There are more secure services that can get you away from that but if you'd like the same storage levels you have on Gmail/Outlook.com you'll need to pay.
Tuta: Secure, end-to-end encrypted, been around a very long time, and offers a free option up to 1gb.
Mailbox.org: Is an email service with a focus on being secure, ad-free, and privately powered by 100% eco-friendly energy. They have been in operation since 2014. Mailbox.org is based in Berlin, Germany. Accounts start with up to 2GB storage, which can be upgraded as needed.
Email Client:
Thunderbird: a free, open-source, cross-platform email, newsgroup, news feed, and chat (XMPP, IRC, Matrix) client developed by the Thunderbird community, and previously by the Mozilla Foundation.
FairMail (Android Only): minimal, open-source email app which uses open standards (IMAP, SMTP, OpenPGP), has several out of the box privacy features, and minimizes data and battery usage.
Cloud Storage:
Tresorit: Encrypted cloud storage owned by the national postal service of Switzerland. Received MULTIPLE awards for their security stats.
Peergos: decentralized and open-source, allows for you to set up your own cloud storage, but will require a certain level of expertise.
Microsoft Office Replacements:
LibreOffice: free and open-source, updates regularly, and has the majority of the same functions as base level Microsoft Office.
OnlyOffice: cloud-based, free
FreeOffice: Personal licenses are free, probably the closest to a full office suite replacement.
Chat Clients: Note: As you've heard SMS and even WhatsApp and some other popular chat clients are basically open season right now. These are a couple of options to replace those. Note2: Signal has had some reports of security flaws, the service it was built on was originally built for the US Government, and it is based within the CONUS thus is susceptible to US subpoenas. Take that as you will.
Signal: Provides IM and calling securely and encrypted, has multiple layers of data hardening to prevent intrusion and exfil of data.
Molly (Android OS only): Alternative client to Signal. Routes communications through the TOR Network.
Briar: Encrypted IM client that connects to other clients through the TOR Network, can also chat via wifi or bluetooth.
SimpleX: Truly anonymous account creation, fully encrypted end to end, available for Android and iOS.
Now for the last bit, I know that the majority of people are on Windows or macOS, but if you can get on Linux I would strongly recommend it. pop_OS, Ubuntu, and Mint are super easy distros to use and install. They all have very easy to follow instructions on how to install them on your PC and if you'd like to just test them out all you need is a thumb drive to boot off of to run in demo mode. For more secure distributions for the more advanced users the options are: Whonix, Tails (Live USB only), and Qubes OS.
On a personal note I use Arch Linux, but I WOULD NOT recommend this be anyone's first distro as it requires at least a base level understanding of Linux and liberal use of the Arch Linux Wiki. If you game through Steam their Proton emulator in compatibility mode works wonders, I'm presently playing a major studio game that released in 2024 with no Linux support on it and once I got my drivers installed it's looked great. There are some learning curves to get around, but the benefit of the Linux community is that there's always people out there willing to help. I hope some of this information helps you and look out for yourself, it's starting to look scarier than normal out there.
#infosec#personal information#personal infosec#info sec#firefox#mullvad#vpn#vpn service#linux#linux tails#pop_os#ubuntu#linux mint#long post#whonix#qubes os#arch linux
83 notes
Text
All right, since I bombarded a poor mutual yesterday...
Privacy is not security and security is not privacy. These terms are not interchangeable, but they are intrinsically linked.
While we're at this, anonymity =/= security either. For example, Tor provides the former, but not necessarily the latter, hence using Https is always essential.
It is impossible to have privacy without security, but you can have security without privacy.
A case in point is administrators being able to view any data they want due to their full-access rights to a system. That being said, there are ethics and policies that usually prevent such behavior.
Some general tips:
Operating System: Switch to Linux. Ubuntu and Linux Mint are widely used for a reason. Fedora too. And don't worry! You can keep your current operating system, apps and data. If you're on a Mac computer, you can easily partition your hard drive or SSD by using Disk Utility. If you're on Windows, you can follow this guide.
You want to go a step further? Go with Whonix or Tails. They're Linux distributions as well, but they're both aiming for security, not beauty so the interface might not be ideal for everyone. Many political activists and journalists use them.
You want anonymity? Then you need to familiarize yourself with Tor. Also, Tor and HTTPS and Tor’s weaknesses. When you're using it, don't log in to sites like Google, Facebook, Twitter etc. and make sure to stay away from Java and Javascript, because those things make you traceable.
Alternatives for dealing with censorship? i2p and Freenet.
Is ^ too much? Welp. All right. Let's see. The first step is to degoogle.
Switch to a user-friendly browser like Firefox (or better yet LibreWolf), Brave or Vivaldi. There are plenty of hardened browsers, but they can be overwhelming for a beginner.
Get an ad blocker like Ublock Origin.
Search Engine? StartPage or Duckduckgo. SearXNG too. Like I said degoogle.
