Planet Mozilla

January 07, 2026

Mozilla Localization (L10N) — Mozilla Localization in 2025

A Year in Data

As is tradition, we’re wrapping up 2025 for Mozilla’s localization efforts and offering a sneak peek at what’s in store for 2026 (you can find last year’s blog post here).

Pontoon’s metrics in 2025 show a stable picture for both new sign-ups and monthly active users. While we always hope to see signs of strong growth, this flat trend is a positive achievement when viewed against the challenges surrounding community involvement in Open Source, even beyond Mozilla. Thank you to everyone actively participating on Pontoon, Matrix, and elsewhere for making Mozilla localization such an open and welcoming community.

30 projects and 469 locales (+100 compared to 2024) set up in Pontoon.
5,019 new user registrations
1,190 active users, submitting at least one translation, on average 233 users per month (+5% Year-over-Year)
551,378 submitted translations (+18% YoY)
472,195 approved translations (+22% YoY)
13,002 new strings to translate (-38% YoY).

The number of strings added has decreased significantly overall, but not for Firefox, where the number of new strings was 60% higher than in 2024 (check out the increase of Fluent strings alone). That is not surprising, given the amount of new features (selectable profiles, unified trust panel, backup) and the upcoming settings redesign.

As in 2024, the relentless growth in the number of locales is driven by Common Voice, which now has 422 locales enabled in Pontoon (+33%).

Before we move forward, thank you to all the volunteers who contributed their time, passion, and expertise to Mozilla’s localization over the last 12 months — or plan to do so in 2026. There is always space for new contributors!

Pontoon Development

A significant part of the work on Pontoon in 2025 isn’t immediately visible to users, but it lays the groundwork for improvements that will start showing up in 2026.

One of the biggest efforts was switching to a new data model to represent all strings across all supported formats. Pontoon currently needs to handle around ten different formats, as transparently as possible for localizers, and this change is a step to reduce complexity and technical debt. As a concrete outcome, we can now support proper pluralization in Android projects, and we landed the first string using this model in Firefox 146. This removes long-standing UX limitations (no more Bookmarks saved: %1$s instead of %1$s bookmarks saved) and allows languages to provide more natural-sounding translations.

In parallel, we continued investing in a unified localization library, moz-l10n, with the goal of having a centralized, well-maintained place to handle parsing and serialization across formats in both JavaScript and Python. This work is essential to keep Pontoon maintainable as we add support for new technologies and workflows.

Pontoon as a project remains very active. In 2025 alone, Pontoon saw more than 200 commits from over 20 contributors, not including work happening in external libraries such as moz-l10n.

Finally, we’ve been improving API support, another area that is largely invisible to end users. We moved away from GraphQL and migrated to Django REST, and we’re actively working toward feature parity with Transvision to better support automation and integrations.

Community

Our main achievement in 2025 was organizing a pilot in-person event in Berlin, reconnecting localizers from around Europe after a long hiatus. Fourteen volunteers from 11 locales spent a weekend together at the Mozilla Berlin office, sharing ideas, discussing challenges, and deepening relationships that had previously existed only online. For many attendees, this was the first time they met fellow contributors they had collaborated with for years, and the energy and motivation that came out of those days clearly showed the value of human connection in sustaining our global community.

This doesn’t mean we stopped exploring other ways to connect. For example, throughout the year we continued publishing Contributor Spotlights, showcasing the amazing work of individual volunteers from different parts of the world. These stories highlight not just what our contributors do, but who they are and why they make Mozilla’s localization work possible.

Internally, these spotlights have played an important role for advocating on behalf of the community. By bringing real voices and contributions to the forefront, we’ve helped reinforce the message that investing in people — not just tools — is essential to the long-term health of Mozilla’s localization ecosystem.

What’s coming in 2026

As we move into the new year, our focus will shift to exploring alternative deployment solutions. Our goal is to make Pontoon faster, more reliable, and better equipped to meet the needs of our users.

This excerpt comes from last year’s blog post, and while it took longer than expected, the good news is that we’re finally there. On January 6, we moved Pontoon to a new hosting platform. We expect this change to bring better reliability and performance, especially in response to peaks in bot traffic that have previously made Pontoon slow or unresponsive.

In parallel, we “silently” launched the Mozilla Language Portal, a unified hub that reflects Mozilla’s unique approach to localization while serving as a central resource for the global translator community. While we still plan to expand its content, the main infrastructure is now in place and publicly available, bringing together searchable translation memories, documentation, blog posts, and other resources to support knowledge-sharing and collaboration.

On the technology side, we plan to extend plural support to iOS projects and continue improving Pontoon’s translation memory support. These improvements aim to make it easier to reuse translations across projects and formats, for example by matching strings independently of placeholder syntax differences, and to translate Fluent strings with multiple values.

We also aim to explore improvements in our machine translation options, evaluating how large language models could help with quality assessment or serve as alternative providers for MT suggestions.

Last but not least, we plan to keep investing in our community. While we don’t know yet what that will look like in practice, keep an eye on this blog for updates.

If you have any thoughts or ideas about this plan, let us know on Mastodon or Matrix!

Thank you!

As we look toward 2026, we’re grateful for the people who make Mozilla’s localization possible. Through shared effort and collaboration, we’ll continue breaking down barriers and building a web that works for everyone. Thank you for being part of this journey.

by Francesco Lodolo [:flod] at January 07, 2026 01:51 PM

Ludovic Hirlimann — Are mozilla's fork any good?

To answer that question, we first need to understand how complex, writing or maintaining a web browser is.

A "modern" web browser is :

a network stack,
and html+[1] parser,
and image+[2] decoder,
a javascript[3] interpreter compiler,
a User's interface,
integration with the underlying OS[4],
And all the other things I'm currently forgetting.

Of course, all the above point are interacting with one another in different ways. In order for "the web" to work, standards are developed and then implemented in the different browsers, rendering engines.

In order to "make" the browser, you need engineers to write and maintain the code, which is probably around 30 Million lines of code[5] for Firefox. Once the code is written, it needs to be compiled [6] and tested [6]. This requires machines that run the operating system the browser ships to (As of this day, mozilla officially ships on Linux, Microslop Windows and MacOS X - community builds for *BSD do exists and are maintained). You need engineers to maintain the compile (build) infrastructure.

Once the engineers that are responsible for the releases [7] have decided what codes and features were mature enough, they start assembling the bits of code and like the engineers, build, test and send the results to the people using said web browser.

When I was employed at Mozilla (the company that makes Firefox) around 900+ engineers were tasked with the above and a few more were working on research and development. These engineers are working 5 days a week, 8 hours per day, that's 1872000 hours of engineering brain power spent every year (It's actually less because I have not taken vacations into account) on making Firefox versions. On top of that, you need to add the cost of building and running the test before a new version reaches the end user.

The current browsing landscape looks dark, there are currently 3 choices for rendering engines, KHTML based browsers, blink based ones and gecko based ones. 90+% of the market is dominated by KHTML/blink based browsers. Blink is a fork of KHTML. This leads to less standard work, if the major engine implements a feature and others need to play catchup to stay relevant, this has happened in the 2000s with IE dominating the browser landscape[8], making it difficult to use macOS 9 or X (I'm not even mentioning Linux here :)). This also leads to most web developers using Chrome and once in a while testing with Firefox or even Safari. But if there's a little glitch, they can still ship because of market shares.

Firefox was started back in 1998, when embedding software was not really a thing with all the platform that were to be supported. Firefox is very hard to embed (eg use as a softwrae library and add stuff on top). I know that for a fact because both Camino and Thunderbird are embeding gecko.

In the last few years, Mozilla has been itching the people I connect to, who are very privacy focus and do not see with a good eye what Mozilla does with Firefox. I believe that Mozilla does this in order to stay relevant to normal users. It needs to stay relevant for at least two things :

Keep the web standards open, so anyone can implement a web browser / web services.
to have enough traffic to be able to pay all the engineers working on gecko.

Now that, I've explained a few important things, let's answer the question "Are mozilla's fork any good?"

I am biased as I've worked for the company before. But how can a few people, even if they are good and have plenty of free time, be able to cope with what maintaining a fork requires :

following security patches and porting said patches.
following development and maintain their branch with changes coming all over the place
how do they test?

If you are comfortable with that, then using a fork because Mozilla is pushing stuff you don't want is probably doable. If not, you can always kill those features you don't like using some `about:config` magic.

Now, I've set a tone above that foresees a dark future for open web technologies. What Can you do to keep the web open and with some privacy focus?

Keep using Mozilla Nightly
Give servo a try

[1] HTML is interpreted code, that's why it needs to be parsed and then rendered.

[2] In order to draw and image or a photo on a screen, you need to be able to encode it or decode it. Many file formats are available.

[3] Is a computer language that transforms HTML into something that can interact with the person using the web browser. See https://developer.mozilla.org/en-US/docs/Glossary/JavaScript

[4] Operating systems need to the very least know which program to open files with. The OS landscape has changed a lot over the last 25 years. These days you need to support 3 major OS, while in the 2000s you had more systems, IRIX for example. You still have some portions of the Mozilla code base that support these long dead systems.

[5]https://math.answers.com/math-and-arithmetic/How_many_lines_of_code_in_mozillafirefox

[6] Testing implies, testing the code and also having engineers or users using the unfinished product to see that it doesn't regress. Testing Mozilla, is explained at https://ehsanakhgari.org/wp-content/uploads/talks/test-mozilla/

[7] Read a release equals a version. Version 1.5 is a release, as is version 3.0.1.

[8] https://en.wikipedia.org/wiki/Browser_wars

by Ludovic Hirlimann at January 07, 2026 01:26 PM

Wladimir Palant — Backdoors in VStarcam cameras

VStarcam is an important brand of cameras based on the PPPP protocol. Unlike the LookCam cameras I looked into earlier, these are often being positioned as security cameras. And they in fact do a few things better like… well, like having a mostly working authentication mechanism. In order to access the camera one has to know its administrator password.

So much for the theory. When I looked into the firmware of the cameras I discovered a surprising development: over the past years this protection has been systematically undermined. Various mechanisms have been added that leak the access password, and in several cases these cannot be explained as accidents. The overall tendency is clear: for some reason VStarcam really wants to have access to their customer’s passwords.

A reminder: “P2P” functionality based on the PPPP protocol means that these cameras will always communicate with and be accessible from the internet, even when located on a home network behind NAT. Short of installing a custom firmware this can only addressed by configuring the network firewall to deny internet access.

How to recognize affected cameras

Not every VStarcam camera has “VStarcam” printed on the side. I have seen reports of VStarcam cameras being sold under the brand names Besder, MVPower, AOMG, OUSKI, and there are probably more.

Most cameras should be recognizable by the app used to manage them. Any camera managed by one of these apps should be a VStarcam camera: Eye4, EyeCloud, FEC Smart Home, HOTKam, O-KAM Pro, PnPCam, VeePai, VeeRecon, Veesky, VKAM, VsCam, VStarcam Ultra.

Downloading the firmware

VStarcam cameras have a mechanism to deliver firmware updates (LookCam cameras prove that this shouldn’t be taken for granted). The app managing the camera will request update information from an address like http://api4.eye4.cn:808/firmware/1.2.3.4/EN where 1.2.3.4 is the firmware version. If a firmware update is available the response will contain a download server and a download path. The app sends these to the device which then downloads and installs the updated firmware.

Both requests are performed over plain HTTP and this is already the first issue. If an attacker can produce a manipulated response either on the network that the app or the device are connected to they will be able to install a malicious update on the camera. The former is particularly problematic, as the camera owner may connect to an open WiFi or similarly untrusted networks while being out.

The last part of a firmware version is a build number which is ignored for the update requests. The first part is a vendor ID where only a few options seem relevant (I checked 10, 48 and 66). The rest of the version number can be easily enumerated. Many firmware branches don’t have an active update, and when they do some updates won’t download because the servers in question appear no longer operational. Still, I found 380 updates this way.

I managed to unpack all but one of these updates. Firmware version 10.1.110.2 wasn’t for a camera but rather some device with an HDMI connector and without any P2P functionality – probably a Network Video Recorder (NVR). Firmware version 10.121.160.42 wasn’t using PPPP but something called NHEP2P and an entirely different application-level protocol. Ten updates weren’t updating the camera application but only the base system. This left 367 firmware versions for this investigation.

Caveats of this survey

I do not own any VStarcam hardware, nor would it be feasible to investigate hundreds of different firmware versions with real hardware. The results of this article are based solely on reverse engineering, emulation, and automated analysis via running Ghidra in headless mode. While I can easily emulate a PPPP server, doing the same for the VStarcam cloud infrastructure isn’t possible, I simply don’t know how it behaves. Similarly, the firmware’s interaction with hardware had to be left out of the emulation. While I’m still quite confident in my results, these limitations could introduce errors.

More importantly, there are only so many firmware versions that I checked manually. Most of them were checked automatically, and I typically only looked at a few lines of decompiled code that my scripts extracted. There is potential for false negatives here, I expect that there are more issues with VStarcam firmware than what’s listed here.

VStarcam’s authentication approach

When an app communicates with a camera, it sends commands like GET /check_user.cgi?loginuse=admin&loginpas=888888&user=admin&pwd=888888. Despite the looks of it, these aren’t HTTP requests passed on to a web server. Instead, the firmware handles these in function P2pCgiParamFunction which doesn’t even attempt to parse the request. The processing code looks for substrings like check_user.cgi to identify the command (yes, you better don’t set check_user.cgi as your access password). Parameter extraction works via similar substring matching.

It’s worth noting that these cameras have a very peculiar authentication system which VStarcam calls “dual authentication.” Here is how the Eye4 application describes it:

The dual authentication mechanism is a measure to upgrade the whole system security

The device will double check the identity of the visitor and does not support the old version of app.

Considering the security risk of possible leakage, the plaintext password mode of the device was turned off and ciphertext access was used.

After the device is added for the first time, it will not be allowed to be added for a second time, and it will be shared by the person who has added it.

I’m not saying that this description is utter bullshit but there is a considerable mismatch with the reality that I can observe. The VStarcam firmware cannot accept anything other than plaintext passwords. Newer firmware versions employ obfuscation on the PPPP-level but this hardly deserves the name “ciphertext”.

What I can see is: once a device is enrolled into dual authentication, the authentication is handled by function GetUserPri_doubleVerify rather than GetUserPri. There isn’t a big difference between the two, both will try the credentials from the loginuse/loginpas parameters and fall back to the user/pwd credentials pair. Function GetUserPri_doubleVerify merely checks a different password.

From the applications I get the impression that the dual authentication password is automatically generated and probably not even shared with the user but stored in their cloud account. This is an improvement over the regular password that defaults to 888888 and allowed these cameras to be enrolled into a botnet. But it’s still a plaintext password used for authentication.

There is a second aspect to dual authentication. When dual authentication is used, the app is supposed to make a second authentication call to eye4_authentication.cgi. The loginAccount and loginToken parameters here appear to belong to the user’s cloud account, apparently meant to make sure that only the right user can access a device.

Yet in many firmware versions I’ve seen the eye4_authentication.cgi request always succeeds. The function meant to perform a web request is simply hardcoded to return the success code 200. Other firmware versions actually make a request to https://verification.eye4.cn, yet this server also seems to produce a 200 response regardless of what parameters I try. It seems that VStarcam never made this feature work the way they intended it.

None of this stopped VStarcam from boasting on their website merely a year ago:

A promotion image with the following text: O-KAM Pro. Dual authentication mechanism. AES financial grade encryption + dual authentication. We highly protect your data and privacy. Server distribution: low-power devices, 4 master servers, namely Hangzhou, Hong Kong, Frankfurt, Silicon Valey, etc.

You can certainly count on anything saying “financial grade encryption” being bullshit. I have no idea where AES comes into the picture here, I haven’t seen it being used anywhere. Maybe it’s their way of saying “we use TLS when connecting to our cloud infrastructure.”

Endpoint protection

A reasonable approach to authentication is: authentication is required before any requests unrelated to authentication can be made. This is not the approach taken by VStarcam firmware. Instead, some firmware versions decide for each endpoint individually whether authentication is necessary. Other versions put a bunch of endpoints outside of the code enforcing authentication.

The calls explicitly excluded from authentication differ by firmware version but are for example: get_online_log.cgi, show_prodhwfg.cgi, ircut_test.cgi, clear_log.cgi, alexa_ctrl.cgi, server_auth.cgi. For most of these it isn’t obvious why they should be accessible to unauthenticated users. But get_online_log.cgi caught my attention in particular.

Unauthenticated log access

So a request like GET /get_online_log.cgi?enable=1 can be sent to a camera without any authentication. This isn’t a request that any of the VStarcam apps seem to support, what does it do?

Despite the name this isn’t a download request, it rather sets a flag for the current connection. The logic behind this involves many moving parts including a Linux kernel module but the essence is this: whenever the application logs something via LogSystem_WriteLog function, the application won’t merely print that to stderr and write it to the log file on the SD card but also send it to any connection that has this flag set.

What does the application log? Lots and lots of stuff. On average, VStarcam firmware has around 1500 such logging calls. For example, it could log security tokens:

LogSystem_WriteLog("qiniu.c", "upload_qiniu", 497, 0,
                   "upload_qiniu*** filename = %s, fileid = %s, uptoken = %s\n", …);
LogSystem_WriteLog("pushservice.c", "parsePushServerRequest_cjson", 5281, 1,
                   "address=%s token =%s master= %d timestamp = %d", …);
LogSystem_WriteLog("queue.c", "CloudUp_Manage_Pth", 347, 2,
                   "token=%s", …);

It could log cloud server responses:

LogSystem_WriteLog("pushservice.c", "curlPostMqttAuthCb", 4407, 3,
                   "\n\nrspBuf = %s\n", …);
LogSystem_WriteLog("post/postFileToCloud.c", "curl_post_file_cb", 74, 0,
                   "\n\nrspBuf = %s\n", …);
LogSystem_WriteLog("pushserver.c", "curl_Eye4Authentication_write_data_cb", 2822, 0,
                   "rspBuf = %s", …);

And of course it will log the requests coming in via PPPP:

LogSystem_WriteLog("vstcp2pcmd.c", "P2pCgiParamFunction", 633, 0,
                   "sit %d, pcmd: %s", …);

Reminder: these requests contain the authentication password as parameter. So an attacker can connect to a vulnerable device, request logs and wait for the legitimate device owner to connect. Once they do their password will show up in the logs – voila, the attacker has access now.

VStarcam appears to be at least somewhat aware of this issue because some firmware versions contain code “censoring” password parameters prior to logging:

memcpy(pcmd, request, sizeof(pcmd));
char* pos = strstr(pcmd, "loginuse");
if (pos)
  *pos = 0;
LogSystem_WriteLog("vstcp2pcmd.c", "P2pCgiParamFunction", 633, 0,
                   "sit %d, pcmd: %s", sit, pcmd);

But that’s only the beginning of the story of course.

Explicit password leaking via logs

In addition to the logging calls where the password leaks as a (possibly unintended) side-effect, some logging calls are specifically designed to write the device password to the log. For example, the function GetUserPri meant to handle authentication when dual authentication isn’t enabled will often do something like this on a failed login attempt:

LogSystem_WriteLog("sysparamapp.c", "GetUserPri", 177, 0,
                   "loginuse=%s&loginpas=%s&user=admin&pwd=888888&", gUser, gPassword);

These aren’t the parameters of a received login attempt but rather what the parameters should look like for the request to succeed. And if the attacker enabled log access for their connection they will get the device credentials handed on a silver platter – without even having to wait for the device owner to connect.

If dual authentication is enabled, function GetUserPri_doubleVerify often contains a similar call:

LogSystem_WriteLog("web.c", "GetUserPri_doubleVerify", 536, 0,
                   "pri[%d] system OwnerPwd[%s] app Pwd[%s]",
                   pri, gOwnerPassword, gAppPassword);

Log uploading

What got me confused at first were the firmware versions that would log the “correct” password on failed authentication attempts but lacked the capability for unauthenticated log access. When I looked closer I found the function DoSendLogToNodeServer. The firmware receives a “node configuration” from a server which includes a “push IP” and the corresponding port number. It then opens a persistent TCP connection to that address (unencrypted of course), so that DoSendLogToNodeServer can send messages to it.

Despite the name this function doesn’t upload all of the application logs. There are only three to four DoSendLogToNodeServer calls in the firmware versions I looked at, and two are invariably found in function P2pCgiParamFunction, in code running on first failed authentication attempt:

sprintf(buffer,"password error [doublePwd][%s], [PassWd][%s]", gOwnerPassword, gPassword);
DoSendLogToNodeServer(request);
DoSendLogToNodeServer(buffer);

This is sending both the failed authentication request and the correct passwords to a VStarcam server. So while the password isn’t being leaked here to everybody who knows how to ask, it’s still being leaked to VStarcam themselves. And anybody who is eavesdropping on the device’s traffic of course.

A few firmware versions have log upload functionality in a function called startUploadLogToServer, here really all logging output is being uploaded to the server. This one isn’t called unconditionally however but rather enabled by the setLogUploadEnable.cgi endpoint. An endpoint which, you guessed it, can be accessed without authentication. But at least these firmware versions don’t seem to have any explicit password logging, only the “regular” logging of requests.

Password-leaking backdoor

With some considerable effort all of the above could be explained as debugging functionality which was mistakenly shipped to production. VStarcam wouldn’t be the first company to fail realizing that functionality labeled “for debugging purposes only” will still be abused if released with the production build of their software. But I found yet another password leak which can only be described as a backdoor.

At some point VStarcam introduced a second version of their get_online_log.cgi API. When that second version is requested the device will respond with something like:

result=0;
index=12345678;
str=abababababab;

The result=0 part is typical and indicates that authentication (or lack thereof in this case) was successful. The other two values are unusual, and eventually I decided to check what they were about. Turned out, str is a hex-encoded version of the device password after it was XOR’ed with a random byte. And index is an obfuscated representation of that byte.

I can only explain it like this: somebody at VStarcam thought that leaking passwords via log output was too obvious, people might notice. So they decided to expose the device password in a more subtle way, one that only they knew how to decode (unless somebody notices this functionality and spends two minutes studying it in the firmware).

Mind you, even though this is clearly a backdoor I’m still not ruling out incompetence. Maybe VStarcam made a large enough mess with their dual authentication that their customer support needs to recover device access on a regular basis. However, they do have device reset functionality that should normally be used for this scenario.

In the end, for their customers it doesn’t matter what the intention was. The result is a device that cannot be trusted with protecting access. For a security camera this is an unforgivable flaw.

Establishing a timeline

Now we are coming to the tough questions. Why do some firmware versions have this backdoor functionality while others don’t? When was this introduced? In what order? What is the current state of affairs?

You might think that after compiling the data on 367 firmware versions the answers would be obvious. But the data is so inconsistent that any conclusions are really difficult. Thing is, we aren’t dealing with a single evolving codebase here. We aren’t even dealing with two codebases or a dozen of them. 367 firmware versions are 367 different codebases. These codebases are related, they share some code here and there, but they are all being developed independently.

I’ve seen this development model before. What VStarcam appears to be doing is: for every new camera model they take some existing firmware and fork it. They adjust that firmware for the new hardware, they probably add new features as well. None of this work makes it into the original firmware unless it is explicitly backported. And since VStarcam is maintaining hundreds of firmware variants, the older ones are usually only receiving maintenance changes if any at all.

To make this mess complete, VStarcam’s firmware version numbers don’t make any sense at all. And I don’t mean the fact that VStarcam releases the same camera under 30 different model names, so there is no chance of figuring out the model to firmware version mapping. It’s also the firmware version numbers themselves.