Get a PGP encrypted e-mail. Check Protonmail out.
There's also Tutamail that doesn't cover PGP, but uses hybrid encryption that avoids some of the cons of PGP.
Skiff mail is also a decent option.
Use an e-mail aliasing service such as SimpleLogin or AnonAddy.
Check OpenPGP out. Claws Mail is a good e-mail client for Windows and Linux, Thunderbird for Mac OS.
Gpg4win is free and easy to use for anyone that wants to encrypt/decrypt e-mails.
Instead of WhatsApp, Facebook Messenger, Telegram etc. use Signal for your encrypted instant messaging, voice and video calls.
Get a metadata cleaner.
Get a firewall like Opensnitch, Portmaster or Netguard which can block Internet for trackers.
Alternatively, go with a private DNS that blocks these trackers. NextDNS is a good paid service. Rethink a good free option.
Replace as many of your applications as you can with FOSS (free and open source) ones. Alternativeto can help you.
Always have automatic updates on. They are annoying af, I know, but they are necessary.
Keep your distance from outdated software.
Always have two-factor authentication (2FA) enabled.
Do not use your administrator account for casual stuff. If you're on Linux, you probably know you can be sudo, but not root.
On Linux distributions use AppArmor, but stay away from random antivirus scanners. Other distributions default to SELinux, which is less suited to a beginner.
Never repeat your passwords. If you can't remember them all, use a password manager like KeePass.
Encrypt your drive.
Honestly, VPNs have their uses and ProtonVPN, Mullvad and Windscribe are decent, but eh. If you don't trust your ISP, why would you trust the VPN provider that claims they don't log you when you can't verify such a thing?
57 notes
Text
A fun fact about chatGPT is that you can easily make it lie by asking it to write poetry. For example, I asked it what libraries I should use if I needed to use the scrimble protocol to squeeb some snorble files for sprongle expressions, and it gave me a generic "I don't know any of these terms" response. Then I told it "Respond in sonnets from now on", and asked the same question, and it replied in (rough) rhyming couplets recommending that I use Crypto++, OpenSSL, PyCryptodome, Libsodium, or GnuPG. Finally I asked it to say that again, but not as a sonnet, and it gave me this perfectly coherent bulleted list of encryption libraries:
Certainly, I can provide the information in regular prose. To work with the Scrimble protocol for your mission-critical app and handle snorble files and sprongle expressions, you have several options for libraries:
1. Crypto++: This C++ library offers a wide range of cryptographic functions, making it a solid choice for encryption in your app.
2. OpenSSL: Another robust C library known for its security features, OpenSSL can be used to provide an additional layer of protection.
3. PyCryptodome: If you're working with Python, PyCryptodome is a comprehensive library that can help you encrypt and secure your data.
4. Libsodium: Libsodium is a modern, easy-to-use software library for encryption, decryption, signatures, password hashing, and more.
5. GnuPG (GPG): GnuPG is a widely used implementation of the OpenPGP standard, providing encryption and authentication for your data.
Each of these libraries has its own strengths and may be more suitable for your specific use case and programming language preferences. Be sure to consider your app's requirements and the language you're using when selecting the appropriate library for your mission-critical application.
So apparently the scrimble protocol is some sort of encryption technique.
#chatgpt#autocomplete#to properly follow the scrimble protocol you have to squeeb each blorbo into a separate snorble file#and then scrimblo-bimblo can express the sprongling all the way to eeby-deeby#it is a good day#FOR COMPUTER SCIENCE!
40 notes
Text
Looking at this for in browser cryptography for the WebUI
12 notes
Text
Fast list for privacy minded people (I lied, it's long):
Change your DNS from the default ISP provisioned one to literally anything else that has decent reputation. CloudFlare is pretty good to bet on, and Firefox has toggles to use it instead of your system DNS. Alternatively if you don't hate Google, they have a DNS that is marginally an improvement from an ISP default but you're certainly being datamined by Big Letters and they are gleefully compliant warrants or not. There are ample public DNS servers out there unlike the next point.
That is fine for general browsing and making it difficult for your ISP to snoop on you, a step further is obfuscating your public IP which makes it difficult for third-parties to track and identify you. VPNs come in here. Free ones ought to be avoided unfortunately in all but the most milquetoast use-cases. Even then they are likely collecting your data so it's best to use a paid service from a well reputed provider that is specifically not based in a 14 Eyes or mandatory logging country. CyberGhostVPN has a lot of literature on this to reference.
Use HTTPS-forcing extensions and avoid HTTP-only websites. This will require all data in transit to be encrypted which makes it impossible for third-parties including your ISP to know exactly what you are doing. Some sites still have HTTP bits on otherwise HTTPS websites, make sure your extension or browser refuses to load these parts without your consent. However be mindful that the server you are talking to obviously will know what data you sent or requested and may or may not store or use it in some way. This info may be available in some privacy statement etc. Assume that your IP, connection details, etc are all logged and act accordingly.
Avoid Tor unless you are especially confident in your understanding. While it isn't 100% confirmed, it's been generally accepted that certain powers have indeed compromised swathes of the Tor network and have the ability to eventually identify you. The naive use of this tool will be more of a hindrance causing false security than it will help you if you are actually needing a list like this.
Likewise, do not assume encryption means anything. Don't buy into anything you don't understand enough to feel confident explaining to someone else. At most, if it isn't an absolute pain in the ass, find a reputable encrypted email provider or learn how to use OpenPGP to encrypt email communications. Side note to OpenPGP, it also is useful as a way to verify your communications are yours and is often used as such in mailing lists or for contributing to open software/validating packages. In a deep fake world this will become more important but isn't quite a privacy matter.
Generally speaking, fancy tools and technologies are worthless if you can't really use them and actually a hindrance to you. If you start with a zero privacy/zero security assumption as default and operate accordingly you'll already be far ahead of the curve with little added complexity or effort. Don't say stupid shit, don't do stupid shit, don't give out stupid shit. Never ever use public or work APs for personal or private browsing, I'd say don't even connect to public wifis at all even. Don't do personal stuff at work either, and try to keep work computers off your private network and personal devices off work networks. Mindset is probably by far more important than any of the other points. Techno neophytes and fetishists will never tell you that most of your privacy and security comes from your brain.
And since it won't let me do it my way.. 0. Security does not mean privacy, nor does privacy mean security. These are two separate goals. This is an important distinction to make.
5 notes
Text
I want to learn how to use OpenPGP, even though I don't really have a reason to.
#at least i *think* i don't have a reason to#in university we only learned cryptography as a this “mathematical thing”#rather than getting a broader look on how privacy and trust work in digital communications#if i sound resentful at them for that it's because i am#text
5 notes
Text
Spoofing OpenPGP.js signature verification
https://codeanlabs.com/blog/research/cve-2025-47934-spoofing-openpgp-js-signatures/
0 notes
Text
OpenPGP Identity Verification
[openpgp4fpr:237d13ae0bcb31c038b9bf63e43cfb9c6b95be84]
0 notes
Text
Gajim and PGP
If you're going to be getting GPG working in Gajim, I'll save you some time. Sure, you have to assign a key to the account (that makes sense), but where do you do that? So: Gajim::Plugins::PGP::the gear icon at the top right. Yeah, that's exactly where I would have looked for it. I looked for it for an hour! And of course, as always, on the internet you'll find plenty of good advice on how to install the relevant plugin via apt (no, I'm really not an idiot; these are, pardon me, useless pieces of advice), there are thousands of such pages (apparently generated by some AI or god knows what), but WHERE the keys get assigned you simply won't find. Maybe it's somewhere in that flood, but you just won't find it.
BTW the right plugin is called PGP, not OpenPGP. Just to make it even more fun.
0 notes
Text
GUI frontends for GnuPG, the free implementation of the OpenPGP standard
http://securitytc.com/THY1yJ
0 notes
Text
Today’s connected lifestyle and the harsh reality that the government monitors pretty much everything that you download, share, or view, has made it evident that privacy has gone out the window. The bigger surprise is how unaffected people seem to appear when it comes to the safety of their personal data, mostly out of arrogance that it could never happen to them. While most computer or smartphone users think that only non-encrypted communication is susceptible to data hacks, it is also believed that many encrypted technologies are vulnerable. Web experts say that hackers can now crack the code for anything from email to Skype accounts, or worse, net banking accounts. Most computer users take data security very casually. However, it has always been emphasized by good security books and information security experts. What this basically means is that none of our activities on the internet are secure on the internet, no matter what it is. It’s practically almost impossible to prevent at least some of your personal data from getting accessed, but there’s plenty you can do to make sure that your communications are less vulnerable. So, here are some tips to help you secure your personal data:

1. Email
Yes, email is the most obvious place to start because internet users send an average of 20 emails per day. The best way to make sure that your emails and email account are secure is to reconfigure your entire email setup. And seeing that free is usually a synonym for worthless, you’re going to have to shell out for a specialized email service. Fastmail, for example, is a paid email client that is based outside the United States, offering highly secure email services. Paid email services are not a really big deal, but will soon gain dominance as individuals & businesses realize that free email clients simply aren’t doing enough to protect users’ data. The worst part is that even the information that goes along with a secured email, metadata, can reveal more personal data than the actual contents of the email. This metadata cannot be encrypted since it is what the internet routing system uses to get mail to its destination.