As I’ve already mentioned, the last part of the firmware version is the build number, increased with each release. The first part is the vendor ID: firmware versions starting with 48 are VStarcam’s global releases whereas 66 is reserved for their Russian distributor (or rather was I think). Current VStarcam firmware is usually released with vendor ID 10 however, standing for… who knows, VeePai maybe? This leaves the two version parts in between, and I couldn’t find any logic here whatsoever. Like, firmware versions sharing the third part of the version number would sometimes be closely related, but only sometimes. At the same time the second part of the version number is supposed to represent the camera model, but that’s clearly not always correct either.

I ended up extracting all the logging calls from all the firmware versions and using that data to calculate a distance between every firmware version pair. I then fed this data into GraphViz and asked it to arrange the graph for me. It gave me the VStarcam spiral galaxy:

A graph with a number of green, yellow, orange, red and pink ovals, each containing a version number. The ovals aren’t distributed evenly but rather clustered. The color distribution also varies by cluster. Next image has more detailed descriptions of the clusters.

Click the image above to see the larger and slightly interactive version (it shows additional information when the mouse pointer is at a graph node). The green nodes are the ones that don’t allow access to device logs. Yellow are the ones providing unauthenticated log access, always logging incoming requests including their password parameters. The orange ones have additional logging that exposes the correct password on failed authentication attempts – or they call DoSendLogToNodeServer function to send the correct password to a VStarcam server. The red ones have the backdoor in the get_online_log.cgi API leaking passwords. Finally pink are the ones which pretend to improve things by censoring parameters of logged requests – yet all of these without exception leak the password via the backdoor in the get_online_log.cgi API.

Note: Firmware version 10.165.19.37 isn’t present in the graph because it is somehow based on an entirely different codebase with no relation to the others. It would be red in the graph however, as the backdoor has been implemented here as well.

Not only does this graph show the firmware versions as clusters, it’s also possible to approximately identify the direction of time for each cluster. Let’s add cluster names and time arrows to the image:

Clusters in the graph above marked with red letters A to F and blue arrows. A dense cluster of green node in the middle of the graph is marked as A. Left of it is cluster B with green node at its right edge that increasingly turn yellow towards the left edge. The blue arrow points from the cluster A to the left edge of cluster B. A small cluster below cluster A and B is labeled D, here green nodes at the top turn yellow and orange towards the bottom. Cluster E below cluster D has orange nodes at the top which increasingly turn pink towards the bottom with some green nodes in between. A blue arrow points from cluster D to the bottom of cluster E. A lengthy cluster at the top of the graph is labeled C, a blue arrow points from its left to its right edge. This cluster starts out green and mostly transitions towards orange along the time arrow. Finally the right part of the graph is occupy by a large cluster labeled F. The blue arrow starts at the orange nodes in the middle of this cluster and points into two directions: towards the mostly orange nodes at the bottom and towards the top where the orange nodes are first mostly replaced by the pink ones and then by red.

Of course this isn’t a perfect representation of the original data, and I wasn’t sure whether it could be trusted. Are these clusters real or merely an artifact produced by the graph algorithm? I verified things manually and could confirm that the clusters are in fact distinctly different on the technical level, particularly when considering updates format:

Clusters A and B represent firmware for ARM processors. I’m unsure what caused the gap between the two clusters but cluster A contains firmware from years 2019 and 2020, cluster B on the other hand is mostly years 2021 and 2022. Development pretty much stopped here, the only exception being the four red firmware versions which are recent. Updates use the “classic” ZIP format here.
Cluster C covers years 2019 to 2022. Quite remarkably, in these years the firmware from this cluster moved from ARM processors and LiteOS to MIPS processors and Linux. The original updates based on VStarcam Pack System were replaced by the VeePai-branded ZIP format and later by Ingenic updates with LZO compression. All that happened without introducing significant changes to the code but rather via incremental development.
Cluster D contains firmware for the MIPS processors from years 2022 and 2023. Updates are using the VeePai-branded ZIP format.
Cluster E formed around 2023, there is still some development being done here. It uses MIPS processors like cluster D, yet the update format is different (what I called VeePai updates in my previous blog post).
Cluster F has seen continuous development since approximately 2022, this is firmware based on Ingenic’s MIPS hardware and the most active branch of VStarcam development. Originally the VeePai-branded ZIP format was used for updates, this was later transitioned to Ingenic updates with LZO compression and finally to the same format with jzlcma compression.

With the firmware versions ordered like this I could finally make some conclusions about the introduction of the problematic features:

Unauthenticated logs access via the get_online_log.cgi API was introduced in cluster B around 2022.
Logging the correct password on failed attempts was introduced independently in cluster C. In fact, some firmware versions had this in 2020 already.
In 2021 cluster C also added the innovation that was DoSendLogToNodeServer function, sending the correct password to a VStarcam server on first failed login attempt.
Unauthenticated logs access and logging the correct password appear to have been combined in cluster D in 2023.
Cluster E initially also adopted the approach of exposing log access and logging device password on failed attempts, adding the sending of the correct password to a VStarcam server to the mix. However, starting in 2024 firmware versions with the get_online_log.cgi backdoor start popping up here, and these have all other password leaks removed. These even censor passwords in logged request parameters. Either there were security considerations at play or the other ways to expose the password were considered unnecessary at this point and too obvious.
Cluster F also introduced logging device password on failed attempts around 2023. This cluster appears to be the origin of the get_online_log.cgi backdoor, it was introduced here around 2024. Unlike with cluster E this backdoor didn’t replace the existing password leaks here but only complemented them. In fact, while cluster F was initially “censoring” parameters so that logged requests wouldn’t leak passwords, this measure appears to have been dropped later in 2024. Current cluster F firmware tends to have all the issues described in this post simultaneously. Whatever security considerations may have driven the changes in cluster E, the people in charge of cluster F clearly disagreed.

The impact

So, how bad is it? Knowing the access password allows access to the camera’s main functionality: audio and video recordings. But these cameras have been known for vulnerabilities allowing execution of arbitrary commands. Also, newer cameras have an API that will start a telnet server with hardcoded and widely known administrator credentials (older cameras had this telnet server start by default). So we have to assume that a compromised camera could become part of a botnet or be used as a starting point for attacks against a network.

But this requires accessing the camera first, and most VStarcam cameras won’t be exposed to the internet directly. They will only be reachable via the PPPP protocol. And for that the attackers would need to know the device ID. How would they get it?

There is a number of ways, most of which I’ve already discussed before. For example, anybody who was briefly connected to your network could have collected device IDs of your cameras. The script to do that won’t currently work with newer VStarcam cameras because these obfuscate the traffic on the PPPP level but the necessary adjustments aren’t exactly complicated.

PPPP networks still support “supernodes,” devices that help route traffic. Back in 2019 Paul Marrapese abused that functionality to register a rogue supernode and collect device IDs en masse. There is no indication that this trick stopped working, and the VStarcam networks are likely susceptible as well.

Users also tend to leak their device IDs themselves. They will post screenshots or videos of the app’s user interface. On the first glance this is less problematic with the O-KAM Pro app because this one will display only a vendor-specific device ID (looks similar to a PPPP device ID but has seven digits and only four letters in the verification code). That is, until you notice that the app uses a public web API to translate vendor-specific device IDs into PPPP device IDs.

Anybody who can intercept some PPPP traffic can extract the device IDs from it. Even when VStarcam networks obfuscate the traffic rather than using plaintext transmission – the static keys are well known, removing the obfuscation isn’t hard.

And finally, simply guessing device IDs is still possible. With only 5 million possible verification codes for each device IDs and servers not implementing rate limiting, bruteforce attacks are quite realistic.

Let’s not forget the elephant in the room however: VStarcam themselves know all the device IDs of course. Not just that, they know which devices are active and where. With a password they can access the cameras of interest to them (or their government) anytime.

Coordinated disclosure attempt

Given the intentional nature of these issues, I was unsure how to deal with this. I mean, what’s the point of reporting vulnerabilities to VStarcam that they are clearly aware of? In the end I decided to give them a chance to address the issues before they become public knowledge.

However, all I found was VStarcam boasting about their ISO 27001:2022 compliance. My understanding is that this requires them to have a dedicated person responsible for vulnerability management, but they are not obliged to list any security contact that can be reached from outside the company – and so they don’t. I ended up emailing all company addresses I could find, asking whether there is any way to report security issues to them.

I haven’t received any response, an experience that in my understanding other people already made with VStarcam. So I went with my initial publication schedule rather than waiting 90 days as I would normally do.

Recommendations

Whatever motives VStarcam had to backdoor their cameras, the consequence for the customers is: these cameras cannot be trusted. Their access protection should be considered compromised. Even with firmware versions shown as green on my map, there is no guarantee that I haven’t missed something or that these will still be green after the next update.

If you want to keep using a VStarcam camera, the only safe way to do it is disconnecting it from the internet. They don’t have to be disconnected physically, internet routers will often have a way to prohibit internet traffic to and from particular devices. My router for example has this feature under parental control.

Of course this will mean that you will only be able to control your camera while connected to the same network. It might be possible to explicitly configure port forwarding for the camera’s RTSP port, allowing you to access at least the video stream from outside. Just make sure that your RTSP password isn’t known to VStarcam.

January 05, 2026

Jonathan Almeida — Rebase all WIPs to the new main

A small pet-peeve with fetching the latest main on jujutsu is that I like to move all my WIP patches to the new one. That's also nice because jj doesn't make me fix the conflicts immediately!

The solution from a co-worker (kudos to skippyhammond!) is to query all immediate decendants of the previous main after the fetch.

jj git fetch
# assuming 'z' is the rev-id of the previous main.
jj rebase -s "mutable()&z+" -d main

~~I haven't learnt how to make aliases accept params with it yet, so this will have to do for now.~~

Update: After a bit of searching, it seems that today this is only possible by wrapping it in a shell script. Based on the examples in the jj documentation an alias would look like this:

[aliases]
# Update all revs to the latest main; point to the previous one.
hoist = ["util", "exec", "--", "bash", "-c", """
set -euo pipefail
jj rebase -s "mutable()&$1+" -d "main"
""", ""]

by Jonathan Almeida at January 05, 2026 11:10 PM

Wladimir Palant — Analysis of PPPP “encryption”

My first article on the PPPP protocol already said everything there was to say about PPPP “encryption”:

Keys are static and usually trivial to extract from the app.
No matter how long the original key, it is mapped to an effective key that’s merely four bytes long.
The “encryption” is extremely susceptible to known-plaintext attacks, usually allowing reconstruction of the effective key from a single encrypted packet.

So this thing is completely broken, why look any further? There is at least one situation where you don’t know the app being used so you cannot extract the key and you don’t have any traffic to analyze either. It’s when you are trying to scan your local network for potential hidden cameras.

This script will currently only work for cameras using plaintext communication. Other cameras expect a properly encrypted “LAN search” packet and will ignore everything else. How can this be solved without listing all possible keys in the script? By sending all possible ciphertexts of course!

TL;DR: What would be completely ridiculous with any reasonable protocol turned out to be quite possible with PPPP. There are at most 157,092 ways in which a “LAN search” packet can be encrypted. I’ve opened a pull request to have the PPPP device detection script adjusted.

Note: Cryptanalysis isn’t my topic, I am by no means an expert here. These issues are simply too obvious.

Mapping keys to effective keys

The key which is specified as part of the app’s “init string” is not being used for encryption directly. Nor is it being fed into any of the established key stretching algorithms. Instead, a key represented by the byte sequence $<annotation encoding="application/x-tex">b_1, b_2, \ldots, b_n</annotation></semantics>$ is mapped to four bytes $<semantics> k_{1}, k_{2}, k_{3}, k_{4} <annotation encoding="application/x-tex">k_1, k_2, k_3, k_4</annotation></semantics>$ that become the effective key. These bytes are calculated as follows ( $<annotation encoding="application/x-tex">\lfloor x \rfloor</annotation></semantics>$ means rounding down, $<annotation encoding="application/x-tex">\otimes</annotation></semantics>$ stands for the bitwise XOR operation):

<annotation encoding="application/x-tex"> \begin{aligned} k_1 &= (b_1 + b_2 + \ldots + b_n) \mod 256\\ k_2 &= (-b_1 + -b_2 + \ldots + -b_n) \mod 256\\ k_3 &= (\lfloor b_1 \div 3 \rfloor + \lfloor b_2 \div 3 \rfloor + \ldots + \lfloor b_n \div 3 \rfloor) \mod 256\\ k_4 &= b_1 \otimes b_2 \otimes \ldots \otimes b_n \end{aligned} </annotation></semantics>

In theory, a 4 byte long effective key means $<annotation encoding="application/x-tex">256^4 = 4{,}294{,}967{,}296</annotation></semantics>$ possible values. But that would only be the case if these bytes were independent of each other.

Redundancies within the effective key

Of course the bytes of the effective key are not independent. This is most obvious with $<semantics> k_{2} <annotation encoding="application/x-tex">k_2</annotation></semantics>$ which is completely determined by $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ :

<annotation encoding="application/x-tex"> \begin{aligned} k_2 &= (-b_1 + -b_2 + \ldots + -b_n) \mod 256\\ &= -(b_1 + b_2 + \ldots + b_n) \mod 256\\ &= -k_1 \mod 256 \end{aligned} </annotation></semantics>

This means that we can ignore $<semantics> k_{2} <annotation encoding="application/x-tex">k_2</annotation></semantics>$ , bringing the number of possible effective keys down to $<annotation encoding="application/x-tex">256^3 = 16{,}777{,}216</annotation></semantics>$ .

Now let’s have a look at the relationship between $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ and $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ . Addition and bitwise XOR operations are very similar, the latter merely ignores carry. This difference affects all the bits of the result but the lowest one, no carry to be considered here. This means that the lowest bits of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ and $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ are always identical. So $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ has only 128 possible values for any value of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ , bringing the total number of effective keys down to $<annotation encoding="application/x-tex">256 \cdot 256 \cdot 128 = 8{,}388{,}608</annotation></semantics>$ .

And that’s how far we can get considering only redundancies. It can be shown that a key can be constructed resulting in any combination of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ and $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ values. Similarly, it can be shown that any combination of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ and $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ is possible as long as the lowest bit is identical.

ASCII to the rescue

But the keys we are dealing with here aren’t arbitrary bytes. These aren’t limited to alphanumeric characters, some keys also contain punctuation, but they are all invariably limited to the ASCII range. And that means that the highest bit is never set in any of the $<semantics> b_{i} <annotation encoding="application/x-tex">b_i</annotation></semantics>$ values.

Which in turn means that the highest bit is never set in $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ due to the nature of the bitwise XOR operation. We can once again rule out half of the effective keys, for any given value of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ there are only 64 possible values of $<semantics> k_{4} <annotation encoding="application/x-tex">k_4</annotation></semantics>$ . We now have $<annotation encoding="application/x-tex">256 \cdot 256 \cdot 64 = 4{,}194{,}304</annotation></semantics>$ possible effective keys.

How large is n?

Now let’s have a thorough look at how $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ relates to $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ , ignoring the modulo operation at first. We are taking one third of each byte, rounding it down and summing that up. What if we were to sum up first and round down at the end, how would that relate? Well, it definitely cannot be smaller than rounding down in each step, so we have an upper bound here.

<annotation encoding="application/x-tex"> \lfloor b_1 \div 3 \rfloor + \lfloor b_2 \div 3 \rfloor + \ldots + \lfloor b_n \div 3 \rfloor \leq \lfloor (b_1 + b_2 + \ldots + b_n) \div 3 \rfloor </annotation></semantics>

How much smaller can the left side get? Each time we round down this removes at most two thirds, and we do this $<semantics> n <annotation encoding="application/x-tex">n</annotation></semantics>$ times. So altogether these rounding operations reduce the result by at most $<annotation encoding="application/x-tex">n \cdot 2 \div 3</annotation></semantics>$ . This gives us a lower bound:

<annotation encoding="application/x-tex"> \lceil (b_1 + b_2 + \ldots + b_n - n \cdot 2) \div 3 \rceil \leq \lfloor b_1 \div 3 \rfloor + \lfloor b_2 \div 3 \rfloor + \ldots + \lfloor b_n \div 3 \rfloor </annotation></semantics>

If $<semantics> n <annotation encoding="application/x-tex">n</annotation></semantics>$ is arbitrary these bounds don’t help us at all. But $<semantics> n <annotation encoding="application/x-tex">n</annotation></semantics>$ isn’t arbitrary, the keys used for PPPP encryption tend to be fairly short. Let’s say that we are dealing with keys of length 16 at most which is a safe bet. If we know the sum of the bytes these bounds allow us to narrow down $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ to $<annotation encoding="application/x-tex">\lceil 16 \cdot 2 \div 3 \rceil = 11</annotation></semantics>$ possible values.

But we don’t know the sum of bytes. What we have is $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ which is that sum modulo 256, and the sum is actually $<annotation encoding="application/x-tex">i \cdot 256 + k_1</annotation></semantics>$ where $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ is some nonnegative integer. How large can $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ get? Remembering that we are dealing with ASCII keys, each byte has at most the value 127. And we have at most 16 bytes. So the sum of bytes cannot be higher than $<annotation encoding="application/x-tex">127 \cdot 16 = 2032</annotation></semantics>$ (or 7F0 in hexadecimal). Consequently, $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ is 7 at most.

Let’s write down the bounds for $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ now:

<annotation encoding="application/x-tex"> \lceil (i \cdot 256 + k_1 - n \cdot 2) \div 3 \rceil \leq j \cdot 256 + k_3 \leq \lfloor (i \cdot 256 + k_1) \div 3 \rfloor </annotation></semantics>

We have to consider this for eight possible values of $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ . Wait, do we really?

Once we move into modulo 256 space again, the $<annotation encoding="application/x-tex">i \cdot 256 \div 3</annotation></semantics>$ part of our bounds (which is the only part dependent on $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ ) will assume the same value after every three $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ values. So only three values of $<semantics> i <annotation encoding="application/x-tex">i</annotation></semantics>$ are really relevant, say 0, 1 and 2. Meaning that for each value of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ we have $<annotation encoding="application/x-tex">3 \cdot 11 = 33</annotation></semantics>$ possible values for $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ .

This gives us $<annotation encoding="application/x-tex">256 \cdot 33 \cdot 64 = 540{,}672</annotation></semantics>$ as the number of possible effective keys. My experiments with random keys indicate that this should be pretty much as far down as it goes. There may still be more edge conditions rendering some effective keys impossible, but if these exist their impact is insignificant.

Not all effective keys are equally likely however, the $<semantics> k_{3} <annotation encoding="application/x-tex">k_3</annotation></semantics>$ values at the outer edges of the possible range are very unlikely. So one could prioritize the keys by probability – if the total number weren’t already low enough to render this exercise moot.

How many ciphertexts is that?

We have the four byte plaintext F1 30 00 00 and we have 540,672 possible effective keys. How many ciphertexts does this translate to? With any reasonable encryption scheme the answer would be: slightly less than 540,672 due to a few unlikely collisions which could occur here.

But PPPP doesn’t use a reasonable encryption scheme. With merely four bytes of plaintext there is a significant chance that PPPP will only use part of the effective key for encryption, resulting in identical ciphertexts for every key sharing that part. I didn’t bother analyzing this possibility mathematically, my script simply generated all possible ciphertexts. So the exact answer is: 540,672 effective keys produce 157,092 ciphertexts.

And that’s why you should leave cryptography to experts.

Understanding the response

Now let’s say we send 157,092 encrypted requests. An encrypted response comes back. How do we decrypt it without knowing which of the requests was accepted?

All PPPP packets start with the magic byte F1, so the first byte of our response’s plaintext must be F1 as well. The “encryption” scheme used by PPPP allows translating that knowledge directly into the value of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ . Now one could probably (definitely) guess more plaintext parts and with some clever tricks deduce the rest of the effective key. But there are only $<annotation encoding="application/x-tex">33 \cdot 64 = 2{,}112</annotation></semantics>$ possible effective keys for each value of $<semantics> k_{1} <annotation encoding="application/x-tex">k_1</annotation></semantics>$ anyway. It’s much easier to simply try out all 2,112 possibilities and see which one results in a response that makes sense.

The response here is 24 bytes large, making ambiguous decryptions less likely. Still, my experiments show that in approximately 4% of the cases closely related keys will produce valid but different decryption results. So you will get two or more similar device IDs and any one of them could be correct. I don’t think that this ambiguity can be resolved without further communication with the device, but at least with my changes the script reliably detects when a PPPP device is present on the network.

Jonathan Almeida — Update jj bookmarks to the latest revision

Got this one from another colleague as well but it seems like most folks use some version of this daily that it might be good to have this built-in.

Before I can jj git push my current bookmark to my remote, I need to update where my (tracked) bookmark is, to the latest change:

@  ptuqwsty git@jonalmeida.com 2026-01-05 16:00:22 451384bf <-- move 'main' here.
│  TIL: Update remote bookmark to the latest revision
◆  xoqwkuvu git@jonalmeida.com 2025-12-30 19:50:51 main git_head() 9ad7ce11
│  TIL: Preserve image scale with ImageMagick
~

A quick one-liner jj tug does that for me:

@  ptuqwsty git@jonalmeida.com 2026-01-05 16:03:54 main* 6e7173b4
│  TIL: Update remote bookmark to the latest revision
◆  xoqwkuvu git@jonalmeida.com 2025-12-30 19:50:51 main@origin git_head() 9ad7ce11
│  TIL: Preserve image scale with ImageMagick
~

The alias is quite straight-forward:

[aliases]
# Update your bookmarks to your latest rev.
tug = ["bookmark", "move", "--from", "heads(::@ & bookmarks())", "--to", "@"]

by Jonathan Almeida at January 05, 2026 12:00 AM

The Rust Programming Language Blog — Project goals update — December 2025

The Rust project is currently working towards a slate of 41 project goals, with 13 of them designated as Flagship Goals. This post provides selected updates on our progress towards these goals (or, in some cases, lack thereof). The full details for any particular goal are available in its associated tracking issue on the rust-project-goals repository.

Flagship goals

"Beyond the `&`"

Continue Experimentation with Pin Ergonomics (rust-lang/rust-project-goals#389)

Progress
Point of contact	Frank King
Champions	compiler (Oliver Scherer), lang (TC)
Task owners	Frank King

1 detailed update available.

Comment by @frank-king posted on 2025-12-18:

Key developments: forbid manual impl of Unpin for #[pin_v2] types.
Blockers: PRs waiting for review:
- impl Drop::pin_drop (the submodule issue)
- coercion of &pin mut|const T <-> &[mut] T
Help wanted: None yet.

Design a language feature to solve Field Projections (rust-lang/rust-project-goals#390)

Progress
Point of contact	Benno Lossin
Champions	lang (Tyler Mandry)
Task owners	Benno Lossin

5 detailed updates available.

Comment by @BennoLossin posted on 2025-12-07:

Since we have chosen virtual places as the new approach, we reviewed what open questions are most pressing for the design. Our discussion resulted in the following five questions:

Should we have 1-level projections xor multi-level projections?
What is the semantic meaning of the borrow checker rules (BorrowKind)?
How should we add "canonical projections" for types such that we have nice and short syntax (like x~y or x.@y)?
What to do about non-indirected containers (Cell, MaybeUninit, Mutex, etc)?
How does one inspect/query Projection types?

We will focus on these questions in December as well as implementing FRTs.

Comment by @BennoLossin posted on 2025-12-12:

Canonical Projections

We have discussed canonical projections and come up with the following solution:

pub trait CanonicalReborrow: HasPlace {
    type Output<'a, P: Projection<Source = Self::Target>>: HasPlace<Target = P::Target>
    where
        Self: PlaceBorrow<'a, P, Self::Output<'a, P>>;
}

Implementing this trait permits using the syntax @$place_expr where the place's origin is of the type Self (for example @x.y where x: Self and y is an identifier or tuple index, or @x.y.z etc). It is desugared to be:

@<<Self as CanonicalReborrow>::Output<'_, projection_from_place_expr!($place_expr)>> $place_expr

(The names of the trait, associated type and syntax are not final, better suggestions welcome.)

Reasoning

We need the Output associated type to support the @x.y syntax for Arc and ArcRef.
We put the FRT and lifetime parameter on Output in order to force implementers to always provide a canonical reborrow, so if @x.a works, then @x.b also works (when b also is a field of the struct contained by x).
- This (sadly or luckily) also has the effect that making @x.a and @x.b return different wrapper types is more difficult to implement and requires a fair bit of trait dancing. We should think about discouraging this in the documentation.

Comment by @BennoLossin posted on 2025-12-16:

Non-Indirected Containers

Types like MaybeUninit<T>, Cell<T>, ManuallyDrop<T>, RefCell<T> etc. currently do not fit into our virtual places model, since they don't have an indirection. They contain the place directly inline (and some are even repr(transparent)). For this reason, we currently don't have projections available for &mut MaybeUninit<T>.

Enter our new trait PlaceWrapper which these types implement in order to make projections available for them. We call these types place wrappers. Here is the definition of the trait:

pub unsafe trait PlaceWrapper<P: Projection<Source = Self::Target>>: HasPlace {
    type WrappedProjection: Projection<Source = Self>;

    fn wrap_projection(p: P) -> Self::WrappedProjection;
}

This trait should only be implemented when Self doesn't contain the place as an indirection (so for example Box must not implement the trait). When this trait is implemented, then Self has "virtual fields" available (actually all kinds of place projections). The name of these virtual fields/projections is the same as the ones of the contained place. But their output type is controlled by this trait.

As an example, here is the implementation for MaybeUninit:

impl<T, P: Projection<Source = T>> PlaceWrapper<P> for MaybeUninit<T> {
    type WrappedProjection = TransparentProjection<P, MaybeUninit<T>, MaybeUninit<P::Target>>;

    fn wrap_projection(p: P) -> Self::WrappedProjection {
        TransparentProjection(p, PhantomData, PhantomData)
    }
}

Where TransparentProjection will be available in the standard library defined as:

pub struct TransparentProjection<P, Src, Tgt>(P, PhantomData<Src>, PhantomData<Tgt>);

impl<P: Projection, Src, Tgt> Projection for TransparentProjection<P, Src, Tgt> {
    type Source = Src;
    type Target = Tgt;

    fn offset(&self) -> usize {
        self.0.offset()
    }
}

When there is ambiguity, because the wrapper and the wrapped types both have the same field, the wrapper's field takes precedence (this is the same as it currently works for Deref). It is still possible to refer to the wrapped field by first dereferencing the container, so x.field refers to the wrapper's field and (*x).field refers to the field of the wrapped type.

Comment by @BennoLossin posted on 2025-12-20:

Field-by-Field Projections vs One-Shot Projections

We have used several different names for these two ways of implementing projections. The first is also called 1-level projections and the second multi-level projections.

The field-by-field approach uses field representing types (FRTs), which represent a single field of a struct with no indirection. When writing something like @x.y.z, we perform the place operation twice, first using the FRT field_of!(X, y) and then again with field_of!(T, z) where T is the resulting type of the first projection.

The second approach called one-shot projections instead extends FRTs with projections, these are compositions of FRTs, can be empty and dynamic. Using these we desugar @x.y.z to a single place operation.

Field-by-field projections have the advantage that they simplify the implementation for users of the feature, the compiler implementation and the mental model that people will have to keep in mind when interacting with field projections. However, they also have pretty big downsides, which either are fundamental to their design or would require significant complification of the feature:

They have less expressiveness than one-shot projections. For example, when moving out a subsubfield of x: &own Struct by doing let a = @x.field.a, we have to move out field, which prevents us from later writing let b = @x.field.b. One-shot projections allow us to track individual subsubfields with the borrow checker.
Field-by-field projections also make it difficult to define type-changing projections in an inference friendly way. Projecting through multiple fields could result in several changes of types in between, so we would have to require only canonical projections in certain places. However, this requires certain intermediate types for which defining their safety invariants is very complex.

We additionally note that the single function call desugaring is also a simplification that also lends itself much better when explaining what the @ syntax does.

All of this points in the direction of proceeding with one-shot projections and we will most likely do that. However, we must note that the field-by-field approach might yield easier trait definitions that make implementing the various place operations more manageable. There are several open issues on how to design the field-by-field API in the place variation (the previous proposal did have this mapped out clearly, but it does not translate very well to places), which would require significant effort to solve. So at this point we cannot really give a fair comparison. Our initial scouting of the solutions revealed that they all have some sort of limitation (as we explained above for intermediate projection types for example), which make field-by-field projections less desirable. So for the moment, we are set on one-shot projections, but when the time comes to write the RFC we need to revisit the idea of field-by-field projections.

Comment by @BennoLossin posted on 2025-12-25:

Wiki Project

We started a wiki project at https://rust-lang.github.io/beyond-refs to map out the solution space. We intend to grow it into the single source of truth for the current state of the field projection proposal as well as unfinished and obsolete ideas and connections between them. Additionally, we will aim to add the same kind of information for the in-place initialization effort, since it has overlap with field projections and, more importantly, has a similarly large solution space.

In the beginning you might find many stub pages in the wiki, which we will work on making more complete. We will also mark pages that contain old or abandoned ideas as such as well as mark the current proposal.

This issue will continue to receive regular detailed updates, which are designed for those keeping reasonably up-to-date with the feature. For anyone out of the loop, the wiki project will be a much better place when it contains more content.

Reborrow traits (rust-lang/rust-project-goals#399)

Progress
Point of contact	Aapo Alasuutari
Champions	compiler (Oliver Scherer), lang (Tyler Mandry)
Task owners	Aapo Alasuutari

1 detailed update available.

Comment by @aapoalas posted on 2025-12-17:

Purpose

A refresher on what we want to achieve here: the most basic form of reborrowing we want to enable is this:

// Note: not Clone or Copy
#[derive(Reborrow)]
struct MyMutMarker<'a>(...);

// ...

let marker: MyMarkerMut = MyMutMarker::new();
some_call(marker);
some_call(marker);

ie. make it possible for an owned value to be passed into a call twice and have Rust inject a reborrow at each call site to produce a new bitwise copy of the original value for the passing purposes, and mark the original value as disabled for reads and writes for the duration of the borrow.

A notable complication appears with implementing such reborrowing in userland using explicit cals when dealing with returned values:

return some_call(marker.reborrow());

If the borrowed lifetime escapes through the return value, then this will not compile as the borrowed lifetime is based on a value local to this function. Alongside convenience, this is the major reason for the Reborrow traits work.

CoerceShared is a secondary trait that enables equivalent reborrowing that only disables the original value for writes, ie. matching the &mut T to &T coercion.

Update

We have the Reborrow trait working, albeit currently with a bug in which the marker must be bound as let mut. We are working towards a working CoerceShared trait in the following form:

trait CoerceShared<Target: Copy> {}

Originally the trait had a type Target ADT but this turned out to be unnecessary, as there is no reason to particularly disallow multiple coercion targets. The original reason for using an ADT to disallow multiple coercion targets was based on the trait also having an unsafe method, at which point unscrupulous users could use the trait as a generic coercion trait. Because the trait method was found to be unnecessary, the fear is also unnecessary.

This means that the trait has better chances of working with multiple coercing lifetimes (think a collection of &muts all coercing to &s, or only some of them). However, we are currently avoiding any support of multiple lifetimes as we want to avoid dealing with rmeta before we have the basic functionality working.

"Flexible, fast(er) compilation"

build-std (rust-lang/rust-project-goals#274)

Progress
Point of contact	David Wood
Champions	cargo (Eric Huss), compiler (David Wood), libs (Amanieu d'Antras)
Task owners	Adam Gemmell, David Wood

1 detailed update available.

Comment by @davidtwco posted on 2025-12-15:

rust-lang/rfcs#3873 is waiting on one checkbox before entering the final comment period. We had our sync meeting on the 11th and decided that we would enter FCP on rust-lang/rfcs#3874 and rust-lang/rfcs#3875 after rust-lang/rfcs#3873 is accepted. We've responded to almost all of the feedback on the next two RFCs and expect the FCP to act as a forcing-function so that the relevant teams take a look, they can always register concerns if there are things we need to address, and if we need to make any major changes then we'll restart the FCP.

Production-ready cranelift backend (rust-lang/rust-project-goals#397)

Progress
Point of contact	Folkert de Vries
Champions	compiler (bjorn3)
Task owners	bjorn3, Folkert de Vries, [Trifecta Tech Foundation]

1 detailed update available.

Comment by @folkertdev posted on 2025-12-01:

We did not receive the funding we needed to work on this goal, so no progress has been made.

Overall I think the improvements we felt comfortable promising are on the low side. Overall the amount of time spent in codegen for realistic changes to real code bases was smaller than expected, meaning that the improvements that cranelift can deliver for the end-user experience are smaller.

We still believe larger gains can be made with more effort, but did not feel confident in promising hard numbers.

So for now, let's close this.

Promoting Parallel Front End (rust-lang/rust-project-goals#121)

Progress
Point of contact	Sparrow Li
Task owners	Sparrow Li

No detailed updates available.

Relink don't Rebuild (rust-lang/rust-project-goals#400)

Progress
Point of contact	Jane Lusby
Champions	cargo (Weihang Lo), compiler (Oliver Scherer)
Task owners	@dropbear32, @osiewicz

No detailed updates available.

"Higher-level Rust"

Ergonomic ref-counting: RFC decision and preview (rust-lang/rust-project-goals#107)

Progress
Point of contact	Niko Matsakis
Champions	compiler (Santiago Pastorino), lang (Niko Matsakis)
Task owners	Niko Matsakis, Santiago Pastorino

No detailed updates available.

Stabilize cargo-script (rust-lang/rust-project-goals#119)

Progress
Point of contact	Ed Page
Champions	cargo (Ed Page), lang (Josh Triplett), lang-docs (Josh Triplett)
Task owners	Ed Page

1 detailed update available.

Comment by @epage posted on 2025-12-15:

Key developments

A fence length limit was added in response to T-lang feedback (https://github.com/rust-lang/rust/pull/149358)
Whether to disallow or lint for CR inside of a frontmatter is under discussion (https://github.com/rust-lang/rust/pull/149823)

Blockers

https://github.com/rust-lang/rust/pull/146377
rustdoc deciding on and implementing how they want frontmatter handled in doctests

"Unblocking dormant traits"

Evolving trait hierarchies (rust-lang/rust-project-goals#393)

Progress
Point of contact	Taylor Cramer
Champions	lang (Taylor Cramer), types (Oliver Scherer)
Task owners	Taylor Cramer, Taylor Cramer & others

1 detailed update available.

Comment by @cramertj posted on 2025-12-17:

Current status:

The RFC for auto impl supertraits has been updated to address SemVer compatibility issues.
There is a parsing PR kicking off an experimental implementation. The tracking issue for this experimental implementation is here.

In-place initialization (rust-lang/rust-project-goals#395)

Progress
Point of contact	Alice Ryhl
Champions	lang (Taylor Cramer)
Task owners	Benno Lossin, Alice Ryhl, Michael Goulet, Taylor Cramer, Josh Triplett, Gary Guo, Yoshua Wuyts

No detailed updates available.

Next-generation trait solver (rust-lang/rust-project-goals#113)

Progress
Point of contact	lcnr
Champions	types (lcnr)
Task owners	Boxy, Michael Goulet, lcnr

1 detailed update available.

Comment by @lcnr posted on 2025-12-15:

We've continued to fix a bunch of smaller issues over the last month. Tim (Theemathas Chirananthavat) helped uncover a new potential issue due to non-fatal overflow which we'll have to consider before stabilizing the new solver: https://github.com/rust-lang/trait-system-refactor-initiative/issues/258.

I fixed two issues myself in https://github.com/rust-lang/rust/pull/148823 and https://github.com/rust-lang/rust/pull/148865.

tiif with help by Boxy fixed query cycles when evaluating constants in where-clauses: https://github.com/rust-lang/rust/pull/148698.

@adwinwhite fixed a subtle issues involving coroutine witnesses in https://github.com/rust-lang/rust/pull/149167 after having diagnosed the underlying issue there last month. They've also fixed a smaller diagnostics issue in https://github.com/rust-lang/rust/pull/149299. Finally, they've also fixed an edge case of impl well-formedness checking in https://github.com/rust-lang/rust/pull/149345.

Shoyu Vanilla fixed a broken interaction of aliases and fudging in https://github.com/rust-lang/rust/pull/149320. Looking into fudging and HIR typeck Expectation handling also uncovered a bunch of broken edge-cases and I've openedhttps://github.com/rust-lang/rust/issues/149379 to track these separately.

I have recently spent some time thinking about the remaining necessary work and posted a write-up on my personal blog: https://lcnr.de/blog/2025/12/01/next-solver-update.html. I am currently trying to get a clearer perspective on our cycle handling while slowly working towards an RFC for the changes there. This is challenging as we don't have a good theoretical foundation here yet.

Stabilizable Polonius support on nightly (rust-lang/rust-project-goals#118)

Progress
Point of contact	Rémy Rakic
Champions	types (Jack Huey)
Task owners	Amanda Stjerna, Rémy Rakic, Niko Matsakis

2 detailed updates available.

Comment by @lqd posted on 2025-12-30:

This month's key developments were:

borrowck support in a-mir-formality has been progressing steadily — it has its own dedicated updates in https://github.com/rust-lang/rust-project-goals/issues/122 for more details
we were also able to find a suitable project for the master's student project on a-mir-formality (and they accepted and should start around February) and which will help expand our testing coverage for the polonius alpha as well.
tiif has kept making progress on fixing opaque type soundness issue https://github.com/rust-lang/trait-system-refactor-initiative/issues/159. It is the one remaining blocker for passing all tests. By itself it will not immediately fix the two remaining (soundness) issues with opaque type region liveness, but we'll able to use the same supporting code to ensure the regions are indeed live where they need to be.
I quickly cleaned up some inefficiencies in constraint conversion, it hasn't landed yet but it maybe won't need to because of the next item
but most of the time this month was spent on this final item: we have the first interesting results from the rewriting effort. After a handful of wrong starts, I have a branch almost ready to switch the constraint graph to be lazy and computed during traversal. It removes the need to index the numerous list of constraints, or to convert liveness data to a different shape. It thus greatly reduces the current alpha overhead (some rare cases look faster than NLLs but I don't yet know why, maybe due to being able to better use the sparseness, low connectivity of the constraint graph, and a small number of loans). The overhead wasn't entirely removed of course: the worst offending benchmark has a +5% wall-time regression, but icounts are worse looking (+13%). This was also only benchmarking the algorithm itself, without the improvements to the rest of borrowck mentioned in previous updates. I should be able to open a PR in the next couple days, once I figure out how to best convert the polonius mermaid graph dump to the new lazy localized constraint generation.
and finally, happy holidays everyone!

Comment by @lqd posted on 2025-12-31:

I should be able to open a PR in the next couple days

done in https://github.com/rust-lang/rust/pull/150551

Goals looking for help

Other goal updates

Add a team charter for rustdoc team (rust-lang/rust-project-goals#387)

Progress
Point of contact	Guillaume Gomez
Champions	rustdoc (Guillaume Gomez)

No detailed updates available.

Borrow checking in a-mir-formality (rust-lang/rust-project-goals#122)

Progress
Point of contact	Niko Matsakis
Champions	types (Niko Matsakis)
Task owners	Niko Matsakis, tiif

4 detailed updates available.

Comment by @nikomatsakis posted on 2025-12-03:

PR https://github.com/rust-lang/a-mir-formality/pull/206 contains a "first draft" for the NLL rules. It checks for loan violations (e.g., mutating borrowed data) as well as some notion of outlives requirements. It does not check for move errors and there aren't a lot of tests yet.

Comment by @nikomatsakis posted on 2025-12-03:

The PR also includes two big improvements to the a-mir-formality framework:

support for (for_all) rules that can handle "iteration"
tracking proof trees, making it much easier to tell why something is accepted that should not be

Comment by @nikomatsakis posted on 2025-12-10:

Update: opened https://github.com/rust-lang/a-mir-formality/pull/207 which contains support for &mut, wrote some new tests (including one FIXME), and added a test for NLL Problem Case #3 (which behaved as expected).

One interesting thing (cc Ralf Jung) is that we have diverged from MiniRust in a few minor ways:

We do not support embedding value expressions in place expressions.
Where MiniRust has a AddrOf operator that uses the PtrType to decide what kind of operation it is, we have added a Ref MIR operation. This is in part because we need information that is not present in MiniRust, specifically a lifetime.
We have also opted to extend goto with the ability to take multiple successors, so that goto b1, b2 can be seen as "goto either b1 or b2 non-deterministically" (the actual opsem would probably be to always go to b1, making this a way to add "fake edges", but the analysis should not assume that).

Comment by @nikomatsakis posted on 2025-12-17:

Update: opened https://github.com/rust-lang/a-mir-formality/pull/210 with today's work. We are discussing how to move the checker to support polonius-alpha. To that end, we introduced feature gates (so that a-mir-formality can model nightly features) and did some refactoring of the type checker aiming at allowing outlives to become flow-sensitive.

C++/Rust Interop Problem Space Mapping (rust-lang/rust-project-goals#388)

Progress
Point of contact	Jon Bauman
Champions	compiler (Oliver Scherer), lang (Tyler Mandry), libs (David Tolnay)
Task owners	Jon Bauman

No detailed updates available.

Comprehensive niche checks for Rust (rust-lang/rust-project-goals#262)

Progress
Point of contact	Bastian Kersting
Champions	compiler (Ben Kimock), opsem (Ben Kimock)
Task owners	Bastian Kersting], Jakob Koschel

No detailed updates available.

Const Generics (rust-lang/rust-project-goals#100)

Progress
Point of contact	Boxy
Champions	lang (Niko Matsakis)
Task owners	Boxy, Noah Lev

3 detailed updates available.

Comment by @BoxyUwU posted on 2025-12-30:

Since the last update both of my PRs I mentioned have landed, allowing for constructing ADTs in const arguments while making use of generic parameters. This makes MGCA effectively a "full" prototype where it can now fully demonstrate the core concept of the feature. There's still a lot of work left to do but now we're at the point of finishing out the feature :)

Once again huge thanks to camelid for sticking with me throughout this. Also thanks to errs, oli and lcnr for reviewing some of the work and chatting with me about possible impl decisions.

Some examples of what is possible with MGCA as of the end of this goal cycle:

#![feature(const_default, const_trait_impl, min_generic_const_args)]

trait Trait {
    #[type_const]
    const ASSOC: usize;
}

fn mk_array<T: const Default + Trait>() -> [T; T::ASSOC] {
    [const { T::default() }; _]
}

#![feature(adt_const_params, min_generic_const_args)]

fn foo<const N: Option<u32>>() {}

trait Trait {
    #[type_const]
    const ASSOC: usize;
}

fn bar<T: Trait, const N: u32>() {
    // the initializer of `_0` is a `N` which is a legal const argument
    // so this is ok.
    foo::<{ Some::<u32> { 0: N } }>();

    // this is allowed as mgca supports uses of assoc consts in the
    // type system. ie `<T as Trait>::ASSOC` is a legal const argument
    foo::<{ Some::<u32> { 0: <T as Trait>::ASSOC } }>();

    // this on the other hand is not allowed as `N + 1` is not a legal
    // const argument
    foo::<{ Some::<u32> { 0: N + 1 } }>(); // ERROR
}

As for adt_const_params we now have a zulip stream specifically for discussion of the upcoming RFC and the drafting of the RFC: #project-const-generics/adt_const_params-rfc. I've gotten part of the way through actually writing the RFC itself though it's gone slower than I had originally hoped as I've also been spending more time thinking through the implications of allowing private data in const generics.

I've debugged the remaining two ICEs making adt_const_params not fully ready for stabilization and written some brief instructions on how to resolve them. One ICE has been incidentally fixed (though more masked) by some work that Kivooeo has been doing on MGCA. The other has been picked up by someone I'm not sure the github handle of so that will also be getting fixed soon.

Comment by @BoxyUwU posted on 2025-12-30:

Ah I forgot to mention, even though MGCA has a tonne of work left to do I expect it should be somewhat approachable for people to help out with. So if people are interested in getting involved now is a good time :)

Comment by @BoxyUwU posted on 2025-12-30:

Ah another thing I forgot to mention. David Wood spent some time looking into the name mangling scheme for adt_const_params stuff to make sure it would be fine to stabilize and it seems it is so that's another step closer to adt_const_params being stabilizable

Continue resolving `cargo-semver-checks` blockers for merging into cargo (rust-lang/rust-project-goals#104)

Progress
Point of contact	Predrag Gruevski
Champions	cargo (Ed Page), rustdoc (Alona Enraght-Moony)
Task owners	Predrag Gruevski

No detailed updates available.

Develop the capabilities to keep the FLS up to date (rust-lang/rust-project-goals#391)

Progress
Point of contact	Pete LeVasseur
Champions	bootstrap (Jakub Beránek), lang (Niko Matsakis), spec (Pete LeVasseur)
Task owners	Pete LeVasseur, Contributors from Ferrous Systems and others TBD, `t-spec` and contributors from Ferrous Systems

1 detailed update available.

Comment by @PLeVasseur posted on 2025-12-16:

Meeting notes here: FLS team meeting 2025-12-12

Key developments: We're close to completing the FLS release for 1.91.0, 1.91.1. We've started to operate as a team, merging a PR with the changelog entries, then opening up issues for each change required: ✅ #624(https://github.com/rust-lang/fls/issues/624), ✅ #625(https://github.com/rust-lang/fls/issues/625), ✅ #626(https://github.com/rust-lang/fls/issues/626), ⚠️ #623(https://github.com/rust-lang/fls/issues/623). #623(https://github.com/rust-lang/fls/issues/623) is still pending, as it requires a bit of alignment with the Reference on definitions and creation of a new example. Blockers: None currently Help wanted: We'd love more folks from the safety-critical community to contribute to picking up issues or opening an issue if you notice something is missing.

Emit Retags in Codegen (rust-lang/rust-project-goals#392)

Progress
Point of contact	Ian McCormack
Champions	compiler (Ralf Jung), opsem (Ralf Jung)
Task owners	Ian McCormack

1 detailed update available.

Comment by @icmccorm posted on 2025-12-16:

Here's our December status update!

We have revised our prototype of the pre-RFC based on Ralf Jung's feedback. Now, instead of having two different retag functions for operands and places, we emit a single __rust_retag intrinsic in every situation. We also track interior mutability precisely. At this point, the implementation is mostly stable and seems to be ready for an MCP.
There's been some discussion here and in the pre-RFC about whether or not Rust will still have explicit MIR retag statements. We plan on revising our implementation so that we no longer rely on MIR retags to determine where to insert our lower-level retag calls. This should be a relatively straightforward change to the current prototype. If anything, it should make these changes easier to merge upstream, since they will no longer affect Miri.
BorrowSanitizer continues to gain new features, and we've started testing it on our first real crate (lru) (which has uncovered a few new bugs in our implementation). The two core Tree Borrows features that we have left to support are error reporting and garbage collection. Once these are finished, we will be able to expand our testing to more real-world libraries and confirm that we are passing each of Miri's test cases (and likely find more bugs lurking in our implementation). Our instrumentation pass ignores global and thread-local state for now, and it does not support atomic memory accesses outside of atomic load and store instructions. These operations should be relatively straightforward to add once we've finished higher-priority items.
Performance is slow. We do not know exactly how slow yet, since we've been focusing on feature support over benchmarking and optimization. This is at least partially due to the lack of garbage collection, based on what we're seeing from profiling. We will have a better sense of what our performance is like once we can compare against Miri on more real-world test cases.