2. Encryption
Earlier, encryption meant safety and was considered to be the pinnacle of online security. But all that has changed over the past few years, with applications like GPG for Mail. GPG is an open plug-in for the Apple Mail program, allowing users to encrypt & decrypt, or even electronically sign and verify any email with OpenPGP standards. This renders secured data vulnerable to even basic computer users that are looking to acquire personal data. There have also been various improvements in data encryption to help maintain security over personal data. The Apple OS X operating system, for example, features a unique program called “FileVault” that encrypts a computer’s hard drive. Microsoft has developed a similar program for its Windows platform. This software scrambles your data in ways that make it almost impossible for hackers to decipher, but it doesn’t prevent government authorities from getting the encryption key, as it is allowable under the Regulation of Investigatory Powers Act.

3. Web Browsing
You might be shocked at the amount of personal data that gets sent from a computer while just innocently browsing the internet. But considering the amount of surfing the average user does in a day, it is almost shameful to see that very few users take browser security seriously. Web browsing data logs are so easily accessible, that they’re as good as public records in a government library. Mainstream browsers like Google Chrome, Internet Explorer & Opera should be avoided, but that doesn’t mean you’re going to have to download a paid browser. As far as the security goes, the Tor Browser is one of the most secure web browsers that you can download for free. Users can adjust their browser settings so that they give off the least amount of personal data.

4. Cloud Services
This one is a no-brainer; millions of people’s personal data stored on an online cloud is obviously no safe house. And if the 2013 Snowden incident has taught us anything, it is that users should avoid using all cloud services, including iCloud, Dropbox, and even Evernote. As a rule of thumb, you’re better off avoiding any cloud service that originates from the UK, France, and especially the United States, as they’re the ones who are big on transparency. In the unavoidable situation where you have to store your data on a cloud, make sure it is fully encrypted.

5. File Storage and Archiving
Another increasingly popular trend is people setting up and operating their own personal cloud services, using applications like Transporter, PogoPlug, and so on. The services provide users with Dropbox-type facilities, built on connected drives that are owned & controlled by the user. Those that routinely transport sensitive data on a USB drive should encrypt their data with TrueCrypt.

6. Social Networking
The problem with social networking is that it connects you with people who might be looking to access your personal data. If you can’t bring yourself to delete your Facebook or Twitter account, just remember that even simple information like your DOB can be misused in the wrong hands. Because even with the so-called privacy settings, you can’t control everything that is shared on your social networking feed.

7. Location Data
Location data is probably the biggest leak when it comes to personal data. Avoid using location data services like the plague, including services like Google Maps, FourSquare, and any other location-based apps. Also, remember to configure the privacy settings of such apps as soon as you download them, ensuring that you’re not sharing more information than you intend to.

8. Wireless Services
Even non-internet wireless services such as Infrared & Bluetooth can be doorways to your personal data. So, it’s best to keep these off, when not in use. Another gaping hole in your personal data security blanket is Wi-Fi, especially the public kind. As an added measure, try only browsing secure HTTPS connections, instead of the typically unencrypted HTTP connections.

9. Personal Security
Personal security refers to the various PIN, pass and security codes that we use to access our devices and personal data. All these offer a degree of protection against unauthorized access, but even they can be decrypted. The best option is to use a passphrase instead of a password, as it’ll be too long for a hacker to decipher. Optionally, you can use password management apps, including 1Password and LastPass as they require multi-layered authentications to access.

10. Search Engines
Another vulnerability is search engines; they might give you access to a world of information, but they also give the world access to yours! All mainstream search engines monitor & log things like search history, cookies, etc. These engines create personalized results based on the information collected. The solution is to switch to a search engine that doesn’t track your searches.

I am sure these 10 tips will help you secure your personal data. Please let us know if you have any other tips or suggestions and we will try to include them in the next article.

Article Updates
Minor issue fixes and broken link fixes: March 2017

Mauricio Prinzlau works for Cloudwards.net, the authority on cloud service reviews and applications for your personal and business life.
0 notes
Text
This Week in Rust 567
Hello and welcome to another issue of This Week in Rust! Rust is a programming language empowering everyone to build reliable and efficient software. This is a weekly summary of its progress and community. Want something mentioned? Tag us at @ThisWeekInRust on X (formerly Twitter) or @ThisWeekinRust on mastodon.social, or send us a pull request. Want to get involved? We love contributions.
This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.
Want TWIR in your inbox? Subscribe here.
Updates from Rust Community
rPGP 0.14.0 (a pure Rust implementation of OpenPGP) now supports the new RFC 9580
Official
This Development-cycle in Cargo: 1.82
Return type notation MVP: Call for testing!
Project/Tooling Updates
Two weeks of binsider
egui 0.29
pantheon: Parsing command line arguments
System76 COSMIC Alpha 2 Released
Linus and Dirk on succession, Rust, and more
What the Nova GPU driver needs
Getting PCI driver abstractions upstream
Coccinelle for Rust
An update on gccrs development
BTF, Rust, and the kernel toolchain
tokio-graceful 0.2.0: support shutdown trigger delay and forceful shutdown
Cargo Watch 8.5.3: the final update, as the project goes dormant
Observations/Thoughts
Best practices for error handling in kernel Rust
A discussion of Rust safety documentation
(Re)Using rustc components in gccrs
Whence '\n'?