As for what's next, we plan on posting an MCP soon, now that it's clear that we will be able to do without MIR retags. You can expect a more detailed status update on BorrowSanitizer by the end of January. This will discuss our implementation and plans for 2026. We will post that here and on our project website.

Expand the Rust Reference to specify more aspects of the Rust language (rust-lang/rust-project-goals#394)

Progress
Point of contact	Josh Triplett
Champions	lang-docs (Josh Triplett), spec (Josh Triplett)
Task owners	Amanieu d'Antras, Guillaume Gomez, Jack Huey, Josh Triplett, lcnr, Mara Bos, Vadim Petrochenkov, Jane Lusby

1 detailed update available.

Comment by @joshtriplett posted on 2025-12-17:

In addition to further ongoing work on reference material (some of which is on track to be merged), we've had some extensive discussions about reference processes, maintenance, and stability markers. Niko Matsakis is putting together a summary and proposal for next steps.

Finish the libtest json output experiment (rust-lang/rust-project-goals#255)

Progress
Point of contact	Ed Page
Champions	cargo (Ed Page)
Task owners	Ed Page

No detailed updates available.

Finish the std::offload module (rust-lang/rust-project-goals#109)

Progress
Point of contact	Manuel Drehwald
Champions	compiler (Manuel Drehwald), lang (TC)
Task owners	Manuel Drehwald, LLVM offload/GPU contributors

2 detailed updates available.

Comment by @ZuseZ4 posted on 2025-12-02:

It's only been two weeks, but we got a good number of updates, so I already wanted to share them.

autodiff

On the autodiff side, we landed the support for rlib and better docs. This means that our autodiff frontend is "almost" complete, since there are almost no cases left where you can't apply autodiff. There are a few features like custom-derivatives or support for dyn arguments that I'd like to add, but they are currently waiting for better docs on the Enzyme side. There is also a long-term goal off replacing the fat-lto requirement with the less invasive embed-bc requirement, but this proved to be tricky in the past and only affects compile times.
@sgasho picked up my old PR to dlopen enzyme, and found the culprit of it failing after my last rebase. A proper fix might take a bit longer, but it might be worth waiting for. As a reminder, using dlopen in the future allows us to ship autodiff on nightly without increasing the size of rustc and therefore without making our infra team sad.

All in all, we have landed most of the hard work here, so that's a very comfortable position to be in before enabling it on nightly.

offload

We have landed the intrinsic implementation of Marcelo Domínguez, so now you can offload functions with almost arbitrary arguments. In my first prototype, I had limited it to pointers to 256 f64 values. The updated usage example continues to live here in our docs. As you can see, we still require #[cfg(target_os=X)] annotations. Under the hood, the LLVM-IR which we generate is also still a bit convoluted. In his next PRs, he'll clean up the generated IR, and introduce an offload macro that users shall call instead of the internal offload intrinsic.
I spend more time on enabling offload in our CI, to enable std::offload in nightly. After multiple iterations and support from LLVM offload devs, we found a cmake config that does not run into bugs, should not increase Rust CI time too much, and works with both in-tree llvm/clang builds, as well as external clang's (the current case in our Rust CI).
I spend more time on simplifying the usage instructions in the dev guide. We started with two cargo calls, one rustc call, two clang calls, and two clang-helper binary calls. I was able to remove the rustc and one of the clang-offload-packager calls, by directly calling the underlying LLVM APIs. I also have an unmerged PR which removes the two clang calls. Once I cleaned it up and landed it, we would be down to only two cargo calls and one binary call to clang-linker-wrapper. Once I automated this last wrapper (and enabled offload in CI), nightly users should be able to experiment with std::offload.

Comment by @ZuseZ4 posted on 2025-12-26:

Time for the next round of updates. Again, most of the updates were on the GPU side, but with some notable autodiff improvements too.

autodiff:

@sgasho finished his work on using dlopen to load enzyme and the pr landed. This allowed Jakub Beránek and me to start working on distributing Enzyme via a standalone component.
As a first step, I added a nicer error if we fail to find or dlopen our Enzyme backend. I also removed most of our autodiff fallbacks, we now unconditionally enable our macro frontend on nightly: https://github.com/rust-lang/rust/pull/150133 You may notice that cargo expand now works on autodiff code. This also allowed the first bug reports about ICE (internal compiler error) in our macro parser logic.
Kobzol opened a PR to build Enzyme in CI. In theory, I should have been able to download that artifact, put it into my sysroot, and use the latest nightly to automatically load it. If that had worked, we could have just merged his PR, and everyone could have started using AD on nightly. Of course, things are never that easy. Even though both Enzyme, LLVM, and rustc were built in CI, the LLVM version shipped along with rustc does not seem compatible with the LLVM version Enzyme was built against. We assume some slight cmake mismatch during our CI builds, which we will have to debug.

offload:

On the gpu side, Marcelo Domínguez finished his cleanup PR, and along the way also fixed using multiple kernels within a single codebase. When developing the offload MVP I had taken a lot of inspiration from the LLVM-IR generated by clang - and it looks like I had gotten one of the (way too many) LLVM attributes wrong. That caused some metadata to be fused when multiple kernels are present, confusing our offload backend. We started to find more bugs when working on benchmarks, more about the fixes for those in the next update.
I finished cleaning up my offload build PR, and Oliver Scherer reviewed and approved it. Once the dev-guide gets synced, you should see much simpler usage instructions. Now it's just up to me to automate the last part, then you can compile offload code purely with cargo or rustc. I also improved how we build offload, which allows us to build it both in CI and locally. CI had some very specific requirements to not increase build times, since our x86-64-dist runner is already quite slow.
Our first benchmarks directly linked against NVIDIA and AMD intrinsics on llvm-ir level. However, we already had an nvptx Rust module for a while, and since recently also an amdgpu module which nicely wraps those intrinsics. I just synced the stdarch repository into rustc a few minutes ago, so from now on, we can replace both with the corresponding Rust functions. In the near future we should get a higher level GPU module, which abstracts away naming differences between vendors.
Most of my past rustc contributions were related to LLVM projects or plugins (Offload and Enzyme), and I increasingly encountered myself asking other people for updates or backports of our LLVM submodule, since upstream LLVM has fixes which were not yet merged into our LLVM submodule. Our llvm working group is quite small and I didn't want to burden them too much with my requests, so I recently asked them to join it, which also got approved. In the future I intend to help a little with the maintenance here.

Getting Rust for Linux into stable Rust: compiler features (rust-lang/rust-project-goals#407)

Progress
Point of contact	Tomas Sedovic
Champions	compiler (Wesley Wiser)
Task owners	(depending on the flag)

1 detailed update available.

Comment by @tomassedovic posted on 2025-12-05:

Update from the 2025-12-03 meeting:

`-Zharden-sls`

Wesley reviewed it again, provided a qualification, more changes requested.

Getting Rust for Linux into stable Rust: language features (rust-lang/rust-project-goals#116)

Progress
Point of contact	Tomas Sedovic
Champions	lang (Josh Triplett), lang-docs (TC)
Task owners	Ding Xiang Fei

2 detailed updates available.

Comment by @tomassedovic posted on 2025-12-05:

Update from the 2025-12-03 meeting.

`Deref` / `Receiver`

Ding keeps working on the Reference draft. The idea is still not well-proliferated and people are not convinced this is a good way to go. We hope the method-probing section in Reference PR could clear thins up.

We're keeping the supertrait auto-impl experiment as an alternative.

RFC #3851: Supertrait Auto-impl

Ding addressed Predrag's requests on SemVer compatibility. He's also opened an implementation PR: https://github.com/rust-lang/rust/pull/149335. Here's the tracking issue: https://github.com/rust-lang/rust/issues/149556.

`derive(CoercePointee)`

Ding opened a PR to require additional checks for DispatchFromDyn: https://github.com/rust-lang/rust/pull/149068

In-place initialization

Ding will prepare material for a discussion at the LPC (Linux Plumbers Conference). We're looking to hear feedback on the end-user syntax for it.

The feature is going quite large, Ding will check with Tyler on the whether this might need a series of RFCs.

The various proposals on the table continue being discussed and there are signs (albeit slow) of convergence. The placing function and guaranteed return ones are superseded by outpointer. The more ergonomic ideas can be built on top. The guaranteed value placement one would be valuable in the compiler regardless and we're waiting for Olivier to refine it.

The feeling is that we've now clarified the constraints that the proposals must operate under.

Field projections

Nadri's Custom places proposal is looking good at least for the user-facing bits, but the whole thing is growing into a large undertaking. Benno's been focused on academic work that's getting wrapped up soon. The two will sync afterwards.

Comment by @tomassedovic posted on 2025-12-18:

Quick bit of great news: Rust in the Linux kernel is no longer treated as an experiment, it's here to stay 🎉

https://lwn.net/SubscriberLink/1050174/63aa7da43214c3ce/

Implement Open API Namespace Support (rust-lang/rust-project-goals#256)

Progress
Point of contact
Champions	cargo (Ed Page), compiler (b-naber), crates-io (Carol Nichols)
Task owners	b-naber, Ed Page

3 detailed updates available.

Comment by @sladyn98 posted on 2025-12-03:

Ed Page hey i would like to contribute to this I reached out on zulip. Bumping up the post in case it might have gone under the radar

CC Niko Matsakis

Comment by @epage posted on 2025-12-03:

The work is more on the compiler side atm, so Eric Holk and b-naber could speak more to where they could use help.

Comment by @eholk posted on 2025-12-06:

Hi @sladyn98 - feel free to ping me on Zulip about this.

MIR move elimination (rust-lang/rust-project-goals#396)

Progress
Point of contact	Amanieu d'Antras
Champions	lang (Amanieu d'Antras)
Task owners	Amanieu d'Antras

1 detailed update available.

Comment by @Amanieu posted on 2025-12-17:

The RFC draft was reviewed in detail and Ralf Jung pointed out that the proposed semantics introduce issues because they rely on "no-behavior" (NB) with regards to choosing an address for a local. This can lead to surprising "time-traveling" behavior where the set of possible addresses that a local may have (and whether 2 locals can have the same address) depends on information from the future. For example:

// This program has DB
let x = String::new();
let xaddr = &raw const x;
let y = x; // Move out of x and de-initialize it.
let yaddr = &raw const y;
x = String::new(); // assuming this does not change the address of x
// x and y are both live here. Therefore, they can't have the same address.
assume(xaddr != yaddr);
drop(x);
drop(y);

// This program has UB
let x = String::new();
let xaddr = &raw const x;
let y = x; // Move out of x and de-initialize it.
let yaddr = &raw const y;
// So far, there has been no constraint that would force the addresses to be different.
// Therefore we can demonically choose them to be the same. Therefore, this is UB.
assume(xaddr != yaddr);
// If the addresses are the same, this next line triggers NB. But actually this next
// line is unreachable in that case because we already got UB above...
x = String::new();
// x and y are both live here.
drop(x);
drop(y);

With that said, there is still a possibility of achieving the optimization, but the scope will need to be scaled down a bit. Specifically, we would need to:

no longer perform a "partial free"/"partial allocation" when initializing or moving out of a single field of a struct. The lifetime of a local starts when any part of it is initialized and ends when it is fully moved out.
allow a local's address to change when it is re-initialized after having been fully moved out, which eliminates the need for NB.

This reduces the optimization opportunities since we can't merge arbitrary sub-field moves, but it still allows for eliminating moves when constructing a struct from multiple values.

The next step is for me to rework the RFC draft to reflect this.

Prototype a new set of Cargo "plumbing" commands (rust-lang/rust-project-goals#264)

Progress
Point of contact
Task owners	, Ed Page

No detailed updates available.

Prototype Cargo build analysis (rust-lang/rust-project-goals#398)

Progress
Point of contact	Weihang Lo
Champions	cargo (Weihang Lo)
Task owners	Weihang Lo, Weihang Lo

2 detailed updates available.

Comment by @weihanglo posted on 2025-12-13:

Key developments: HTML replay logic has merge. Once it gets into nightly cargo report timings can open the timing report you have previously logged.

https://github.com/rust-lang/cargo/pull/16377
https://github.com/rust-lang/cargo/pull/16378
https://github.com/rust-lang/cargo/pull/16382

Blockers: No, except my own availability

Help wanted: Same as https://github.com/rust-lang/rust-project-goals/issues/398#issuecomment-3571897575

Comment by @weihanglo posted on 2025-12-26:

Key developments:

Headline: You should always enable build analysis locally, if you are using nightly and want the timing info data always available.

[unstable]
build-analysis = true

[build.analysis]
enabled = true

More log events are emitted: https://github.com/rust-lang/cargo/pull/16390
- dependency resolution time
- unit-graph construction
- unit-registration (which contain unit metadata)
Timing replay from cargo report timings now has almost the same feature parity as cargo build --timings, except CPU usage: https://github.com/rust-lang/cargo/pull/16414
Rename rebuild event to unit-fingerprint, and is emitted also for fresh unit: https://github.com/rust-lang/cargo/pull/16408.
Proposed a new cargo report sessions command so that people can retrieve previous sessions IDs not use the latest one: https://github.com/rust-lang/cargo/pull/16428
Proposed to remove --timings=json which timing info in log files should be a great replacement: https://github.com/rust-lang/cargo/pull/16420
Documenting efforts for having man pages for nested commands `cargo report : https://github.com/rust-lang/cargo/pull/16430 and https://github.com/rust-lang/cargo/pull/16432

Besides implementations, we also discussed about:

The interaction of --message-format and structured logging system, as well as log event schemas and formats: https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/build.20analysis.20log.20format/with/558294271
A better name for RunId. We may lean towards SessionId which is a common name for logging/tracing ecosystem.
Nested Cargo calls to have a sticky session ID. At least a way to show they were invoked from the same top-level Cargo call.

Blockers: No, except my own availability

Help wanted: Same as https://github.com/rust-lang/rust-project-goals/issues/398#issuecomment-3571897575

reflection and comptime (rust-lang/rust-project-goals#406)

Progress
Point of contact	Oliver Scherer
Champions	compiler (Oliver Scherer), lang (Scott McMurray), libs (Josh Triplett)
Task owners	oli-obk

1 detailed update available.

Comment by @oli-obk posted on 2025-12-15:

Updates

https://github.com/rust-lang/rust/pull/148820 adds a way to mark functions and intrinsics as only callable during CTFE
https://github.com/rust-lang/rust/pull/144363 has been unblocked and just needs some minor cosmetic work

Blockers

https://github.com/rust-lang/rust/pull/146923 (reflection MVP) has not been reviewed yet

Rework Cargo Build Dir Layout (rust-lang/rust-project-goals#401)

Progress
Point of contact	Ross Sullivan
Champions	cargo (Weihang Lo)
Task owners	Ross Sullivan

1 detailed update available.

Comment by @ranger-ross posted on 2025-12-23:

Status update December 23, 2025

The majority of December was spent iterating on https://github.com/rust-lang/cargo/pull/16155 . As mentioned in the previous update, the original locking design was not correct and we have been working through other solutions.

As locking is tricky to get right and there are many scenarios Cargo needs to support, we are trying to descope the initial implementation to an MVP, even if that means we lose some of the concurrency. Once we have an MVP on nightly, we can start gathering feedback on the scenarios that need improvement and iterate.

I'm hopeful that we get an unstable -Zfine-grain-locking on nightly in January for folks to try out in their workflows.

Also we are considering adding an opt-in for the new build-dir layout using an env var (CARGO_BUILD_DIR_LAYOUT_V2=true) to allow tool authors to begin migrating to the new layout. https://github.com/rust-lang/cargo/pull/16336

Before stabilizing this, we are doing crater run to test the impact of the changes and proactively reaching out to projects to minimize breakage as much as possible. https://github.com/rust-lang/rust/pull/149852

Run more tests for GCC backend in the Rust's CI (rust-lang/rust-project-goals#402)

Progress
Point of contact	Guillaume Gomez
Champions	compiler (Wesley Wiser), infra (Marco Ieni)
Task owners	Guillaume Gomez

No detailed updates available.

Rust Stabilization of MemorySanitizer and ThreadSanitizer Support (rust-lang/rust-project-goals#403)

Progress
Point of contact	Jakob Koschel
Task owners	[Bastian Kersting](https://github.com/1c3t3a), [Jakob Koschel](https://github.com/jakos-sec)

1 detailed update available.

Comment by @jakos-sec posted on 2025-12-15:

Based on the gathered feedback I opened a new MCP for the proposed new Tier 2 targets with sanitizers enabled. (https://github.com/rust-lang/compiler-team/issues/951)

Rust Vision Document (rust-lang/rust-project-goals#269)

Progress
Point of contact	Niko Matsakis
Task owners	vision team

No detailed updates available.

rustc-perf improvements (rust-lang/rust-project-goals#275)

Progress
Point of contact	James
Champions	compiler (David Wood), infra (Jakub Beránek)
Task owners	James, Jakub Beránek, David Wood

1 detailed update available.

Comment by @Kobzol posted on 2025-12-15:

We have enabled the second x64 machine, so we now have benchmarks running in parallel 🎉 There are some smaller things to improve, but next year we can move onto running benchmarks on Arm collectors.

Stabilize public/private dependencies (rust-lang/rust-project-goals#272)

Progress
Point of contact
Champions	cargo (Ed Page)
Task owners	, Ed Page

No detailed updates available.

Stabilize rustdoc `doc_cfg` feature (rust-lang/rust-project-goals#404)

Progress
Point of contact	Guillaume Gomez
Champions	rustdoc (Guillaume Gomez)
Task owners	Guillaume Gomez

1 detailed update available.

Comment by @GuillaumeGomez posted on 2025-12-17:

Opened stabilization PR but we have blockers I didn't hear of, so stabilization will be postponed until then.

SVE and SME on AArch64 (rust-lang/rust-project-goals#270)

Progress
Point of contact	David Wood
Champions	compiler (David Wood), lang (Niko Matsakis), libs (Amanieu d'Antras)
Task owners	David Wood

3 detailed updates available.

Comment by @davidtwco posted on 2025-12-15:

I haven't made any progress on Deref::Target yet, but I have been focusing on landing rust-lang/rust#143924 which has went through two rounds of review and will hopefully be approved soon.

Comment by @nikomatsakis posted on 2025-12-18:

Update: David and I chatted on Zulip. Key points:

David has made "progress on the non-Sized Hierarchy part of the goal, the infrastructure for defining scalable vector types has been merged (with them being Sized in the interim) and that'll make it easier to iterate on those and find issues that need solving".

On the Sized hierarchy part of the goal, no progress. We discussed options for migrating. There seem to be three big options:

(A) The conservative-but-obvious route where the T: Derefin the old edition is expanded to T: Deref<Target: SizeOfVal> (but in the new edition it means T: Deref<Target: Pointee>, i.e., no additional bounds). The main downside is that new Edition code using T: Deref can't call old Edition code using T: Deref as the old edition code has stronger bounds. Therefore new edition code must either use stronger bounds than it needs or wait until that old edition code has been updated.

(B) You do something smart with Edition.Old code where you figure out if the bound can be loose or strict by bottom-up computation. So T: Deref in the old could mean either T: Deref<Target: Pointee> or T: Deref<Target: SizeOfVal>, depending on what the function actually does.

(C) You make Edition.Old code always mean T: Deref<Target: Pointee> and you still allow calls to size_of_val but have them cause post-monomorphization errors if used inappropriately. In Edition.New you use stricter checking.

Options (B) and (C) have the downside that changes to the function body (adding a call to size_of_val, specifically) in the old edition can stop callers from compiling. In the case of Option (B), that breakage is at type-check time, because it can change the where-clauses. In Option (C), the breakage is post-monomorphization.

Option (A) has the disadvantage that it takes longer for the new bounds to roll out.

Given this, (A) seems the preferred path. We discussed options for how to encourage that roll-out. We discussed the idea of a lint that would warn Edition.Old code that its bounds are stronger than needed and suggest rewriting to T: Deref<Target: Pointee> to explicitly disable the stronger Edition.Old default. This lint could be implemented in one of two ways

at type-check time, by tracking what parts of the environment are used by the trait solver. This may be feasible in the new trait solver, someone from @rust-lang/types would have to say.
at post-mono time, by tracking which functions actually call size_of_val and propagating that information back to callers. You could then compare against the generic bounds declared on the caller.

The former is more useful (knowing what parts of the environment are necessary could be useful for more things, e.g., better caching); the latter may be easier or more precise.

Comment by @nikomatsakis posted on 2025-12-19:

Update to the previous post.

Tyler Mandry pointed me at this thread, where lcnr posted this nice blog post that he wrote detailing more about (C).

Key insights:

Because the use of size_of_val would still cause post-mono errors when invoked on types that are not SizeOfVal, you know that adding SizeOfVal into the function's where-clause bounds is not a breaking change, even though adding a where clause is a breaking change more generally.
But, to David Wood's point, it does mean that there is a change to Rust's semver rules: adding size_of_val would become a breaking change, where it is not today.

This may well be the best option though, particularly as it allows us to make changes to the defaults across-the-board. A change to Rust's semver rules is not a breaking change in the usual sense. It is a notable shift.

Type System Documentation (rust-lang/rust-project-goals#405)

Progress
Point of contact	Boxy
Champions	types (Boxy)
Task owners	Boxy, lcnr

1 detailed update available.

Comment by @BoxyUwU posted on 2025-12-30:

This month I've written some documentation for how Const Generics is implemented in the compiler. This mostly covers the implementation of the stable functionality as the unstable features are quite in flux right now. These docs can be found here: https://rustc-dev-guide.rust-lang.org/const-generics.html

Unsafe Fields (rust-lang/rust-project-goals#273)

Progress
Point of contact	Jack Wrenn
Champions	compiler (Jack Wrenn), lang (Scott McMurray)
Task owners	Jacob Pratt, Jack Wrenn, Luca Versari

No detailed updates available.

by Tomas Sedovic at January 05, 2026 12:00 AM

December 31, 2025

This Week In Rust — This Week in Rust 632

Hello and welcome to another issue of This Week in Rust! Rust is a programming language empowering everyone to build reliable and efficient software. This is a weekly summary of its progress and community. Want something mentioned? Tag us at @thisweekinrust.bsky.social on Bluesky or @ThisWeekinRust on mastodon.social, or send us a pull request. Want to get involved? We love contributions.

This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.

Want TWIR in your inbox? Subscribe here.

Updates from Rust Community

Project/Tooling Updates

Observations/Thoughts

Rust Walkthroughs

Miscellaneous

Crate of the Week

This week's crate is wgsl-bindgen, a binding generator for WGSL, the WebGPU shading language, to be used with wgpu.

Thanks to Artem Borisovskiy for the suggestion!

Please submit your suggestions and votes for next week!

Calls for Testing

An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization.

If you are a feature implementer and would like your RFC to appear in this list, add a call-for-testing label to your RFC along with a comment providing testing instructions and/or guidance on which aspect(s) of the feature need testing.

Rustup

Rustup 1.29.0 beta: Call for Testing!
Testing steps: See "How to Test" section from above link.
No calls for testing were issued this week by Rust, Cargo or Rust language RFCs.

Let us know if you would like your feature to be tracked as a part of this list.

Call for Participation; projects and speakers

CFP - Projects

Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on Bluesky or Mastodon!

CFP - Events

Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.

RustWeek 2026 | CFP closes 2026-01-18 | Utrecht, The Netherlands | 2026-05-19 - 2026-05-20
RustConf 2026 | CFP closes 2026-02-16 | Montreal, Quebec, Canada | 2026-09-08 - 2026-09-10

If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on Bluesky or Mastodon!

Updates from the Rust Project

297 pull requests were merged in the last week

Compiler

Library

Cargo

Rustdoc

Clippy

Rust-Analyzer

Rust Compiler Performance Triage

Not a lot of changes this week. Overall result is positive, largely thanks to https://github.com/rust-lang/rust/pull/142881, which makes computing an expensive data structure for JumpThreading MIR optimization lazy.

Triage done by @panstromek. Revision range: e1212ea7..112a2742

Summary:

(instructions:u)	mean	range	count
Regressions ❌ (primary)	0.5%	[0.1%, 1.7%]	11
Regressions ❌ (secondary)	0.2%	[0.1%, 0.5%]	6
Improvements ✅ (primary)	-0.5%	[-1.3%, -0.1%]	74
Improvements ✅ (secondary)	-0.6%	[-1.8%, -0.2%]	71
All ❌✅ (primary)	-0.4%	[-1.3%, 1.7%]	85

2 Regressions, 0 Improvements, 3 Mixed; 1 of them in rollups 37 artifact comparisons made in total

Full report here

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week: * No RFCs were approved this week.

Final Comment Period

Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

Tracking Issues & PRs

Compiler Team (MCPs only)

No Items entered Final Comment Period this week for Cargo, Rust, Rust RFCs, Leadership Council, Language Team, Language Reference or Unsafe Code Guidelines.

Let us know if you would like your PRs, Tracking Issues or RFCs to be tracked as a part of this list.

New and Updated RFCs

Thin pointers with inline metadata

Tracking Issues & PRs

New and Updated RFCs

Upcoming Events

Rusty Events between 2025-12-31 - 2026-01-28 🦀

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Jobs

Please see the latest Who's Hiring thread on r/rust

Quote of the Week

what even is time?!?

– Ralf Jung on his blog

Thanks to llogiq for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by:

Email list hosting is sponsored by The Rust Foundation

Discuss on r/rust

by TWiR Contributors at December 31, 2025 05:00 AM

December 24, 2025

This Week In Rust — This Week in Rust 631

This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.

Want TWIR in your inbox? Subscribe here.

Updates from Rust Community

Official

Newsletters

Project/Tooling Updates

Observations/Thoughts

Rust Walkthroughs

Crate of the Week

This week's crate is arcshift, an Arc replacement for read-heavy workloads that supports lock-free atomic replacement.

Thanks to rustkins for the suggestion!

Please submit your suggestions and votes for next week!

Calls for Testing

An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization.

No calls for testing were issued this week by Rust, Cargo, Rust language RFCs or Rustup.

Let us know if you would like your feature to be tracked as a part of this list.

Call for Participation; projects and speakers

CFP - Projects

Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

No Calls for participation were submitted this week.

If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on Bluesky or Mastodon!

CFP - Events

Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.

RustWeek 2026 | CFP closes 2026-01-18 | Utrecht, The Netherlands | 2026-05-19 - 2026-05-20
RustConf 2026 | CFP closes 2026-02-16 | Montreal, Quebec, Canada | 2026-09-08 - 2026-09-10

If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on Bluesky or Mastodon!

Updates from the Rust Project

475 pull requests were merged in the last week

Compiler

Library

Rustdoc

Clippy

Rust-Analyzer

Rust Compiler Performance Triage

Very quiet week, with essentially no change in performance.

Triage done by @simulacrum. Revision range: 21ff67df..e1212ea7

1 Regression, 1 Improvement, 3 Mixed; 2 of them in rollups 36 artifact comparisons made in total

Full report here

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week: * No RFCs were approved this week.

Final Comment Period

Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

Tracking Issues & PRs

Rust

Cargo

feat(toml): TOML 1.1 parse support

Compiler Team (MCPs only)

Allow combining --help -C help -Z help -W help in one invocation

Leadership Council

No Items entered Final Comment Period this week for Rust RFCs, Language Team, Language Reference or Unsafe Code Guidelines.

Let us know if you would like your PRs, Tracking Issues or RFCs to be tracked as a part of this list.

New and Updated RFCs

Thin pointers with inline metadata

Upcoming Events

Rusty Events between 2025-12-24 - 2026-01-21 🦀

Virtual

2025-12-30 | Virtual (Tel Aviv-yafo, IL) | Code Mavens 🦀 - 🐍 - 🐪
- Live Open Source Rust project contribution
2026-01-03 | Virtual (Kampala, UG) | Rust Circle Meetup
- Rust Circle Meetup
2026-01-07 | Virtual (Indianapolis, IN, US) | Indy Rust
- Indy.rs - with Social Distancing
2026-01-08 | Virtual (Charlottesville, VA, US) | Charlottesville Rust Meetup
- Meet, swap, and learn!
2026-01-08 | Virtual (Nürnberg, DE) | Rust Nuremberg
- Rust Nürnberg online
2026-01-13 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Second Tuesday
2026-01-13 | Virtual | libp2p Events
- rust-libp2p Open Maintainers Call
2026-01-15 | Virtual (Berlin, DE) | Rust Berlin
- Rust Hack and Learn
2026-01-20 | Virtual (Washington, DC, US) | Rust DC
- Mid-month Rustful
2026-01-21 | Virtual (Vancouver, BC, CA) | Vancouver Rust
- Stack Safety

Asia

2026-01-07 | Tel Aviv-yafo, IL | Rust 🦀 TLV
- In person Rust January 2026 at AWS in Tel Aviv

Europe

2026-01-07 | Amsterdam, NL | Rust Developers Amsterdam Group
- Meetup @ Instruqt
2026-01-07 | Girona, ES | Rust Girona
- Rust Girona Hack & Learn 01 2026
2026-01-08 | Geneva, CH | Post Tenebras Lab
- Rust Meetup Geneva
2026-01-14 | Reading, UK | Reading Rust Workshop
- Reading Rust Meetup
2026-01-20 | Leipzig, SN, DE | Rust - Modern Systems Programming in Leipzig
- Topic TBD
2026-01-20 | Paris, FR | Rust Paris
- Rust meetup #82

North America

2025-12-27 | Boston, MA, US | Boston Rust Meetup
- Lechmere Rust Lunch, Dec 27
2026-01-03 | Boston, MA, US | Boston Rust Meetup
- Allston Rust Lunch, Jan 3
2026-01-08 | Mountain View, CA, US | Hacker Dojo
- RUST MEETUP at HACKER DOJO
2026-01-10 | Boston, MA, US | Boston Rust Meetup
- Central Cambridge Rust Lunch, Jan 10
2026-01-15 | Seattle, WA, US | Seattle Rust User Group
- Janurary, 2026 SRUG (Seattle Rust User Group) Meetup
2026-01-17 | Boston, MA, US | Boston Rust Meetup
- Boston Common Rust Lunch, Jan 17
2026-01-20 | San Francisco, CA, US | San Francisco Rust Study Group
- Rust Hacking in Person
2026-01-21 | Austin, TX, US | Rust ATX
- Rust Lunch - Fareground

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Jobs

Please see the latest Who's Hiring thread on r/rust

Quote of the Week

they should just rename unsafe to C so people can shut up

– /u/thisismyfavoritename on /r/rust

Thanks to Brian Kung for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by:

Email list hosting is sponsored by The Rust Foundation

Discuss on r/rust

by TWiR Contributors at December 24, 2025 05:00 AM

December 20, 2025

Tarek Ziadé — all the code are belong to claude*

I have been writing code for a long time, long enough to be suspicious of tools that claim to fundamentally change how I work. And yet, here we are.

The latest iterations of Claude Code are genuinely impressive. Not in a flashy demo way, but in the quiet, dangerous way where you suddenly realize you have delegated large parts of your thinking to it. This post is about that experience, how Claude helped me build rustnn, what worked remarkably well, and where I had to consciously pull myself back.

Claude as a serious coding partner

For rustnn, I leaned heavily on Claude Code. The quality of the generated Rust was consistently high. Beyond producing correct syntax, it reasoned about what the code was supposed to do. It was context-aware in a way that made iterative design feel natural. I could ask for refactors, architectural changes, or alternative approaches, and get answers that actually respected the existing codebase and long-running tests.

This mirrors what many developers have been reporting toward the end of 2025. Claude Code’s agent-oriented design and large-context reasoning make it particularly strong for repository-wide work: multi-file refactors, non-trivial debugging sessions, and architectural changes that need to fit an existing mental model. Compared to Codex-style systems, which still shine for fast edits and local completions, Claude tends to perform better when the task requires sustained reasoning and understanding of project-wide constraints.

Anthropic’s recent Claude releases have reinforced that positioning. Improvements in long-context handling, reasoning depth, and agentic workflows make it easier to treat Claude as something closer to a collaborator than an autocomplete engine.

The turning point for me was when I stopped treating Claude like a chat bot and started treating it like a constrained agent.

That is where CLAUDE.md comes in.

Tuning CLAUDE.md

I stumbled upon an excellent LangChain article on how to turn Claude Code into a domain-specific coding agent.

It clicked immediately. Instead of repeatedly explaining the same constraints, goals, and conventions, I encoded them once. Rust style rules. Project intent. Explicit boundaries. How to react to test failures.

The effect was immediate. Output quality improved, and the amount of back-and-forth dropped significantly. Claude stopped proposing things that were clearly out of scope and started behaving like someone who had actually read and understood the project.

For rustnn, I went one step further and anchored development around WPT conformance tests. That gave both Claude and me a shared, objective target. Tests either pass or they do not. No bikeshedding.

Tweaking CLAUDE.md quickly revealed itself as a never-ending process. There are plenty of articles describing different approaches, and none of them are definitive. The current direction seems to be layering information across multiple files, structuring project documentation so it is optimized for agent consumption while remaining readable for humans, and doing so without duplicating the same knowledge in multiple places.

That balance turns out to be just as important as the model itself.

The slippery slope

There is a trap though, and it is a subtle one.

Once Claude is good enough, you start routing everything through it.

Re-running tests.
Interpreting obvious build errors.
Copying and pasting logs that you already understand.

It feels efficient, but it is not free. Each interaction has a cost, and when you are in a tight edit-build-test loop, those costs add up fast. Worse, you start outsourcing mechanical thinking that you should probably still be doing yourself.

I definitely fell into that trap.

Reducing costs

The solution, for me, was to drastically reduce how much I talk to Claude, and to stop using its prompt environment as a catch-all interface to the project.

Claude became an extra terminal. One I open for very specific tasks, then close. It is not a substitute for my own brain, nor for the normal edit–build–test loop.

Reducing the context window is also critical. A concrete example is Python tracebacks. They are verbose, repetitive, and largely machine-generated noise. Sending full tracebacks back to the model is almost always wasteful.

That is why I added a hook to rewrite them on the fly into a compact form.

The idea is simple: keep the signal, drop the boilerplate. Same information, far fewer tokens. In practice, this not only lowers costs, it often produces better answers because the model is no longer drowning in irrelevant frames and runtime noise. On Python-heavy codebases, this change alone reduced my usage costs by roughly 20%.

Pre-compacting inputs turned out to be one of the most effective cost-control strategies I have found so far, especially when combined with a more deliberate, intentional way of interacting with the model.

Memory across sessions actually matters

Another pain point is session amnesia. You carefully explain design decisions, trade-offs, and long-term goals, only to repeat them again tomorrow.

A well-crafted CLAUDE.md mitigates part of this problem. It works well for static knowledge: coding style, project constraints, architectural boundaries, and things that rarely change. It gives Claude a stable baseline and avoids a lot of repetitive explanations.

But it does not capture evolving context.

It does not remember why a specific workaround exists, which approach you rejected last week, or what subtle behavior a particular test exposed yesterday. As soon as the session ends, that knowledge is gone, and you are back to re-teaching the same mental model.

This is where cross-session, cross-project memory becomes interesting.

I am currently experimenting with claude-mem

The idea is simple but powerful: maintain a centralized, persistent memory that is automatically updated based on interactions. Instead of manually curating context, relevant facts, decisions, and preferences are summarized and carried forward. Over time, this builds a lightweight but durable understanding of how you work and how your projects evolve.

Compared to CLAUDE.md, this kind of memory is dynamic rather than declarative. It captures intent, not just rules. It also scales across projects, which matters when you jump between repositories that share design philosophy, tooling, or constraints.

It is still early, and it is not magic. You need to be careful about what gets remembered and how summaries are formed. But the direction feels right. Persistent memory reduces cognitive reset costs, shortens warm-up time, and makes the interaction feel less like starting over and more like continuing a conversation you paused yesterday.

That difference adds up.

Final thoughts

Claude Code is good. Very good. Good enough that you need discipline to use it well.

With a tuned CLAUDE.md, clear test-driven goals like WPT conformance, and some tooling to reduce noise and cost, it becomes a powerful accelerator. Without that discipline, it is easy to overuse it and slowly burn budget on things you already know how to do.

I do not think this replaces engineering skill. If anything, it amplifies both good and bad habits. The trick is to make sure it is amplifying the right ones.

References

*The title is a deliberate reference to “All your base are belong to us.” The grammar is broken on purpose. It is a joke, but also a reminder that when tools like Claude get this good, it is easy to give them more control than you intended

by at December 20, 2025 12:00 AM

December 19, 2025

Mozilla Privacy Blog — Behind the Manifesto: Moments that Mattered in our Fight for the Open Web (2025)

Welcome to the blog series “Behind the Manifesto,” where we unpack core issues that are critical to Mozilla’s mission. The Mozilla Manifesto represents our commitment to advancing an open, global internet that gives people meaningful choice in their online experiences, promotes transparency and innovation and protects the public interest over private walled gardens. This blog series digs deeper on our vision for the web and the people who use it and how these goals are advanced in policymaking and technology.

In 2025, global tech policy raced to keep up with technological change and opportunity. In the midst of this evolution, Mozilla sought to ensure that solutions remained centered on openness, competition and user agency.

From AI Agents and the future of the open web to watershed antitrust cases, competition debates surged. Efforts to drive leadership and innovation in AI led governments across the globe to evaluate priorities. Perennial privacy and security questions remained on the radar, with US states intensifying efforts to pass laws and the EU working to streamline rules on AI, cybersecurity and data. Debates amongst industry, civil society and policymakers reflected the intensity of these moments.

Just as we have for over 20 years, Mozilla showed up to build, convene, debate and advocate. It’s clear that more than ever, there must be urgency to truly put people first. Below are a selection of some key moments we’re reflecting on, as we head into 2026.

FEBRUARY 2025

Mozilla Participates in Paris AI Action Summit as Part of the Steering Committee

Mozilla participated in the Paris AI Action Summit as Part of the Steering Committee with an ‘action packed’ schedule that included appearances on panels, a live recording of the podcast “Computer Says Maybe” and a reception to reflect on discussions and thank all the officials and researchers who had worked so hard to make the Summit a success.

Additionally, Mozilla and other partners, including Hugging Face, Microsoft and OpenAI, launched Robust Open Online Safety Tools (ROOST) at the Paris AI Action Summit. The entity is designed to create open source foundations for safer and more responsible AI development, ensuring that safety and transparency remain central to innovation.

The launch of ROOST happened at exactly the right time and in the right place. The Paris AI Action Summit provided a global backdrop for launching work that will ultimately help make AI safety a field that everyone can shape and improve.

Mozilla Event: AI & Competition featuring the President of the German Competition Authority
On February 12, we hosted a public event in Berlin on AI & competition, in partnership with German daily newspaper Tagesspiegel. Addressing the real risk of market concentration at various elements of the AI stack, the President of the German competition authority (Bundeskartellamt), Andreas Mundt, delivered a keynote address setting out his analysis of competition in AI and the role of his authority in ensuring contestable markets as technology rapidly evolves.

MARCH 2025

America’s AI Action Plan

In March, Mozilla responded to the White House’s request for information on AI policy, urging policymakers to ensure that AI remained open, competitive and accountable. The comments also warned that concentrated control by a few tech giants threatened innovation and public trust, and called for stronger support of open source AI, public AI infrastructure, transparent energy use and workforce development. Mozilla underscored these frameworks are essential to building an AI ecosystem that serves the public interest rather than purely corporate bottom lines.

Mozilla Mornings: Promoting a privacy-preserving online ads ecosystem

The same month, we also hosted a special edition of Mozilla Mornings focused on the future of online advertising and the role Privacy-Enhancing Technologies (PETs) can play in reshaping it. The conversation came at a critical moment in Europe, amidst discussions on updating privacy legislation while enforcing existing rules.

The session brought together policymakers, technologists, and civil-society experts to examine how Europe can move toward a fairer and more privacy-respecting advertising ecosystem. Speakers explored the limitations of today’s surveillance-driven model and outlined how PETs and Privacy-Preserving Technologies (PPTs) could offer a viable alternative that protects users while sustaining the economic foundations of the open web. The event underscored Mozilla’s commitment to advancing privacy-respecting technologies and ensuring that both policy and technical design converge toward a healthier online advertising ecosystem.

MAY 2025

CPDP: The Evolution of PETs in Digital Ads

At the Brussels 2025 International CPDP Conference, Mozilla organized and participated in a panel titled “The Evolution of PETs in Digital Ads: Genuine Privacy Innovation or Market Power Play?” The discussion explored how Privacy-Enhancing Technologies (PETs) — tools designed to minimize data collection and protect user privacy — are reshaping the digital advertising landscape. Panelists debated how to encourage genuine privacy innovation without reinforcing existing power structures, and how regulations like the GDPR and the Digital Markets Act (DMA) can help ensure PETs foster transparency and competition.

Competition in Focus: U.S. vs Google

The U.S. v. Google remedies trial was a defining moment — not just for 2025, but for the future of browser and search competition. While the remedies phase was about creating competition in the search market, some of the proposed remedies risked weakening independent browsers like Firefox, the very players that make real choice possible.

In early May, Mozilla’s CFO, Eric Muhlheim, testified to this very point. Muhlheim’s testimony, and Mozilla’s amicus brief in the case, spoke to the vital role of small, independent browsers in driving competition and innovation across the web and warned about the risks of harming their ability to select the search default that best serves their users. Ensuring a competitive search ecosystem while avoiding harm to browser competition remains an important issue in 2026.

JUNE 2025

Open by Design: How Nations Can Compete in the Age of AI

The choices governments make today, about who gets to build, access and benefit from AI, will shape economic competitiveness, national security and digital rights for decades. In June, Mozilla supported a new report by the UK think tank Demos, exploring how and why embracing openness in key AI resources can spur innovation and adoption. Enabling safer, more transparent development and boosting digital sovereignty is a recipe, if there ever was one, for ‘winning’ at AI.

EU Digital Summit: Advocating for Open and Secure Digital Ecosystems

Digital competitiveness depends on open, secure, and interoperable ecosystems that foster innovation while respecting users’ rights. We spoke at the 2025 European Digital Summit—a flagship forum bringing together policymakers, regulators, industry leaders, and civil society—and argued that openness and security reinforce each other, that smart regulation has the potential to lower entry barriers and curb gatekeeping power, and that innovation does not require sacrificing privacy when incentives are aligned toward rights-respecting designs. The takeaway was clear: enforcing interoperability, safeguarding pro-competition rules, and embedding privacy-by-design incentives are essential to a resilient, innovative, and trustworthy open web.

JULY 2025

Joint Letter to the UK Secretary of State on DMCCA

When choice disappears, innovation stalls. In July, Mozilla sent an open letter to UK Ministers and the Competition & Markets Authority to urge faster implementation of the UK Digital Markets, Competition & Consumers Act (DMCCA). As an organisation that exists to create an internet that is open and accessible to all, Mozilla has long supported competitive digital markets. Since the EU Digital Markets Act took effect in 2024, users have begun to benefit from genuine choice for the first time, with interventions like browser choice screens offering people browser choice. The result? People are choosing independent alternatives to gatekeepers defaults: Firefox daily active users on iOS rose by 150% across the EU. The UK’s DMCCA could be similarly revolutionary for UK consumers and the many challenger businesses taking on market dominance.

SEPTEMBER 2025

Digital Bootcamp: Bringing Internet Architecture to the Heart of EU Policymaking

In September, Mozilla officially launched its Digital Bootcamp initiative, developed in partnership with Cloudflare, Proton and CENTR, to strengthen policymakers’ understanding of how the internet actually works and why this technical foundation is essential for effective regulation. We delivered interactive sessions across EU institutions, including a workshop for Members of the European Parliament, the European Commission, and representatives of the EU member states.

Across these workshops, we demystified the layered architecture of the internet, explained how a single website request moves through the stack, and clarified which regulatory obligations apply at each layer. By bridging the gap between engineering and policymaking, Digital Bootcamp is helping ensure EU digital laws remain grounded in technical reality, supporting evidence-based decisions that protect innovation, security and the long-term health of the open web.

OCTOBER 2025

Mozilla Meetup: The Future of Competition

On October 8, Mozilla hosted a Meetup on Competition in Washington, D.C., bringing together leading voices in tech policy — including Alissa Cooper (Knight-Georgetown Institute), Amba Kak (AI Now Institute), Luke Hogg (Foundation for American Innovation) and Kush Amlani (Mozilla) — to discuss the future of browser competition, antitrust enforcement and AI’s growing influence on the digital landscape. Moderated by Bloomberg’s Leah Nylen, the event reinforced our ongoing efforts to establish a more open and competitive internet, highlighting how policy decisions in these areas directly shape user choice, innovation, and the long-term health of the open web.

Global Encryption Day

On October 21, Mozilla marked Global Encryption Day by reaffirming our commitment to strong encryption as a cornerstone of online privacy, security, and trust. For years, Mozilla has played an active role in shaping the broader policy debate on encryption by consistently pushing back against efforts to weaken it and working with partners around the world to safeguard the technology that helps to keep people secure online – from joining the Global Encryption Coalition Steering Committee, to challenging U.S. legislation like the EARN IT Act and leading multi-year efforts in the EU to address encryption risks in the eIDAS Regulation.

California’s Opt Me Out Act: A Continuation of the Fight For Privacy

The passage of California’s Opt Me Out Act (AB 566) marked a major step forward in Mozilla’s ongoing effort to strengthen digital privacy and give users control of their personal data. For years, Mozilla has spoken in support of Global Privacy Control (GPC) — a tool already integrated into Firefox — as a model for privacy-by-design solutions that can be both effective and user-friendly.

NOVEMBER 2025

Mozilla Submits Recommendations on the Digital Fairness Act

In November, Mozilla submitted its response to the European Commission’s consultation on the Digital Fairness Act (DFA), framing it as a key opportunity to modernise consumer protection for AI-driven and highly personalised digital services. Mozilla argued that effective safeguards must tackle both interface design and underlying system choices, prohibit harmful design practices, and set clear fairness standards for personalization and advertising. A well-designed DFA can complement existing EU laws, strengthen user autonomy, provide legal certainty for innovators, and support a more competitive digital ecosystem built on genuine user choice.

Mozilla hosts AI breakfast in UK Parliament

Mozilla President, Mark Surman, hosted MPs and Peers for a breakfast in Parliament to discuss how policymakers can nurture AI that supports public good. As AI policy moves from principle to implementation, the breakfast offered insight into the models, trade-offs and opportunities that will define the next phase of the UK’s AI strategy.

DECEMBER 2025

Mozilla Joins Tech Leaders at US House AI Caucus Briefing

Internet Works, an association of “Middle Tech” companies, organized a briefing with the Congressional AI Caucus. The goal was to provide members of congress and their staff a better understanding of the Middle Tech ecosystem and how smaller companies are adopting and scaling AI technologies. Mozilla spoke on the panel, lending valued technical expertise and setting out how we’re thinking about keeping the web open for innovation, competition and user choice with this new technology stack.

eIDAS2 Regulation: Defending Web Security and Trust

In December, the EU published the final implementing rules for eIDAS2, closing a multi-year fight over proposals that would have required browsers to automatically trust government-mandated website certificates—putting encryption, user trust, and the open web at risk. Through sustained advocacy and deep technical engagement, Mozilla helped secure clear legal safeguards preserving independent browser root programs and strong TLS security. We also ensured that the final standards respect existing security norms and reflect how the web actually works. With all rules now published, users can continue to rely on browsers to verify websites independently with strict security requirements, governments are prevented from weakening web encryption by default, and a dangerous global precedent for state-controlled trust on the internet has been avoided.