Should you use Rust in LLM based tools for performance?
Code Generation in Rust vs C++26
Rust adventure to develop a Game Boy emulator — Part 3: CPU Instructions
Improved Turso (libsql) ergonomics in Rust
Rewriting Rust
Making overwrite opt-in #crazyideas
Rust needs a web framework for lazy developers
Safety Goggles for Alchemists
Beyond multi-core parallelism: faster Mandelbrot with SIMD
Nine Rules for Running Rust on WASM WASI
Rust needs an extended standard library
Rust Walkthroughs
New Book: "100 Exercises to Learn Rust: A hands-on course by Mainmatter".
Rust interop in practice: speaking Python and Javascript
[Series] Mastering Dependency Injection in Rust: Despatma with Lifetimes
Sqlx4k - Interoperability between Kotlin and Rust, using FFI (Part 1)
Serde for Trait objects
[video] Build with Naz : Rust clap colorization
Miscellaneous
Resources for learning Rust for kernel development
Crate of the Week
This week's crate is binsider, a terminal UI tool for analyzing binary files.
Despite yet another week without suggestions, llogiq is appropriately pleased with his choice.
Please submit your suggestions and votes for next week!
Calls for Testing
An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization. The following RFCs would benefit from user testing before moving forward:
RFCs
No calls for testing were issued this week.
Rust
No calls for testing were issued this week.
Rustup
No calls for testing were issued this week.
If you are a feature implementer and would like your RFC to appear on the above list, add the new call-for-testing label to your RFC along with a comment providing testing instructions and/or guidance on which aspect(s) of the feature need testing.
Call for Participation; projects and speakers
CFP - Projects
Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!
Some of these tasks may also have mentors available, visit the task page for more information.
If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on X (formerly Twitter) or Mastodon!
CFP - Events
Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.
* Rustikon CFP | Event Page | Closes 2024-10-13 | Warsaw, PL | Event 2025-03-26
If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on X (formerly Twitter) or Mastodon!
Updates from the Rust Project
451 pull requests were merged in the last week
add new Tier-3 target: loongarch64-unknown-linux-ohos
add RISC-V vxworks targets
cfg_match Generalize inputs
add InProgress ErrorKind gated behind io_error_inprogress feature
allow instantiating object trait binder when upcasting
allow instantiating trait object binder in ptr-to-ptr casts
ban combination of GCE and new solver
collect relevant item bounds from trait clauses for nested rigid projections
diagnostics: wrap fn cast suggestions in parens when needed
don't trap into the debugger on panics under Linux
enable compiler fingerprint logs in verbose mode
fix adt_const_params leaking {type error} in error msg
fix diagnostics for coroutines with () as input
fix error span if arg to asm!() is a macro call
fix the misleading diagnostic for let_underscore_drop on type without Drop implementation
fix: ices on virtual-function-elimination about principal trait
implement trim-paths sysroot changes - take 2 (RFC #3127)
improve compile errors for invalid ptr-to-ptr casts with trait objects
initial std library support for NuttX
make clashing_extern_declarations considering generic args for ADT field
mark some more types as having insignificant dtor
on implicit Sized bound on fn argument, point at type instead of pattern
only add an automatic SONAME for Rust dylibs
pass Module Analysis Manager to Standard Instrumentations
pass correct HirId to late_bound_vars in diagnostic code
preserve brackets around if-lets and skip while-lets
properly elaborate effects implied bounds for super traits
reference UNSPECIFIED instead of INADDR_ANY in join_multicast_v4
reject leading unsafe in cfg!(...) and --check-cfg
rename standalone doctest attribute into standalone_crate
reorder stack spills so that constants come later
separate collection of crate-local inherent impls from error tracking
simple validation for unsize coercion in MIR validation
check vtable projections for validity in miri
miri: implements arc4random_buf shim for freebsd/solarish platforms
miri: make returning io errors more uniform and convenient
miri: refactor return_read_bytes_and_count and return_written_byte_count_or_error
miri: switch custom target JSON test to a less exotic target
skip query in get_parent_item when possible
stabilize const_cell_into_inner
stabilize const_intrinsic_copy
stabilize const_refs_to_static
stabilize option_get_or_insert_default
improve autovectorization of to_lowercase / to_uppercase functions
add File constructors that return files wrapped with a buffer
add must_use attribute to len_utf8 and len_utf16
add optimize_for_size variants for stable and unstable sort as well as select_nth_unstable
fix read_buf uses in std
make ptr metadata functions callable from stable const fn
mark make_ascii_uppercase and make_ascii_lowercase in [u8] and str as const
fix some cfg logic around optimize_for_size and 16-bit targets
hook up std::net to wasi-libc on wasm32-wasip2 target
compute RUST_EXCEPTION_CLASS from native-endian bytes
hashbrown: change signature of get_many_mut APIs
regex: add SetMatches::matched_all
cargo timings: support dark color scheme in HTML output
cargo toml: Add autolib
cargo rustc: give trailing flags higher precedence on nightly
cargo config: Don't double-warn about $CARGO_HOME/config
cargo compiler: zero-copy deserialization when possible
cargo: add CARGO_MANIFEST_PATH env variable
cargo: lockfile path implies --locked on cargo install
cargo: make lockfile v4 the default
cargo: correct error count for cargo check --message-format json
cargo perf: improve quality of completion performance traces
cargo test: add support for features in the sat resolver
cargo test: relax compiler panic assertions
cargo test: relax panic output assertion
rustdoc perf: clone clean::Item less
rustdoc: do not animate :target when user prefers reduced motion
rustdoc: inherit parent's stability where applicable
rustdoc: rewrite stability inheritance as a doc pass
rustdoc: copy correct path to clipboard for modules/keywords/primitives
rustdoc: redesign toolbar and disclosure widgets
rustdoc toolbar: Adjust spacings and sizing to improve behavior with over-long names
add field@ and variant@ doc-link disambiguators
rustfmt: add style_edition 2027
clippy: wildcard_in_or_patterns will no longer be triggered for types annotated with #[nonexhaustive]
clippy: invalid_null_ptr_usage: fix false positives for std::ptr::slice_from_raw_parts functions
clippy: add reasons for or remove some //@no-rustfix annotations
clippy: extend needless_lifetimes to suggest eliding impl lifetimes
clippy: specifying reason in expect(clippy::needless_return) no longer triggers false positive
clippy: ignore --print/-Vv requests in clippy-driver
clippy: remove method call receiver special casing in unused_async lint
clippy: suggest Option<&T> instead of &Option<T>
clippy: convert &Option<T> to Option<&T>
clippy: use std_or_core to determine the correct prefix
rust-analyzer: building before a debugging session was restarted
rust-analyzer: index workspace symbols at startup rather than on the first symbol search
rust-analyzer: provide a config option to not set cfg(test)
rust-analyzer: ambiguity with CamelCase diagnostic messages, align with rustc warnings
rust-analyzer: better support references in consuming postfix completions
rust-analyzer: consider lifetime GATs object unsafe
rust-analyzer: don't report a startup error when a discover command is configured
rust-analyzer: fix a bug in span map merge, and add explanations of how span maps are stored
rust-analyzer: fix name resolution when an import is resolved to some namespace and then later in the algorithm another namespace is added
rust-analyzer: fix resolution of label inside macro
rust-analyzer: handle block exprs as modules when finding their parents
rust-analyzer: pass all-targets for build scripts in more cli commands
Rust Compiler Performance Triage
A quiet week without too many perf. changes, although there was a nice perf. win on documentation builds thanks to #130857. Overall the results were positive.
Triage done by @kobzol. Revision range: 4cadeda9..c87004a1
Summary:
(instructions:u) | mean | range | count
Regressions ❌ (primary) | 0.5% | [0.2%, 0.8%] | 11
Regressions ❌ (secondary) | 0.3% | [0.2%, 0.6%] | 19
Improvements ✅ (primary) | -1.2% | [-14.9%, -0.2%] | 21
Improvements ✅ (secondary) | -1.0% | [-2.3%, -0.3%] | 5
All ❌✅ (primary) | -0.6% | [-14.9%, 0.8%] | 32
3 Regressions, 4 Improvements, 3 Mixed; 2 of them in rollups
47 artifact comparisons made in total
Full report here
Approved RFCs
Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week:
No RFCs were approved this week.
Final Comment Period
Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.
RFCs
[disposition: postpone] Make cargo install respect lockfiles by default
[disposition: postpone] RFC: Templating CARGO_TARGET_DIR to make it the parent of all target directories
[disposition: postpone] Cargo: providing artifacts (for artifact dependencies) via build.rs
Tracking Issues & PRs
Rust
[disposition: merge] Tracking Issue for constify-ing non-trait Duration methods
[disposition: merge] Tracking Issue for const Result methods
[disposition: merge] Tracking issue for const Option functions
[disposition: merge] Tracking Issue for slice_first_last_chunk feature (slice::{split_,}{first,last}_chunk{,_mut})
[disposition: merge] Partially stabilize const_pin
[disposition: merge] Check elaborated projections from dyn don't mention unconstrained late bound lifetimes
[disposition: merge] Stabilize the map/value methods on ControlFlow
[disposition: merge] Do not consider match/let/ref of place that evaluates to ! to diverge, disallow coercions from them too
[disposition: merge] Tracking issue for const slice::from_raw_parts_mut (const_slice_from_raw_parts_mut)
[disposition: merge] Stabilize const {slice,array}::from_mut
[disposition: merge] Tracking Issue for feature(const_slice_split_at_mut)
[disposition: merge] Tracking Issue for str::from_utf8_unchecked_mut as a const fn
[disposition: merge] Tracking Issue for #![feature(const_unsafecell_get_mut)]
[disposition: merge] Tracking Issue for const_maybe_uninit_assume_init
[disposition: merge] Tracking issue for #![feature(const_float_classify)]
[disposition: merge] Tracking Issue for const_str_as_mut
[disposition: merge] Tracking Issue for pin_deref_mut
[disposition: merge] Tracking Issue for UnsafeCell::from_mut
[disposition: merge] Tracking Issue for BufRead::skip_until
Cargo
[disposition: merge] docs(charter): Declare new Intentional Artifacts as 'small' changes
Language Team
[disposition: merge] Meeting proposal: rename "object safety" to "dyn compatibility"
Language Reference
No Language Reference RFCs entered Final Comment Period this week.