This blog is part of a larger series. Be sure to follow Jenn Taylor Hodges on LinkedIn for further insights into Mozilla’s policy priorities.

The post Behind the Manifesto: Moments that Mattered in our Fight for the Open Web (2025) appeared first on Open Policy & Advocacy.

by Linda Griffin, Jenn Taylor Hodges and Tasos Stampelos at December 19, 2025 03:23 PM

Firefox Nightly — Closing out 2025 Strong – These Weeks in Firefox: Issue 193

Highlights

Special shout-out to volunteer contributor Lorenz A for fixing a huge smattering of bugs in our DevTools code!
- Lorenz fixed the alignment of numeric values in Netmonitor and fixed an absolute ton of refactoring bugs (#1665702, #1709063, #1632071), including migrating old style function + prototype to proper ES classes (#2004038, #2004205, #2004203, #2004204, #2004206, #2004207, #2004222, #2004225, #2004231, #2004232, #2004208, #2004210, #2004211, #2004212, #2004213, #2004214, #2004216, #2004217, #2004215, #2004218, #2004219)
The FirefoxDevTools social accounts have been renamed “Firefox For Web Developers”. Come follow us!
- https://bsky.app/profile/webdevs.firefox.com
- https://mastodon.social/@firefoxwebdevs
- We’ve still got the same handle on Twitter (“Hacks” was turned into “Firefox For Web Dev” there)
We are enabling the unified trust panel for testing in Nightly, which unifies the lock and shield into one item. This appears to the very left of the URLbar as a shield with a checkbox in it. If you notice any bugs, please file them in the Protections UI component

The Desktop Integrations team is starting a controlled rollout of the new Backup feature, starting with users on Windows 10! This gives users more options and ability to move their data from machine to machine when getting new devices. (146 Release Notes)

Friends of the Firefox team

Resolved bugs (excluding employees)

Volunteers that fixed more than one bug

Aloys
Kipchumba Chelilim [:mrchumbastic]
Lorenz A

New contributors (🌟 = first patch)

Dominique
- Fix: Mocked a Fluent ID in testCommonSettingControlPropertiesSet to eliminate logspam errors.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=2000957
Aloys
- Fix: Removed unused browser.display.windows.non_native_menus preference.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=2002985
- Fix: Removed unused identity.fxaccounts.migrateToDevEdition preference.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=2003194
Kipchumba Chelilim [:mrchumbastic]
- Fix: Fully removed confirm-auth prompts, related preferences, and test files.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1905323
- Fix: Enabled clear-search button and reveal-password preferences when launching Storybook.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1956817
Khalid AlHaddad
- Fix: Added WebDriver classic tests for the “Get All Cookies” command.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1983822
Lorenz A
- Bug 983296: Right-aligned numeric values in Netmonitor columns.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=983296
- Bug 1632071: Removed unnecessary exports from Front modules.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1632071
- Bug 1665702: Removed unused idGenerator argument from networkMessageUpdates.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1665702
- Bug 1709063: Stopped exposing toolbox.resourceCommand.
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1709063
- Each of these updates converted an existing module into a modern ES class:
  - Request.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004038
  - toolbox-host-manager.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004203
  - devtools.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004204
  - panel.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004205
  - grip-provider.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004206
  - dom-view.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004207
  - dom-decorator.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004208
  - accessibility panel (devtools/client/accessibility/panel.js) — https://bugzilla.mozilla.org/show_bug.cgi?id=2004210
  - accessibility-view.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004211
  - protocol test head (xpcshell) — https://bugzilla.mozilla.org/show_bug.cgi?id=2004212
  - network observer throttle test — https://bugzilla.mozilla.org/show_bug.cgi?id=2004213
  - discovery tests — https://bugzilla.mozilla.org/show_bug.cgi?id=2004214
  - heapsnapshot Match.sys.mjs — https://bugzilla.mozilla.org/show_bug.cgi?id=2004215
  - server test actors — https://bugzilla.mozilla.org/show_bug.cgi?id=2004216
  - layout reflows observer tests — https://bugzilla.mozilla.org/show_bug.cgi?id=2004217
  - DevToolPanel test harness — https://bugzilla.mozilla.org/show_bug.cgi?id=2004218
  - DevToolsStartup.sys.mjs — https://bugzilla.mozilla.org/show_bug.cgi?id=2004219
  - worker-transport.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004222
  - stream-utils.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004225
  - lazy-pool.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004231
  - Response.js — https://bugzilla.mozilla.org/show_bug.cgi?id=2004232
Sajid Anwar [:sajidanwar]
- Fix: Updated WebDriver navigation to retain the URL when a navigation-committed event fires.
  - Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=2004191

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

As part of the final steps to migrate WebExtensions and AddonManager telemetry analyses and dashboards away from legacy telemetry, we have introduced a new addons Glean ping to submit the list of active add-ons and themes (on startup, on updates and every 24h) – Bug 2000866
- NOTE: The glean addons.active_addons and addons.theme metrics will still be included in both the metrics and addons Glean pings. However the addons ping is expected to become the preferred source of data for add-ons related analyses, whereas the metrics ping may be better suited for analyses that correlate other metrics with the add-ons listed in the addons.active_addons metric.

WebExtension APIs

Fixed a regression related to nativeMessaging API performance, previously regressed in Firefox 138 by Bug 1945470, longer term fix to reduce messages roundtrip time for Chrome Workers landed in Nightly 147 and workaround disabling the DOM Workers timer manager through prefs uplifted to ESR 140 – Bug 2002517

DevTools

Alexandra Borovova [:Sasha] fixed setting navigator.maxTouchPoints in iframes when enabling touch simulation in Responsive Design Mode (#1706066)
Alexandre Poirot [:ochameau] fixed taking memory snapshot for Fenix in about:debugging (#2002728)
Nicolas Chevobbe [:nchevobbe] added a 0.01× playback rate in the Animations panel (#2002248)
Nicolas Chevobbe [:nchevobbe] fixed the “Add new rule” button for element in shadow-root (#1940930)
Nicolas Chevobbe [:nchevobbe] add an anchor badge in the markup view for anchor elements (#1895196)
Nicolas Chevobbe [:nchevobbe] added @position-try rules in Style Editor At-rules sidebar (#2003270)
Julian Descottes [:jdescottes] improved target area for the Debugger left splitter (#1902661)

WebDriver

Khalid AlHaddad added the previously missing WebDriver classic tests for the “Get All Cookies” command.
Vincent Hilla removed code in our WebDriver BiDi implementation that handled HTTP 204 no-content responses, as this logic is no longer required with the updated about:blank behavior.
Benjamin VanderSloot added WebDriver tests for Global Privacy Control support, which will ship with the next geckodriver release.
Julian Descottes updated script.evaluate and script.callFunction to bypass CSP restrictions, which could prevent using eval or new Function. Note that this only impacts WebDriver BiDi, other consumers of the underlying Debugger API such as DevTools or WebExtension are not affected.
Alexandra Borovova implemented a new “emulation.setScreenSettingsOverride” command to allow clients to emulate the screen dimensions for a list of browsing or user contexts.
Henrik Skupin fixed the JSON serialization of Chrome windows in our WebDriver Classic (Marionette) implementation.
Henrik Skupin fixed a bug in the “session.new” command for WebDriver BiDi that previously returned an invalid response payload due to the missing mandatory “setWindowRect” capability.
Henrik Skupin improved the logic in Marionette and WebDriver tests to ensure newly opened Chrome windows are fully loaded before proceeding.

New Tab Page

We have a train-hop coming up for next week (~Tuesday), presuming a green QA sign-off
We’ve rolled out a change to transition more of our New Tab telemetry to use OHTTP by default world-wide, providing better privacy guarantees for our users.
Scott [:thecount] Downe localized the Chinese version of default Top Sites to Chinese script, improving label readability and recognition for zh-CN users.
dgrant@mozilla.com corrected focus ring theming on the New Tab Lists widget, bringing keyboard/high-contrast outlines in line with the active theme for better a11y.
Scott [:thecount] Downe tuned SOV so sponsored/default tiles respect frecency order, reducing cases where promoted tiles displace organic frequent sites.

Search and Navigation

Urlbar

Marco landed a patch to limit semantic history search to a list of supported locales (1992920)
Dao and Moritz continued their searchbar widget work that falls under the larger multi-context address bar project (2003799, 2003804, 2003043, 2002799, 2002377, 1983016, 2001082)
Dharma fixed a bug with the unified search button so that we show a different icon when the user is searching and their “keyword.enabled” pref is false (1922114)
Dharma also landed a patch about the messaging to be shown to users when they organically navigate to google.com, bing.com or duckduckgo.com (1982133)
James fixed a bug where autocomplete stopped working for certain URLs (2001284)

Firefox Suggest

Drew and Daisuke have completed the implementation of the Firefox Suggest online flight status result suggestions (1982135)
Drew fixed a flight result bug (2000873) and sports result bug (2000851) that affected screen readers
Drew made several improvements to how online Ad Marketplace suggestions are dismissed (2003624, 2002383)
Drew landed a patch that removes support for unmanaged Merino suggestions (2002141)

Places

Marco landed a patch to shrink the size of the favicons database by removing expired favicon relations (1959694)

Storybook/Reusable Components/Acorn Design System

Hanna Jones [:hjones] implemented a temporary moz-select icon rendering workaround in Toolkit so custom select options reliably show icons across platforms until a standards-compliant path lands.
- This was to support search engines in SRD

Settings Redesign

Mark Striemer [:mstriemer] migrated Import Browser data to config-based prefs, reducing UI flicker and making the import entry point more reliable for first‑run and migration flows.
Stephanie Cunnane [:scunnane] moved Default search engine to config-based prefs, making about:preferences#search more resilient to policy and locale changes and surfacing predictable engine defaults.
akulyk implemented slot-based config for items/options in config-driven settings, enabling dynamic option lists and cleaner keyboard‑friendly rendering in Settings.
Mark Striemer [:mstriemer] fixed missing margins when the first child input is hidden, restoring expected spacing in nested controls across Preferences and other settings panels.
Harshit Sohaney [:hsohaney] fixed the visibility of the backup settings
Mark Kennedy [:mkennedy] Updated keyboard focus when loading a sub-pane to the first setting Bug 2002958
Mark Kennedy [:mkennedy] Updated the about:logins button to be a link Bug 2002931
Mark Kennedy [:mkennedy] Fixed the focus ring being cut off on the back button of sub-panes Bug 2002923
Tim Giles [:tgiles] Updated payment methods to be sorted by recently-added Bug 2002939
Emma Zühlcke [:emz] converted the ETP top-level card to config-based prefs, tightening about:preferences#privacy load performance and enabling remote defaults/rollouts without code changes.
Emma Zühlcke [:emz] added config-based ETP Advanced controls, unblocking granular privacy toggles that can ship or update via configuration and stay consistent across platforms.
akulyk added a Firefox Support section to the SRD About Firefox page, SRD on only (new group to be shown later).

by Niklas Baumgardner at December 19, 2025 03:19 PM

Mozilla Privacy Blog — Australia’s Social Media Ban: Why Age Limits Won’t Fix What Is Wrong With Online Platforms

On December 10th, Australia’s controversial law banning access for under 16-year-olds to certain social media platforms entered into force. Since its adoption in 2024, the law has sparked a global debate on age verification online and has inspired governments across the world to restrict minors’ access to parts of the web.

At Mozilla, privacy and user empowerment have always formed a core part of our mission. Mozilla supports strong, proportionate safeguards for minors, but we caution against approaches that rely on invasive identity checks, surveillance-based enforcement, or exclusionary defaults. Such interventions rely on the collection of personal and sensitive data and, thus, introduce major privacy and security risks. By following an approach of abstinence and access control, they undermine the rights of young people to express themselves online but do little to address the child safety risks policymakers might seek to address, such as insufficient content moderation, irresponsible data practices, and addictive design.

Rather than simply restricting access to some online platforms, policymakers should focus on fixing the systemic issues at play and incentivize the creation of online spaces that benefit young people and their development.

We are therefore disappointed by the blunt and disproportionate approach taken by the Australian government. We are also concerned about the impact this law, and others like it, will have on online privacy and security, on people’s ability to express themselves and access information, and therefore on the health of the web itself.

The Australian law designates certain services as “age-restricted social media platforms”. This category includes social media platforms like Instagram and TikTok, and video-sharing platforms like YouTube, and excludes certain categories of services, such as messaging providers, email services, and online games. Designated services must ensure that people under 16 years of age do not have accounts on their platforms. To do so, the ages of all users must be determined.

The Australian law provides almost no guidance on how service providers should balance privacy, security, and the robustness of age assurance technologies when performing age checks. Providers are thus left to choose from bad options. In the UK, a similar approach has resulted in users having to entrust some of their most sensitive data to a plethora of newly emerged commercial age assurance providers in order to retain access to the various services they use. These actors often ask for a lot of information while providing little accountability or transparency about their data handling practices. Beyond serious data breaches, this has also led to users losing access to messaging features and the censorship of content deemed sensitive, such as posts about the situation in Gaza or the war in Ukraine. But UK users have also demonstrated how ineffective the age-gating mechanisms of even some of the largest platforms are, using VPNs and video game features to bypass age barriers easily.

While many technologies exist to verify, estimate, or infer users’ ages, fundamental tensions around effectiveness, accessibility, privacy, and security have not been resolved. Rather, the most common forms of age assurance technologies all come with their own significant limitations:

Age estimation refers to AI-based systems that estimate a user’s age, usually based on biometric data like facial images. They may perform well in placing users within broad age bands, but often struggle at key legal thresholds, such as distinguishing between 15 and 16 years old. More troubling are equity concerns: facial estimation systems often underperform for people with darker skin tones, women, and those with non-binary or non-normative facial features due to biased or limited training datasets.
Age inference models are based on vast amounts of user data, such as browsing histories, to infer a user’s age. Similar limitations as for biometric age estimation apply: determining a user’s exact age along legal thresholds is challenging, and users exhibiting unusual behaviors might be profiled as younger or older than they are.
Age verification usually refers to verifying someone’s age by comparing it to a form of government-issued ID. This approach might lead to more precise outcomes, but risks excluding millions of people without access to government ID – many of them minors themselves. It also forces people to share some of their most sensitive data with private companies, where it will be at risk of surveillance, repurposing, or access by law enforcement. Zero-knowledge proofs (ZKPs) – a cryptographic way to prove whether a statement like “I am older than 18” is true without revealing one’s exact age – can help people limit what information they share. Deploying a ZKP-based system that meets goals for veracity and privacy requires considerably more development in both technical and governance aspects than any government has been willing to support. Beyond technical investment, clear frameworks to limit the information companies can collect are needed.

The Australian approach sends a worrying signal: That mandatory age verification and blanket bans are magical solutions to complex societal challenges, regardless of their implications for fundamental rights online. We are convinced, however, that there are rights-respecting alternatives policymakers can pursue to empower young people online and improve their safety and well-being:

Young people have a right to privacy, safety and expression, as put forward by the UN Convention on the Rights of the Child. Policymakers should adopt a child rights-based approach to online safety that balances young people’s protection with their rights to societal participation, free expression, and access to media and information, and should adopt policies to allow young people to benefit from responsibly run online services.
Blanket age-based bans and mandatory age verification should be rejected. Instead, parents and caregivers should be empowered to set age-appropriate limitations for their child on their devices. Policymakers should implement programs that focus on supporting children by providing them with the tools to learn to manage online risks as they grow and learn. This includes developing tools that parents, guardians, and schools can use in teaching and supervision in support of children as they grow.
Rather than banning young people from accessing certain platforms, policymakers should create incentives, enforce existing laws and close regulatory gaps where necessary to address problematic practices that put all social media users’ privacy, wellbeing, and security at risk. This includes extractive data practices and profiling, manipulative advertising, addictive design and dark patterns, and other harmful practices.

In Australia and elsewhere, we are committed to work alongside policymakers to advance meaningful protections for everyone online, while upholding fundamental rights, accessibility and user choice.

With special thanks to Martin Thomson, Distinguished Engineer at Mozilla, for his contributions to this blog.

The post Australia’s Social Media Ban: Why Age Limits Won’t Fix What Is Wrong With Online Platforms appeared first on Open Policy & Advocacy.

by Svea Windwehr at December 19, 2025 08:59 AM

The Rust Programming Language Blog — What do people love about Rust?

Rust has been named Stack Overflow's Most Loved (now called Most Admired) language every year since our 1.0 release in 2015. That means people who use Rust want to keep using Rust¹--and not just for performance-heavy stuff or embedded development, but for shell scripts, web apps, and all kinds of things you wouldn't expect. One of our participants captured it well when they said, "At this point, I don't want to write code in any other language but Rust."

When we sat down to crunch the vision doc data, one of the things we really wanted to explain was: What is it that inspires that strong loyalty to Rust?² Based on the interviews, the answer is at once simple and complicated. The short version is that Rust empowers them to write reliable and efficient software. If that sounds familiar, it should: it's the slogan that we have right there on our web page. The more interesting question is how that empowerment comes about, and what it implies for how we evolve Rust.

What do people appreciate about Rust?

The first thing we noticed is that, throughout every conversation, no matter whether someone is writing their first Rust program or has been using it for years, no matter whether they're building massive data clusters or embedded devices or just messing around, there are a consistent set of things that they say they like about Rust.

The first is reliability. People love that "if it compiles, it works" feeling:

"What I really love about Rust is that if it compiles it usually runs. That is fantastic, and that is something that I'm not used to in Java." -- Senior software engineer working in automotive embedded systems

"Rust is one of those languages that has just got your back. You will have a lot more sleep and you actually have to be less clever." -- Rust consultant and open source framework developer

Another, of course, is efficiency. This comes up in particular at the extremes, both very large scale (data centers) and very small scale (embedded):

"I want to keep the machine resources there for the [main] computation. Not stealing resources for a watchdog." -- Software engineer working on data science platforms

"You also get a speed benefit from using Rust. For example, [..] just the fact that we changed from this Python component to a Rust component gave us a 100fold speed increase." -- Rust developer at a medical device startup

Efficiency comes up particularly often when talking to customers running "at-scale" workloads, where even small performance wins can translate into big cost savings:

"We have a library -- effectively it's like an embedded database -- that we deploy on lots of machines. It was written in Java and we recently rewrote it from Java to Rust and we got close to I think 9x to 10x performance wins." -- Distinguished engineer working on cloud infrastructure services

"I'm seeing 4x efficiency in the same module between Java code that loads a VM and Rust. That's a lot of money you save in data center cost." -- Backend engineering company founder specializing in financial services

At the other end of the spectrum, people doing embedded development or working at low-levels of abstraction highlight Rust's ability to give low-level control and access to system details:

"Rust was that replacement for C I'd been looking for forever." -- Backend engineering company founder specializing in financial services

"If you're going to write something new and you do kind of low-level systemsy stuff, I think Rust is honestly the only real choice." -- Distinguished engineer

Many people cite the importance of Rust's supportive tooling, which helps them get up and going quickly, and in particular the compiler's error messages:

"I think a big part of why I was able to succeed at learning Rust is the tooling. For me, getting started with Rust, the language was challenging, but the tooling was incredibly easy." -- Executive at a developer tools company

"The tooling really works for me and works for us. The number one way that I think I engage with Rust is through its tooling ecosystem. I build my code through Cargo. I test it through Cargo. We rely on Clippy for everything." -- Embedded systems engineer working on safety-critical robotics

"I think the error messages and suggestions from the Rust compiler are super helpful also." -- Professor specializing in formal verification

Finally, one of Rust's most important virtues is its extensibility. Both in the language itself and through the crates.io ecosystem, Rust is designed to let end-users create libraries and abstractions that meet their needs:

"The crate ecosystem combined with the stability guarantees and the semantic versioning mean that it's the best grab and go ecosystem I've ever seen." -- Computer science professor and programming language designer

"I think proc macros are a really big superpower for Rust." -- Creator and maintainer of Rust networking libraries

"Rust is incredibly good at making it very very easy to get started, to reuse things, just to experiment quickly with new tools, new libraries, all the rest of it... so for me, as an experimentation platform, it's great." -- Rust expert and consultant focused on embedded and real-time systems

But what they love is the sense of empowerment and versatility

Reliability, efficiency, tooling, ecosystem—these are all things that people appreciate about Rust. But what they love isn't any one of those things. It's the way the combination makes Rust a trusted, versatile tool that you can bring to virtually any problem:

"When I got to know about it, I was like 'yeah this is the language I've been looking for'. This is the language that will just make me stop thinking about using C and Python. So I just have to use Rust because then I can go as low as possible as high as possible." -- Software engineer and community organizer in Africa

"I wanted a language that works well from top to bottom in a stacking all the way from embedded to very fancy applications" -- Computer science professor and programming language designer

"If [Rust] is going to try and sort of sell itself more in any particular way, I would probably be saying high performance, highly expressive, general purpose language, with the great aspect that you can write everything from the top to the bottom of your stack in it." -- Rust expert and consultant focused on embedded and real-time systems

Each piece is necessary for the whole to work

Take away the reliability, and you don't trust it: you're second-guessing every deployment, afraid to refactor, hesitant to let junior developers touch the critical paths.

"Rust just lowers that bar. It's a lot easier to write correct Rust code. As a leader on the team, I feel a lot safer when we have less experienced engineers contributing to these critical applications." -- Distinguished engineer working on cloud infrastructure services

"My experience with writing Rust software tends to be once you've got it working, it stays working. That's a combination of a lot of care taken in terms of backwards compatibility with the language and a lot of care taken around the general ecosystem." -- Rust expert and consultant focused on embedded and real-time systems

Reliability also provides guardrails that help people enter new domains—whether you're a beginner learning the ropes or an expert venturing into unfamiliar territory:

"Rust introduces you to all these things, like match and all these really nice functional programming methods." -- Software engineer with production Rust experience

"I think Rust ownership discipline is useful both for regular Rust programmers and also for verification. I think it allows you to within the scope of your function to know very clearly what you're modifying, what's not being modified, what's aliased and what's not aliased." -- Professor specializing in formal verification

"I discovered Rust... and was basically using it just to give myself a little bit more confidence being like a solo firmware developer" -- Software engineer working on automotive digital cockpit systems

Take away the efficiency and low-level control, and there are places you can't go: embedded systems, real-time applications, anywhere that cost-per-cycle matters.

"The performance in Rust is nutty. It is so much better and it's safe. When we rewrote C++ and C libraries or C applications into Rust, they would end up being faster because Rust was better at laying out memory." -- Senior Principal Engineer leading consumer shopping experiences

"9 times out of 10, I write microcontroller code and I only test it through unit testing. I put it on real hardware and it just works the first time." -- Embedded systems engineer working on safety-critical robotics

"I can confidently build systems that scale." -- Engineering manager with 20 years experience in media and streaming platforms

Take away the tooling and ecosystem, and you can't get started: or you can, but it's a slog, and you never feel productive.

"For me, getting started with Rust, the language was challenging, but the tooling was incredibly easy... I could just start writing code and it would build and run, and that to me made a huge difference." -- Founder and CEO of company creating developer tools

"Cargo is an amazing package manager. It is probably the best one I've ever worked with. I don't think I ever run into issues with Cargo. It just works." -- Software engineer with production Rust experience

"The Rust compiler is fantastic at kind of the errors it gives you. It's tremendously helpful in the type of errors it produces for it. But not just errors, but the fact it also catches the errors that other languages may not catch." -- Distinguished engineer working on cloud infrastructure services

The result: Rust as a gateway into new domains

When all these pieces come together, something interesting happens: Rust becomes a gateway into domains that would otherwise be inaccessible. We heard story after story of people whose careers changed because Rust gave them confidence to tackle things they couldn't before:

"I was civil engineering and I studied front-end development on my own, self taught. I had no computer background. I got interested in Rust and distributed systems and designs and systems around it. I changed my major, I studied CS and Rust at the same time." -- Software engineer transitioning to cryptography research

"I've been working with arbitrary subsidiaries of [a multinational engineering and technology company] for the last 25 years. Always doing software development mostly in the Java space... two years ago I started peeking into the automotive sector. In that context it was a natural consequence to either start working with C++ (which I did not want to do) or take the opportunity to dive into the newly established Rust ecosystem." -- Senior software engineer working in automotive embedded systems

"I started in blockchain. Currently I'm doing something else at my day job. Rust actually gave me the way to get into that domain." -- Rust developer and aerospace community leader

"Before that, I had 10 years of programming on some dynamic programming languages, especially Ruby, to develop web applications. I wanted to choose some language which focuses on system programming, so I chose Rust as my new choice. It is a change of my career." -- Rust consultant and author working in automotive systems and blockchain infrastructure

But the balance is crucial

Each of Rust's attributes are necessary for versatility across domains. But when taken too far, or when other attributes are missing, they can become an obstacle.

Example: Complex APIs and type complexity

One of the most powerful aspects of Rust is the way that its type system allows modeling aspects of the application domain. This prevents bugs and also makes it easier for noobs to get started 3:

"Instead of using just a raw bit field, somebody encoded it into the type system. So when you'd have a function like 'open door', you can't pass an 'open door' if the door's already open. The type system will just kick that out and reject it." -- Software engineer working on automotive digital cockpit systems

"You can create contracts. For example, when you are allowed to use locks in which order." -- Senior embedded systems engineer working on automotive middleware development

The problem though is that sometimes the work to encode those invariants in types can create something that feels more complex than the problem itself:

"When you got Rust that's both async and generic and has lifetimes, then those types become so complicated that you basically have to be some sort of Rust god in order to even understand this code or be able to do it." -- Software engineer with production Rust experience

"Instead of spaghetti code, you have spaghetti typing" -- Platform architect at automotive semiconductor company

"I find it more opaque, harder to get my head around it. The types describe not just the interface of the thing but also the lifetime and how you are accessing it, whether it's on the stack or the heap, there's a lot of stuff packed into them." -- Software engineer working on data science platforms

This leads some to advocate for not using some of Rust's more complex features unless they are truly needed:

"My argument is that the hard parts of Rust -- traits, lifetimes, etc -- are not actually fundamental for being productive. There's a way to set up the learning curve and libraries to onboard people a lot faster." -- Creator and maintainer of Rust networking libraries

Example: Async ecosystem is performant but doesn't meet the bar for supportiveness

Async Rust has fueled a huge jump in using Rust to build network systems. But many commenters talked about the sense that "async Rust" was something altogether more difficult than sync Rust:

"I feel like there's a ramp in learning and then there's a jump and then there's async over here. And so the goal is to get enough excitement about Rust to where you can jump the chasm of sadness and land on the async Rust side." -- Software engineer working on automotive digital cockpit systems

"My general impression is actually pretty negative. It feels unbaked... there is a lot of arcane knowledge that you need in order to use it effectively, like Pin---like I could not tell you how Pin works, right?" -- Research software engineer with Rust expertise

For Rust to provide that "trusted tool that will help you tackle new domains" experience, people need to be leverage their expectations and knowledge of Rust in that new domain. With async, not only are there missing language features (e.g., async fn in traits only became available last year, and still have gaps), but the supportive tooling and ecosystem that users count on to "bridge the gap" elsewhere works less well:

"I was in favor of not using async, because the error messages were so hard to deal with." -- Desktop application developer

"The fact that there are still plenty of situations where you go that library looks useful, I want to use that library and then that immediately locks you into one of tokio-rs or one of the other runtimes, and you're like that's a bit disappointing because I was trying to write a library as well and now I'm locked into a runtime." -- Safety systems engineer working on functional safety for Linux

"We generally use Rust for services, and we use async a lot because a lot of libraries to interact with databases and other things are async. The times when we've had problems with this is like, um, unexplained high CPU usage, for example. The only really direct way to try to troubleshoot that or diagnose it is like, OK, I'm going to attach GDB and I'm gonna try to see what all of the threads are doing. GDB is -- I mean, this is not Rust's fault obviously -- but GDB is not a very easy to use tool, especially in a larger application. [..] And with async, it's, more difficult, because you don't see your code running, it's actually just sitting on the heap right now. Early on, I didn't actually realize that that was the case." -- Experienced Rust developer at a company using Rust and Python

Async is important enough that it merits a deep dive. Our research revealed a lot of frustration but we didn't go deep enough to give more specific insights. This would be a good task to be undertaken by the future User Research team (as proposed in our first post).

Example: The wealth of crates on crates.io are a key enabler but can be an obstacle

We mentioned earlier how Rust's extensibility is part of how it achieves versatility. Mechanisms like overloadable operators, traits, and macros let libraries create rich experiences for developers; a minimal standard library combined with easy package management encourage the creation of a rich ecosystem of crates covering needs both common and niche. However, particularly when people are first getting started, that extensibility can come at the cost of supportiveness, when the "tyranny of choice" becomes overwhelming:

"The crates to use are sort of undiscoverable. There's a layer of tacit knowledge about what crates to use for specific things that you kind of gather through experience and through difficulty. Everyone's doing all of their research." -- Web developer and conference speaker working on developer frameworks

"Crates.io gives you some of the metadata that you need to make those decisions, but it's not like a one stop shop, right? It's not like you go to crates.io and ask 'what I want to accomplish X, what library do I use'---it doesn't just answer that." -- Research software engineer

The Rust org has historically been reluctant to "bless" particular crates in the ecosystem. But the reality is that some crates are omnipresent. This is particular challenging for new users to navigate:

"The tutorial uses Result<Box<dyn Error>> -- but nobody else does. Everybody uses anyhow-result... I started off using the result thing but all the information I found has example code using anyhow. It was a bit of a mismatch and I didn't know what I should do." -- Software engineer working on data science platforms

"There is no clear recorded consensus on which 3P crates to use. [..] Sometimes it's really not clear---which CBOR crate do you use?[..] It's not easy to see which crates are still actively maintained. [..] The fact that there are so many crates on crates.io makes that a little bit of a risk." -- Rust team from a large technology company

Recommendations

Enumerate Rust's design goals and integrating them into our processes

We recommend creating an RFC that defines the goals we are shooting for as we work on Rust. The RFC should cover the experience of using Rust in total (language, tools, and libraries). This RFC could be authored by the proposed User Research team, though it's not clear who should accept it — perhaps the User Research team itself, or perhaps the leadership council.

This post identified how the real "empowering magic" of Rust arises from achieving a number of different attributes all at once -- reliability, efficiency, low-level control, supportiveness, and so forth. It would be valuable to have a canonical list of those values that we could collectively refer to as a community and that we could use when evaluating RFCs or other proposed designs.

There have been a number of prior approaches at this work that we could build on (e.g., this post from Tyler Mandry, the Rustacean Principles, or the Rust Design Axioms). One insight from our research is that we don't need to define which values are "most important". We've seen that for Rust to truly work, it must achieve all the factors at once. Instead of ranking, it may help to describe how it feels when you:

Don't achieve it (too little)
Get it right (the sweet spot)
Go overboard (too much)

This "goldilocks" framing helps people recognize where they are and course-correct, without creating false hierarchies.

Double down on extensibility

We recommend doubling down on extensibility as a core strategy. Rust's extensibility — traits, macros, operator overloading — has been key to its versatility. But that extensibility is currently concentrated in certain areas: the type system and early-stage proc macros. We should expand it to cover supportive interfaces (better diagnostics and guidance from crates) and compilation workflow (letting crates integrate at more stages of the build process).

Rust's extensibility is a big part of how Rust achieves versatility, and that versatility is a big part of what people love about Rust. Leveraging mechanisms like proc macros, the trait system, and the borrow checker, Rust crates are able to expose high-level, elegant interfaces that compile down to efficient machine code. At its best, it can feel a bit like magic.

Unfortunately, while Rust gives crates good tools for building safe, efficient abstractions, we don't provide tools to enable supportive ones. Within builtin Rust language concepts, we have worked hard to create effective error messages that help steer users to success; we ship the compiler with lints that catch common mistakes or enforce important conventions. But crates benefit from none of this. RFCs like RFC #3368, which introduced the diagnostic namespace and #[diagnostic::on_unimplemented], Rust has already begun moving in this direction. We should continue and look for opportunities to go further, particularly for proc-macros which often create DSL-like interfaces.

The other major challenge for extensibility is concerned with the build system and backend. Rust's current extensibility mechanisms (e.g., build.rs, proc-macros) are focused on the early stages of the compilation process. But many extensions to Rust, ranging from interop to theorem proving to GPU programming to distributed systems, would benefit from being able to integrate into other stages of the compilation process. The Stable MIR project and the build-std project goal are two examples of this sort of work.

Doubling down on extensibility will not only make current Rust easier to use, it will enable and support Rust's use in new domains. Safety Critical applications in particular require a host of custom lints and tooling to support the associated standards. Compiler extensibility allows Rust to support those niche needs in a more general way.

Help users get oriented in the Rust ecosystem

We recommend finding ways to help users navigate the crates.io ecosystem. Idiomatic Rust today relies on custom crates for everything from error-handling to async runtimes. Leaning on the ecosystem helps Rust to scale to more domains and allows for innovative new approaches to be discovered. But finding which crates to use presents a real obstacle when people are getting started. The Rust org maintains a carefully neutral stance, which is good, but also means that people don't have anywhere to go for advice on a good "starter set" crates.

The right solution here is not obvious. Expanding the standard library could cut off further experimentation; "blessing" crates carries risks of politics. But just because the right solution is difficult doesn't mean we should ignore the problem. Rust has a history of exploring creative solutions to old tradeoffs, and we should turn that energy to this problem as well.

Part of the solution is enabling better interop between libraries. This could come in the form of adding key interop traits (particularly for async) or by blessing standard building blocks (e.g., the http crate, which provides type definitions for HTTP libraries). Changes to coherence rules can also help, as the current rules do not permit a new interop trait to be introduced in the ecosystem and incrementally adopted.

Conclusion

To sum up the main points in this post:

What people love about Rust is the way it empowers them to tackle tough problems and new domains. This is not the result of any one attribute but rather a careful balancing act between many; if any of them are compromised, the language suffers significantly.
We make three recommendations to help Rust continue to scale across domains and usage levels
- Enumerate and describe Rust's design goals and integrate them into our processes, helping to ensure they are observed by future language designers and the broader ecosystem.
- Double down on extensibility, introducing the ability for crates to influence the develop experience and the compilation pipeline.
- Help users to navigate the crates.io ecosystem and enable smoother interop

In 2025, 72% of Rust users said they wanted to keep using it. In the past, Rust had a way higher score than any other language, but this year, Gleam came awfully close, with 70%! Good for them! Gleam looks awesome--and hey, good choice on the fn keyword. ;) ↩
And, uh, how can we be sure not to mess it up? ↩
...for experienced devs operating on less sleep, who do tend to act a lot like noobs. ↩

by Niko Matsakis at December 19, 2025 12:00 AM

December 18, 2025

The Mozilla Blog — Welcoming John Solomon as Mozilla’s new Chief Marketing Officer

Mozilla has always believed that technology should serve people — not the other way around. As we enter a moment of rapid change in how people experience the internet and AI, we’re focused on building products that are private, transparent, and put people in control. Today, we’re excited to take an important step forward in that work by welcoming John Solomon as Mozilla’s new Chief Marketing Officer.

Solomon joins Mozilla this week and will lead our global marketing and communications teams. His arrival marks the next chapter in strengthening how we tell Mozilla’s story and how we bring our values to life in the products millions of people rely on every day.

Bringing more than two decades of experience building category-defining brands and leading global marketing teams, Solomon is a veteran brand builder with leadership roles at Therabody, Apple, and Beats by Dre. He was also named one of Forbes’ 50 Most Entrepreneurial CMOs for 2025. Solomon has a track record of turning products into cultural touchpoints and brands into household names. This experience is essential as Mozilla works to remind hundreds of millions of people around the world that they have real choice in the technology they use.

Solomon’s career spans companies that have shaped culture as much as they have shaped markets. At Therabody, he helped redefine and scale the company into a category-leading wellness brand with a mission to help people live healthier, happier lives longer. At Beats, he played a pivotal role in the brand’s global rise and its breakthrough cultural relevance, later joining Apple’s worldwide Marcom organization to launch some of the company’s most iconic hardware, software, and digital services. Earlier in his career, he founded and sold enoVate, a consumer insights and strategy firm based in Shanghai.

For Mozilla, John steps into the role at a moment when trust in technology is eroding and AI is reshaping how people navigate the internet. Our responsibility — and our opportunity — is to build products that are private, transparent, and put people in control. Marketing plays a central role in making that mission visible, accessible, and relevant to a global audience. John not only understands the importance of this moment but the impact it will have on future generations.

Solomon will lead Mozilla’s global marketing and communications teams, working closely with leaders across the company to build on the strong progress made this year.

Mozilla’s mission has always been to ensure the internet remains open, accessible, and driven by human agency. As we enter a new era shaped by AI and renewed debates over consumer agency, John’s experience — and his commitment to purpose-driven work — will help us meet this moment with clarity and ambition.

Please join us in welcoming John Solomon to Mozilla.

The post Welcoming John Solomon as Mozilla’s new Chief Marketing Officer appeared first on The Mozilla Blog.

by Mozilla at December 18, 2025 01:01 PM

Mozilla Thunderbird — Thunderbird 2025 Review: Building Stronger for the Future

2025 was an exciting year for Thunderbird. Many improvements were shipped throughout the year, from faster updates with a new release cadence, to a modernized codebase for the desktop app. We made big strides on our mobile apps and introduced the upcoming Thunderbird Pro to the world.

As we wrap up the year, a huge thank you to our community and volunteer contributors, and to our donors whose financial support keeps the lights on for the dedicated team working on Thunderbird. Here’s what we accomplished in 2025 and what’s to come in the new year.

A Stronger Core, Built to Last

This year marked the release of Thunderbird 140 “Eclipse”, our latest Extended Support Release. Eclipse was more than a visual refresh. It was a deep clean of Thunderbird’s core, removing long standing technical debt and modernizing large parts of the codebase.

The result is a healthier foundation that allows us to ship improvements more reliably and more often. Features like the new Account Hub, accessibility improvements, and cleaner visual controls are all part of this effort. They may look simple on the surface, but they represent significant behind the scenes progress that sets Thunderbird up for the long term.

Faster Updates, Delivered Monthly

Speaking of faster updates, in 2025 monthly releases became the default for Thunderbird desktop. This was a major shift from our focus on the annual cadence centered around the Extended Support Release.

Moving to monthly releases means new features land sooner, bug fixes arrive faster, and updates feel smoother instead of disruptive. Users no longer have to wait an entire year to benefit from improvements. Thunderbird now evolves continuously while maintaining the stability people expect.

Thunderbird Meets Exchange

One of the most requested features is finally here. Native Microsoft Exchange email support landed in Thunderbird’s monthly release channel with 145.0.

You can now connect Exchange accounts directly without relying on third party add-ons for email. Setup is simpler, syncing is more reliable, and Thunderbird works more naturally in Exchange based environments. Calendar and address book support are still in progress, but native email support marks an important milestone toward broader compatibility.

Mobile Moves Forward

Thunderbird’s mobile story continued to grow in 2025.

On Android, the team refined release processes, improved core experiences, and began breaking larger features into smaller, more frequently delivered updates. At the same time, Thunderbird for iOS took a major step forward with a basic developer testing app available via Apple TestFlight. This marked the first public signal that Thunderbird is officially expanding onto iOS, with active development well underway and headed toward iPhones in 2026.

Introducing Thunderbird Pro

In 2025, we announced Thundermail and Thunderbird Pro, the first ever email service from Thunderbird alongside new cloud based productivity features designed to work seamlessly with the app.

Thunderbird Pro will include:

Thundermail, an open source email service from Thunderbird
Appointment, a scheduling tool
Send, an end to end encrypted file sharing service

These services are built to respect user privacy, remain open source, and offer additional functionality by subscription for those who need it, without compromising the forever free and powerful Thunderbird desktop and mobile apps. Throughout the year, we made significant progress across all three services and launched the Thunderbird Pro website, marking a major step toward early access and testing. The Early Bird beta is set to kick off in the first part of 2026. Catch up on the full details in our latest update and, if you’re not on the waitlist yet, join in.

Looking Ahead to 2026

The work in 2025 set the stage for an even more ambitious year ahead.

In 2026, our desktop plans include updating our decades-old database, expanding Exchange and protocol support, and refreshing the Calendar UI. For Thunderbird Pro, we aim to release the Early Bird beta in the first part of the year. Our plans for Android focus on rearchitecture of old code, quality of life improvements, and a new UI. For iOS, we’re moving closer to an initial beta release with expanded protocol support. Be sure to follow this blog for updates on the desktop and mobile apps and Thunderbird Pro.

Thunderbird is moving faster, reaching more platforms, and building a more complete ecosystem while staying true to our values. Thanks for being part of the journey, and wishing all of you a fantastic 2026.
Thunderbird is moving faster, reaching more platforms, and building a more complete ecosystem while staying true to our values.

Thanks for being part of the journey, and wishing all of you a fantastic 2026!

All of our work is funded solely by individual donations from our users and community.
Help support the future of Thunderbird!
For other ways to get involved with the Thunderbird project, visit our participate page.

The post Thunderbird 2025 Review: Building Stronger for the Future appeared first on The Thunderbird Blog.

by Monica Ayhens-Madon and Natalie Ivanova at December 18, 2025 01:00 PM

Mozilla Localization (L10N) — Contributor Spotlight: Andika

About You

My name is Andika. I’m from Indonesia, and I speak Indonesian, Javanese, and English. I’ve been contributing to Mozilla localization for a long time, long enough that I don’t clearly remember when I started. I mainly focus on Firefox and Thunderbird, but I also contribute to many other open source projects.

Exploring Padar Island where Komodo dragons can be spotted.

Contributing to Mozilla Localization

Q: Can you tell us a bit about your background and how you found localization?

A: I started my open source journey in the 1990s. Early on, I helped others through mailing lists by troubleshooting problems and answering questions. I also tried filing bugs and maintaining packages, but over time I felt those contributions didn’t always have a lasting impact.

Around 2005, I started translating open source software. Translation felt different — it felt like a contribution that could last longer than the technology itself. When I saw poor translation quality online, I felt I could do better, and that motivated me to get involved. Localization became the most meaningful way for me to give back.

Q: What does your contribution to Mozilla localization look like today?

A: I primarily work on Firefox and Thunderbird. Over the years, I’ve translated tens of thousands of strings although some of those strings no longer exist in the codebase and remain only in translation memory. I also contribute to many other open source organizations, but Mozilla remains one of my main areas of focus.

Even though I don’t always use the products I localize — my professional work involves backend work, a lot of remote troubleshooting and maintenance — I stay connected to the quality of the translations through community collaboration and shared practices.

Workflow, Habits, and Collaboration

Q: How do you approach your localization work and collaborate with others?

A: Most of my localization work happens incrementally. I often carry unfinished translation files on my laptop so I can continue working offline, especially when the internet connection isn’t reliable. When I have multiple modules to choose from, I usually start with the ones that have the fewest untranslated strings. Seeing a module reach full translation gives me a lot of satisfaction.

To avoid burnout, I set small, realistic goals, sometimes something as simple as translating 50 strings before switching to another task. I tend to use small pockets of free time throughout the day, like waiting at a public transportation station or an appointment, and those fragments add up.

Collaboration plays a big role in maintaining quality. Within the Indonesian localization community, we use Telegram to discuss difficult or new terms and work toward consensus. Terminology and style guides are maintained together; it’s not a one-person responsibility.

I’ve also worked on localization in other projects like GNOME, where we translate module by module, we review each other’s work, and then commit changes as a group. Compared to Pontoon’s string-by-string approach, this workflow offers more flexibility, especially when working offline.

Perspective Across Open Source and Beyond

Q: You contribute to many open source projects. How does Mozilla localization compare, and what would you like to see improved?

A: For Indonesian localization, Mozilla is the most organized team I’ve worked with and has the largest active team. Some projects may appear larger on paper, but active participation matters more than numbers, and that’s where Mozilla really stands out.

One improvement I’d like to see is better support for offline translation in Pontoon. Another area is shortcut conflict detection — translators often can’t easily see whether keyboard shortcuts conflict unless all menu items or dialog elements are rendered together. Automated checks or rendered views of translated dialogs would make that process much easier.

That said, one thing Pontoon does very well, and that other projects could learn from, is the improving quality of online and AI-assisted translation suggestions.

Speaking at Fosdem in February 2024 on “Long Term Effort to Keep Translations Up-To-Date”

Professional Life and a Personal Note

Q: What do you do professionally, and how does it connect with your localization work?

A: I work as an IT security consultant. I started using a PC in 1984, learning to program in BASIC, Pascal, FORTRAN, Assembly, and C. C is my most favorite language up to now. I also tried various OSes from CP/M, DOS, OS/2, VMS, Netware, Windows, SCO, Solaris, then fell in love with Linux. I have been using Debian since version 1.3. Later I changed my focus from programming into IT security. My job requires staying up to date with security concepts and terminology, which helps when translating security-related strings. At the same time, localization sometimes introduces me to features I might later use professionally. The two areas complement each other in unexpected ways.

As for something more personal: I hate horror movies, I love cats, and I’ve had the chance to witness the rise and fall of many technologies over the years. I also maintain a personal wiki to keep track of my open source work though I keep telling myself I need to migrate it to GitHub one day.

by Peiying Mo at December 18, 2025 05:16 AM

Tarek Ziadé — Why Open Source Is Fundamental in AI (Essay)

Artificial intelligence is becoming a foundational layer of modern software. It is no longer confined to research labs, but embedded directly in everyday tools and user experiences.

As AI moves closer to users, openness becomes a question of power. Who can inspect these systems? Who can adapt them? And who ultimately controls how they evolve?

The web offers a useful reference point. Open source software and open standards turned the World Wide Web into shared infrastructure rather than a proprietary stack owned by a single company or government, even if many tried to enclose parts of it. That openness was not accidental. It shaped who could participate, compete, and be held accountable.

What Open Source AI Enables

Open source AI is often reduced to code availability. In practice, and as the Open Source Initiative (OSI) emphasizes in its Open Source AI Definition, it is about concrete freedoms.

An open source AI system can be used, studied, modified, and shared. Studying means inspecting behavior, limits, and failure modes. Modifying means adapting models to new domains, languages, or constraints. Sharing means deploying systems without being locked to a single vendor or API.

These freedoms must apply not only to code, but also to models, weights, and the tooling required to run them. Without that access, reuse is brittle and understanding remains shallow.

Open source enables verification, reproducibility, and portability. It allows systems to be audited, adapted, and redeployed independently. In a field defined by cost, scale, and complexity, these are not luxuries. They are prerequisites for agency.

Open access does not eliminate power imbalances. Compute, data, and expertise still matter. But it preserves the possibility of independent action, which is often the difference between participation and dependency.

Open Standards and Shared Infrastructure

Open source alone is not enough. Open standards define shared interfaces that allow independently built systems to work together.

The web proved this model at global scale. By separating interfaces from implementations, standards enabled competition without fragmentation. In AI, standards around model formats, inference interfaces, evaluation, and data documentation can lower switching costs and prevent ecosystems from hardening into silos controlled by a few gatekeepers.