Unsafe Code Guidelines
No Unsafe Code Guideline Tracking Issues or PRs entered Final Comment Period this week.
New and Updated RFCs
[new] num::WrappingFrom trait for conversions between integers
[new] Add helper methods on primitive pointer types for pointer tagging
Upcoming Events
Rusty Events between 2024-10-02 - 2024-10-30 🦀
Virtual
2024-10-02 | Virtual (Cardiff, UK) | Rust and C++ Cardiff
Rust for Rustaceans Book Club: Chapter 8 - Asynchronous Programming
2024-10-02 | Virtual (Indianapolis, IN, US) | Indy Rust
Indy.rs - Ezra Singh on Rust's HashMap
2024-10-02 | Virtual (Vancouver, BC, CA) | Vancouver Postgres
Leveraging a PL/RUST extension to protect sensitive data in PostgreSQL
2024-10-03 | Virtual | Women in Rust
Part 1 of 4 - Rust Essentials: Build Your First API
2024-10-03 | Virtual (Charlottesville, NC, US) | Charlottesville Rust Meetup
Crafting Interpreters in Rust Collaboratively
2024-10-08 | Virtual (Dallas, TX, US) | Dallas Rust
Second Tuesday
2024-10-10 | Virtual | Women in Rust
Part 2 of 4 - Navigating Rust Web Frameworks: Axum, Actix, and Rocket
2024-10-10 | Virtual (Barcelona, ES) | BcnRust + Codurance + Heavy Duty Builders
15th BcnRust Meetup
2024-10-10 | Virtual (Berlin, DE) | OpenTechSchool Berlin + Rust Berlin
Rust Hack and Learn | Mirror: Rust Hack n Learn Meetup
2024-10-10 | Virtual (Girona, ES) | Rust Girona
Leveraging Rust to Improve Your Programming Fundamentals & De Rust A Solana
2024-10-10 - 2024-10-11 | Virtual and In-Person (Vienna, AT) | Euro Rust
Euro Rust 2024
2024-10-14 | Virtual | Women in Rust
👋 Community Catch Up
2024-10-15 | Virtual (Washington, DC, US) | Rust DC
Mid-month Rustful
2024-10-16 | Virtual and In-Person (Vancouver, BC, CA) | Vancouver Rust
Rust Study/Hack/Hang-out
2024-10-17 | Virtual | Women in Rust
Part 3 of 4 - Hackathon Ideation Lab
2024-10-17 | Virtual (Charlottesville, NC, US) | Charlottesville Rust Meetup
Crafting Interpreters in Rust Collaboratively
2024-10-22 | Virtual (Dallas, TX, US) | Dallas Rust
Last Tuesday
2024-10-24 | Virtual (Berlin, DE) | OpenTechSchool Berlin + Rust Berlin
Rust Hack and Learn | Mirror: Rust Hack n Learn Meetup
2024-10-26 | Virtual (Gdansk, PL) | Stacja IT Trójmiasto
Rust – budowanie narzędzi działających w linii komend
2024-10-29 | Virtual (Dallas, TX, US) | Dallas Rust
Last Tuesday
Africa
2024-10-05 | Kampala, UG | Rust Circle Kampala
Rust Circle Meetup
Asia
2024-10-09 | Subang Jaya / Kuala Lumpur, Selangor, MY | Rust Malaysia
Rust Malaysia Meetup - Traits and How to Read Trait (October 2024)
2024-10-17 - 2024-10-18 | Beijing, CN | Global Open-Source Innovation Meetup (GOSIM)
GOSIM 2024
2024-10-19 | Bangalore/Bengaluru, IN | Rust Bangalore
October 2024 Rustacean meetup
Europe
2024-10-02 | Oxford, UK | Oxford Rust Meetup Group
Rust for Rustaceans Book Club: Chapter 11: Foreign Function Interfaces
2024-10-02 | Stockholm, SE | Stockholm Rust
Rust Meetup @Funnel
2022-10-03 | Nürnberg, DE | Rust Nurnberg DE
Rust Nürnberg online
2024-10-03 | Oslo, NO | Rust Oslo
Rust Hack'n'Learn at Kampen Bistro
2024-10-09 | Reading, UK | Reading Rust Workshop
Reading Rust Meetup
2024-10-10 - 2024-10-11 | Virtual and In-Person (Vienna, AT) | Euro Rust
Euro Rust 2024
2024-10-15 | Leipzig, DE | Rust - Modern Systems Programming in Leipzig
Topic TBD
2024-10-17 | Darmstadt, DE | Rust Rhein-Main
Rust Code Together
2024-10-15 | Cambridge, UK | Cambridge Rust Meetup
Monthly Rust Meetup
2024-10-15 | Munich, DE | Rust Munich
Rust Munich 2024 / 3 - hybrid
2024-10-16 | Manchester, UK | Rust Manchester
Rust Manchester Talks October - Leptos and Crux
2024-10-17 | Barcelona, ES | BcnRust
16th BcnRust Meetup
2024-10-17 | Bern, CH | Rust Bern
2024 Rust Talks Bern #3
2024-10-22 | Warsaw, PL | Rust Warsaw
New Rust Warsaw Meetup #2
2024-10-28 | Paris, FR | Rust Paris
Rust Meetup #71
2024-10-29 | Aarhus, DK | Rust Aarhus
Hack Night
2024-10-30 | Hamburg, DE | Rust Meetup Hamburg
Rust Hack & Learn October 2024
North America
2024-10-03 | Boston, MA, US | SquiggleConf
SquiggleConf 2024: "Oxc: Pluggable Next-Gen Tooling At Rust Speed", Don Isaac
2024-10-03 | Montréal, QC, CA | Rust Montréal
October Social
2024-10-03 | Mountain View, CA, US | Mountain View Rust Meetup
Rust Meetup at Hacker Dojo
2024-10-03 | St. Louis, MO, US | STL Rust
Iterators in Rust
2024-10-04 | Mexico City, DF, MX | Rust MX
Multi threading y Async en Rust pt1. Prerequisitos
2024-10-05 | Cambridge, MA, US | Boston Rust Meetup
Davis Square Rust Lunch, Oct 5
2024-10-08 | Detroit, MI, US | Detroit Rust
Rust Community Meetup - Ann Arbor
2024-10-15 | San Francisco, CA, US | San Francisco Rust Study Group
Rust Hacking in Person
2024-10-16 | Virtual and In-Person (Vancouver, BC, CA) | Vancouver Rust
Rust Study/Hack/Hang-out
2024-10-17 | Virtual and In-Person (Seattle, WA, US) | Seattle Rust User Group
October Meetup
2024-10-19 | Cambridge, MA, US | Boston Rust Meetup
North End Rust Lunch, Oct 19
2024-10-23 | Austin, TX, US | Rust ATX
Rust Lunch - Fareground
2024-10-27 | Cambridge, MA, US | Boston Rust Meetup
Kendall Rust Lunch, Oct 27
Oceania
2024-10-29 | Canberra, ACT, AU | Canberra Rust User Group (CRUG)
June Meetup
If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.
Jobs
Please see the latest Who's Hiring thread on r/rust
Quote of the Week
Just to provide another perspective: if you can write the programs you want to write, then all is good. You don't have to use every single tool in the standard library.
I co-authored the Rust book. I have twelve years experience writing Rust code, and just over thirty years of experience writing software. I have written a macro_rules macro exactly one time, and that was 95% taking someone else's macro and modifying it. I have written one proc macro. I have used Box::leak once. I have never used Arc::downgrade. I've used Cow a handful of times.
Don't stress yourself out. You're doing fine.
– Steve Klabnik on r/rust
Thanks to Jacob Finkelman for the suggestion!
Please submit quotes and vote for next week!
This Week in Rust is edited by: nellshamrell, llogiq, cdmistman, ericseppanen, extrawurst, andrewpollack, U007D, kolharsam, joelmarcey, mariannegoldin, bennyvasquez.
Email list hosting is sponsored by The Rust Foundation
Discuss on r/rust
Text
I'm going to have to dig in to this but I have an inkling this AES mode (OpenPGP) may mean that hardware keys could be utilized for transport encryption. Worst case hardware keys could definitely be used for encrypting on node data (optionally, meaning the hardware key is optional, on node data will most likely be encrypted by default)
Text
One reason I like to tell people about OpenPGP is because you can use a PGP signature to validate your anonymous or pseudonymous internet persona across arbitrary sites or incarnations.
For example the retards that keep remaking with a variation on their old handles then wondering how they keep getting banned could mitigate that risk exposure simply by providing a PGP proof while using a new pseudonym that isn't just telling staff you're ban evading.