Without standards, “openness” risks collapsing into a collection of incompatible artifacts, each tied to its own platform or service.

Looking Ahead

Some infrastructure works best when treated as a common good. The web’s resilience came from the fact that no single actor owned its foundations.

AI is on track to become similar infrastructure. The question is not whether it will be powerful, but whether it will be governable.

If core models, datasets, and interfaces are only accessible through proprietary APIs and cloud platforms, then “AI adoption” will mostly mean dependency. Choice will be limited to pricing tiers, usage caps, and terms of service.

Not everything should be owned and monetized by a small number of companies. Projects like Mozilla’s Common Voice show that shared assets can be built and maintained in the open, at meaningful scale.

Shared infrastructure also depends on shared spaces. Platforms like Hugging Face play a critical role by enabling collaboration around models, datasets, and tools, and by lowering the barrier to participation in open AI ecosystems.

Open source and open standards are not about nostalgia or ideology. They are about keeping the option to walk away. To inspect. To fork. To rebuild.

Once that option is gone, it is rarely recovered.

References

Open Source Initiative, Open Source AI Definition
W3C Machine Learning Working Group
Mozilla Common Voice
Hugging Face

by at December 18, 2025 12:00 AM

December 17, 2025

Mozilla Addons Blog — Presenting 2025 Firefox Extension Developer Award Recipients

Extensions have long been at the heart of the Firefox — providing users with powerful options to personalize their browsing experience. Nearly half of all Firefox users have installed at least one extension. These incredible tools and features are built by a community of more than 10,000 developers. While all developers contribute to the depth and diversity of our ecosystem, some of the most popular extensions provide significant global impact.

Today we celebrate our first cohort of notable developers. Below are this year’s recipients of the Firefox Extension Developer Award, presented to developers of some of the most popular Firefox extensions. The bespoke metal trophies were designed by Alper Böler, a California-based industrial designer and artist.

On behalf of Mozilla, and all Firefox users, thank you to all developers for your amazing contributions to the ecosystem!

Platinum

uBlock Origin — Ad blocker with 10M+ users. uBlock Origin has long been one of the most popular extensions for Firefox, providing a massive positive impact for users. This is a well-supported extension maintained by a passionate group of contributors, and we’d like to extend a special thank you to everyone who helps make this an exceptional extension.

(Reflecting astounding recent growth, uBlock Origin averaged 9.5M daily users when the awards were commissioned, which would have made it a Gold Award recipient; however it has since surpassed 10.5M daily users so we’ve elevated uBlock Origin to Platinum status.)

Silver

Ablock Plus — Debuted on Firefox all the way back in 2006.

Video DownloadHelper — Immensely capable media downloader.

Privacy Badger — “Privacy Badger is developed by the Electronic Frontier Foundation, a digital rights nonprofit with a 35-year history of defending online privacy. We created Privacy Badger over a decade ago to fight pervasive, nonconsensual tracking online. In the absence of strong privacy laws, surveillance has become the business model of the internet. Just browsing the web can expose sensitive data to advertisers, Big Tech companies, and data brokers. While we continue advocating for comprehensive privacy legislation, Privacy Badger gives people a quick, easy way to protect themselves. Privacy Badger is both a practical tool for individuals and part of EFF’s broader effort to end online surveillance for everyone.” – Lena Cohen, Staff Technologist at EFF

AdBlocker Ultimate — Also works beautifully on Firefox for Android.

AdGuard AdBlocker — Blocks ads and will also warn you about potentially malicious websites.

Dark Reader — “Working long hours in front of a bright computer screen made my eyes tired. LCD screens can feel like staring into a light bulb. Dark Reader started as a simple screen inverter to give my eyes a break. Over time, it evolved into a much more sophisticated tool, adapting to the growing needs of users.” – Alexander Shutau

AdBlock for Firefox — Arrived to the Firefox ecosystem in 2014.

DuckDuckGo Search & Tracker Protection — “At DuckDuckGo, we want to help people take back control of their personal information — whether that be when they’re making a search, using AI, emailing, or browsing. In 2017, we had a search engine, but we knew we wanted to extend privacy to the browsing experience. At that time we hadn’t built our own browser, so we bundled private search, tracking and fingerprinting protections, and more, into an easy-to-add web extension.” – Sam Macbeth

Bronze

Ghostery — “We wanted to create a truly user-focused ad blocker — one that doesn’t compromise on effectiveness, doesn’t maintain whitelists for advertisers, and gives people back control of their browsing experience. Many tools in the market were tied to ad industry interests, so our goal was to build a 100% independent, transparent solution. Ghostery was one of the first add-ons ever published on the Mozilla platform. Its original motivation was to bring transparency to the web.” – Krzysztof Modras

Return YouTube Dislike — “(I made it) for my own convenience. I wanted to use this feature myself, first and foremost. I think YouTube misses a lot by making dislike counts invisible.” – Dmitry Selivanov

Translate Web Pages — An effectively simple translation tool.

Bitwarden — “Back in 2015-’16, I was frustrated with the existing password management landscape. As a developer and engineer, I saw several problems that needed solving: complicated setup procedures, lack of cross-platform availability, and fragmented open source solutions that were hard to trust. I wanted to create a password manager that would meet the needs of someone like myself — a technologist who valued simplicity, transparency, and accessibility. The browser extension was one of the first components I built and it turned out to be crucial for Bitwarden since it made password management seamless for users across their daily web browsing.” – Kyle Spearrin

To Google Translate — “When I was at university, I started learning English on my own. I used to read articles in English about security and programming, and whenever I didn’t understand a word or was unsure about its pronunciation, I would copy and paste it into Google Translate to learn its meaning and how to say it. Over time, I realized this process was very manual and time-consuming, since I still had a lot of vocabulary to learn. That’s when I thought: ‘Is it possible to automate this to make it easier?’ That insight led me to build an add-on. In short, it started as a personal need, and later I realized that many others shared the same challenge. I never imagined the extension would reach and help so many people.” – Juan Escobar

IDM Integration Module — Companion extension to the popular desktop application.

Tampermonkey — “In 2008 I teamed up with a friend to develop a Greasemonkey userscript that automated parts of an online game. The script eventually grew into a full‑featured Firefox extension. When Chrome was released, I ported the extension to that browser and realized that the insights I gained about the WebExtension APIs could serve as the foundation for a new userscript manager. I later launched that manager, Tampermonkey, in May 2010. Firefox’s switch to WebExtensions in 2015 gave me an opportunity to bring Tampermonkey to Firefox as well.” – Jan Biniok

Grammarly: AI Writing and Grammar Checker — “When we first launched Grammarly, it was exclusively in our Grammarly editor, so users had to write directly into our web editor to get help with their writing. We realized there was so much more value in bringing Grammarly directly to where people write — in their browsers, on the sites they use every day for work and for school, and across 500,000 different apps and websites. Extensions became the natural way to meet people in their existing workflows rather than asking them to change how they already work, and it’s part of what makes Grammarly one of the top AI tools.” – Iryna Shamrai

Cisco Webex Extension — Companion extension for Cisco Webex Meetings or Webex App.

SponsorBlock – Skip Sponsorships on YouTube — “One of my favourite YouTube channels uploaded a video with a sponsor message that was deceptively placed into the video. It really made me frustrated. Then I had the idea that crowdsourcing sponsor timestamps could maybe just work.” – Ajay

ClearURLs — “The idea for the extension actually came up quite spontaneously during a lunch break at university. While studying computer science, a friend and I started talking about how frustrating all those tracking elements in URLs can be. We wondered if there was already a browser add-on that could automatically clean them up, but after some research we realized there really wasn’t anything like that out there.” – Kevin Röbert

The post Presenting 2025 Firefox Extension Developer Award Recipients appeared first on Mozilla Add-ons Community Blog.

by Alan Byrne at December 17, 2025 05:53 PM

Mozilla Thunderbird — Thunderbird Monthly Development Digest: November/December 2025

Hello again from the Thunderbird development team as we start to wind down for the holidays! Over the past several weeks, our sprints have been focused on delivery and consolidation to clear our plates for a fresh start in the New Year.

Following our successful in-person work-week to discuss all things protocol, we’ve brought Exchange support (EWS) to our Monthly release channel, completed much of the final phases of the Account Hub experience, and laid the groundwork for what comes next. Alongside this feature work, the team has spent a significant amount of time adapting to upstream platform changes and supported our Services colleagues as we prepared for wider rollout. It’s been a period of steady progress, prioritization, and planning for the next major milestones.

Exchange Email Support

Since the last update, we’re so happy to finally announce that Exchange support for email has shipped to the Monthly release channel, accompanied by supporting blog posts, documentation and some fanfare. In the weeks leading up to and following that release, the team focused on closing out priority items, addressing stability issues, and ensuring the experience scales well as more users add their EWS-based Exchange accounts.

Work completed during this period includes:

NTLM authentication support and related request queueing
Fixes for crashes related to DNS resolution after in-depth investigation and collaboration with platform teams
Improvements to folder operations such as Empty Trash via EmptyFolder
Password-on-send prompting
Continued hardening of account setup and message handling paths

In parallel, the team has begun work on Graph API support for email, which is now moving rapidly through its early stages, thanks in large part to the solid foundation laid for EWS. It’s so nice when a plan comes together

This work represents the next major milestone for Exchange support and will inform broader architectural refactoring planned for future phases.

The Exchange team also met in person to plan out upcoming milestones. These sessions allowed us to break down future work and begin early research and prototyping for:

Graph API-based email support
Architectural refactoring
Copy and move operations
Incoming and outgoing configuration improvements
Longer-term work on Graph API Calendar and Address Book integration

Keep track of our Graph API implementation here.

Account Hub

A major focus during this period was completing the Email Account Hub Phase 3 milestone, with the final bugs landing and remaining items either completed or moved into maintenance. This work was prioritized to improve the experience for users setting up new accounts, particularly Exchange accounts.

Notable improvements and fixes include:

Increased robustness of the detection and setup flow
Improvements to error handling and recovery during account setup
Continued work on the manual configuration flow, developed in close collaboration with the Design team
Uplifts to ensure key fixes reached Beta and Monthly releases
Addition of telemetry to help us understand potential UX problems and improvements

With the primary Phase 3 goals now complete, the team has been able to shift attention back to other front-end initiatives while continuing to refine the Account Hub experience through targeted fixes and polish.

Follow progress in the meta bugs for phase 3 and telemetry

Calendar UI Rebuild

Calendar UI work progressed more slowly during this period due to competing priorities (hiring!), in-person meetups and planned time off, but planning and groundwork continued and development back underway. The team:

Restarted sprint planning for upcoming milestones
Assigned tasks and estimated work for the next phase
Continued preparation for adopting Redux-based state management, recently vendored into the codebase
With Account Hub milestones now largely wrapped up, Calendar UI work is ramping back up as we move into the next development cycle.

Stay tuned to our milestones here:

Maintenance, Upstream adaptations, Recent Features and Fixes

Throughout this period, the team also spent a considerable amount of time responding to upstream changes that affected build stability, tests, and CI. Sheriffing remained challenging, with frequent tree breakages requiring investigation to distinguish upstream regressions from local changes. In addition to these items, we’ve been blessed with help from the larger development community to deliver a variety of improvements over the past two months.

A very special shout out to a new contributor who worked with our senior team to solve a 19-year old problem relating to unread folders. Interactions like this are fuel for our team and we’re incredibly grateful for the help.

Icon cleanup
High contrast mode theme changes
16-year old bug in virtual folder move
Help with migrating strings to modern Fluent – searchWidget, news, nsMsgDBView
and many more which are listed in release notes for beta.

If you would like to see new features as they land, and help us find some early bugs, you can try running daily and check the pushlog to see what has recently landed. This assistance is immensely helpful for catching problems early.

—

Toby Pilling

Senior Manager, Desktop Engineering

The post Thunderbird Monthly Development Digest: November/December 2025 appeared first on The Thunderbird Blog.

by Monica Ayhens-Madon at December 17, 2025 05:23 PM

This Week In Rust — This Week in Rust 630

This Week in Rust is openly developed on GitHub and archives can be viewed at this-week-in-rust.org. If you find any errors in this week's issue, please submit a PR.

Want TWIR in your inbox? Subscribe here.

Updates from Rust Community

Official

Project/Tooling Updates

Observations/Thoughts

Rust Walkthroughs

Miscellaneous

Crate of the Week

This week's crate is logos, a modern lexer generator.

Thanks to Sam O'Brien for the (partial self-)suggestion!

Please submit your suggestions and votes for next week!

Calls for Testing

An important step for RFC implementation is for people to experiment with the implementation and give feedback, especially before stabilization.

No calls for testing were issued this week by Rust, Cargo, Rust language RFCs or Rustup.

Let us know if you would like your feature to be tracked as a part of this list.

Call for Participation; projects and speakers

CFP - Projects

Always wanted to contribute to open-source projects but did not know where to start? Every week we highlight some tasks from the Rust community for you to pick and get started!

Some of these tasks may also have mentors available, visit the task page for more information.

No Calls for participation were submitted this week.

If you are a Rust project owner and are looking for contributors, please submit tasks here or through a PR to TWiR or by reaching out on Bluesky or Mastodon!

CFP - Events

Are you a new or experienced speaker looking for a place to share something cool? This section highlights events that are being planned and are accepting submissions to join their event as a speaker.

RustWeek 2026 | CFP closes 2025-12-31 | Utrecht, The Netherlands | 2026-05-19 - 2026-05-20
RustConf 2026 | CFP closes 2026-02-16 | Montreal, Quebec, Canada | 2026-09-08 - 2026-09-10

If you are an event organizer hoping to expand the reach of your event, please submit a link to the website through a PR to TWiR or by reaching out on Bluesky or Mastodon!

Updates from the Rust Project

482 pull requests were merged in the last week

Compiler

Library

Cargo

Clippy

Rust-Analyzer

Rust Compiler Performance Triage

This week we saw several regressions, partly from the compiler doing more work. The remaining regressions are being investigated.

Triage done by @kobzol. Revision range: 55495234..21ff67df

Summary:

(instructions:u)	mean	range	count
Regressions ❌ (primary)	0.5%	[0.1%, 5.1%]	40
Regressions ❌ (secondary)	0.8%	[0.0%, 3.0%]	63
Improvements ✅ (primary)	-0.7%	[-1.5%, -0.1%]	35
Improvements ✅ (secondary)	-1.0%	[-7.4%, -0.0%]	73
All ❌✅ (primary)	-0.1%	[-1.5%, 5.1%]	75

3 Regressions, 2 Improvements, 5 Mixed; 2 of them in rollups 36 artifact comparisons made in total

Full report here.

Approved RFCs

Changes to Rust follow the Rust RFC (request for comments) process. These are the RFCs that were approved for implementation this week: * Adding a crates.io Security tab

Final Comment Period

Every week, the team announces the 'final comment period' for RFCs and key PRs which are reaching a decision. Express your opinions now.

Tracking Issues & PRs

Rust

Rust RFCs

build-std: context

Cargo

feat(index): Stabilize pubtime

Leadership Council

Add alumni policy

No Items entered Final Comment Period this week for Compiler Team (MCPs only), Language Team, Language Reference or Unsafe Code Guidelines.

Let us know if you would like your PRs, Tracking Issues or RFCs to be tracked as a part of this list.

New and Updated RFCs

RFC: Open up your enum with an unnamed variant

Upcoming Events

Rusty Events between 2025-12-17 - 2026-01-14 🦀

Virtual

2025-12-17 | Virtual (Girona, ES) | Rust Girona
- Sessió setmanal de codificació / Weekly coding session
2025-12-17 | Hybrid (Vancouver, BC, CA) | Vancouver Rust
- Rust Study/Hack/Hang-out
2025-12-18 | Virtual (Berlin, DE) | Rust Berlin
- Rust Hack and Learn
2025-12-23 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Fourth Tuesday
2025-12-25 | Virtual (Nürnberg, DE) | Rust Nuremberg
- Rust Nürnberg online
2026-01-01 | Virtual (Berlin, DE) | Rust Berlin
- Rust Hack and Learn
2026-01-03 | Virtual (Kampala, UG) | Rust Circle Meetup
- Rust Circle Meetup
2026-01-07 | Virtual (Indianapolis, IN, US) | Indy Rust
- Indy.rs - with Social Distancing
2026-01-08 | Virtual (Charlottesville, VA, US) | Charlottesville Rust Meetup
- Meet, swap, and learn!
2026-01-08 | Virtual (Nürnberg, DE) | Rust Nuremberg
- Rust Nürnberg online
2026-01-13 | Virtual (Dallas, TX, US) | Dallas Rust User Meetup
- Second Tuesday

Asia

2025-12-20 | Bangalore, IN | Rust Bangalore
- December 2025 Rustacean meetup
2026-01-06 | Tel Aviv-yafo, IL | Rust 🦀 TLV
- In person Rust January 2026 at AWS in Tel Aviv

Europe

2025-12-18 | London, UK | London Rust Project Group
- gcc backend
2025-12-19 | Lyon, FR | Rust Lyon
- Rust Lyon Meetup #11
2026-01-07 | Girona, ES | Rust Girona
- Rust Girona Hack & Learn 01 2026
2026-01-08 | Geneva, CH | Post Tenebras Lab
- Rust Meetup Geneva
2026-01-14 | Reading, UK | Reading Rust Workshop
- Reading Rust Meetup

North America

2025-12-17 | Austin, TX, US | Rust ATX
- Rust Lunch - Fareground
2025-12-17 | Hybrid (Vancouver, BC, CA) | Vancouver Rust
- Rust Study/Hack/Hang-out
2025-12-17 | Spokane, WA, US | Spokane Rust
- Year-End Social Meetup w/ Python, Rust, and Others Local User Groups
2025-12-20 | Boston, MA, US | Boston Rust Meetup
- Back Bay Rust Lunch, Dec 20
2025-12-25 | Mountain View, CA, US | Hacker Dojo
- RUST MEETUP at HACKER DOJO
2026-01-08 | Mountain View, CA, US | Hacker Dojo
- RUST MEETUP at HACKER DOJO

If you are running a Rust event please add it to the calendar to get it mentioned here. Please remember to add a link to the event too. Email the Rust Community Team for access.

Jobs

Please see the latest Who's Hiring thread on r/rust

Quote of the Week

I allow my code to be used for training AI on GitHub. Not because I fear AI taking our jobs—but because I’m confident my code will slow it down enough to save us all.

– 王翼翔 on rust-users

Thanks to Moy2010 for the suggestion!

Please submit quotes and vote for next week!

This Week in Rust is edited by:

Email list hosting is sponsored by The Rust Foundation

Discuss on r/rust

by TWiR Contributors at December 17, 2025 05:00 AM

Tarek Ziadé — rustnn - a Python and Rust Implementation of W3C WebNN aimed at Firefox

Over the past few weeks, I’ve been working on rustnn, a Rust implementation of the W3C WebNN specification.

What started as an experiment to gain a deeper understanding of WebNN quickly grew into something more substantial: a working implementation that is now very close to being a usable library.

I began this project after returning from TPAC, convinced that WebNN is the future of AI in the browser, and that Firefox needs to catch up with the work that has already been done in Chromium.

We are likely still months away from matching the level of maturity Chromium has achieved over several years of development. However, in just a few weeks I was able to make significant progress thanks to a few key factors:

The WebNN specification is clear and well written
The WPT conformance and validation tests are comprehensive
End-to-end JavaScript demos exercise WebNN in realistic scenarios
Chromium’s implementation has already surfaced many of the hard problems

Claude Code

All of these factors made it surprisingly easy to build the library quickly using Claude Code. Once I had enumerated the 95 operators that needed to be implemented, the workflow for each one was essentially the same:

use the specification to understand the operator
grab the relevant WPT tests
implement the operator in the CoreML and ONNX converters
validate it against the ONNX and CoreML executors
move on to the next operator

Claude consistently performed well. I was able to build a library that would normally have taken me months to write on my own. When something failed, narrowing down the problem was straightforward by iterating between the specification and the tests.

Because most of the work revolves around graph conversion and orchestrating existing inference libraries, the code generated by Claude is generally clean and easy to reason about.

The Chromium implementation was also a huge help when I started to get into weird corner cases, especially around CoreML. That code base has been developed over the years with people directly involved in the spec.

I have started adding performance tests, and there will likely be some manual follow-up work, but reaching a functional implementation so quickly is already a major milestone.

Why Rust?

These days, adding a new API to Firefox usually means creating a Rust library that is vendored into the tree and bound to Gecko using cbindgen, unless there is an existing C++ library that already fits the need.

This gradual “oxidation” of Firefox started years ago, and major features such as WebGPU have followed this model. Gecko is still a large C++ codebase, and integrating a Rust library is not trivial, but implementing something like WebNN outside the browser engine has a major advantage: it allows a much broader community to contribute. We are already seeing the benefits of this approach with wgpu.

I am not going to rehash the Rust vs. C++ debate. There is no shortage of material on why Rust has become an attractive choice for systems programming.

My first instinct was to see whether Chromium’s WebNN implementation could be reused. In practice, that turned out to be impractical. The code is deeply intertwined with Blink and its IPC layers, making it very difficult to extract reusable components in a clean way.

We also evaluated webnn-native, a C++ implementation developed within the Web Machine Learning community. While promising, the project had been effectively stalled for about two years and lacked support for the most recent inference backends. Extending it was an option, but it quickly became clear that a fresh Rust implementation would be both faster to iterate on and a better architectural fit for Gecko.

In the end, this is good news for the Web and for WebNN. An independent implementation helps validate the specification, exposes ambiguities earlier, and ultimately makes the standard stronger.

Finally, building the core in Rust makes it trivial to expose a Python API on top of it, which opens the door to experimentation and adoption by the broader ML community.

The architecture

rustnn follows a key principle: graph compilation creates a platform-independent representation; backend conversion happens at execution time.

This follows the same logic as Chromium and is a great way to make sure we can add more backends in the future.

flowchart TD
  RustNN["RustNN"]

  WebNNGraph["WebNN Graph"]
  Executors["Executors"]

  Converter["Converter"]

  ONNXRuntime["onnx runtime"]
  CoreMLExec["CoreML"]
  TensorRT["TensorRT"]

  ONNXGraph["ONNX Graph"]
  CoreMLGraph["CoreML Graph"]

  RustNN --> WebNNGraph
  RustNN --> Executors

  WebNNGraph --> Converter
  Converter --> ONNXGraph
  Converter --> CoreMLGraph

  Executors --> ONNXRuntime
  Executors --> CoreMLExec
  Executors --> TensorRT

In the library, we do an initial pass on the WebNN graph to produce an intermediate representation, then we pick a converter to turn that graph into another graph that can run with an AI library. And there are executors that can run the graph using those external libraries.

This is a very powerful design. For instance, I am playing with the TensorRT-RTX library that can be used to efficiently run AI on NVIDIA GPUs and that library has full support for ONNX graphs. This means we can run networks in rustnn using the ONNX converter combined with the TensorRT executor.

CoreML, ONNX and TensorRT

I picked CoreML and ONNX as my first target runtimes because I work on a MacBook, and because they are both implemented in Chromium.

Chromium uses ONNX on Windows because that library now ships with the latest Windows 11, and it falls back to DirectML. It also has a CoreML implementation on macOS.

So I went ahead and built both CoreML and ONNX as converters and executors until I could make the image classification demo work with the Python binding.

Next, I started to add TensorRT as an executor for Windows with NVIDIA GPUs. That one is a work in progress because I have to work on another Windows computer and I am slower in that environment. But it’s technically already working. I started the trtx-rs Rust library to bind TensorRT, since the existing Rust binding was 5 years old.

PyWebNN

rustnn exposes a Python binding (PyWebNN) that implements the W3C WebNN API on top of the Rust core. You can use it for graph validation, conversion (ONNX/CoreML) and execution of neural networks.

Installation:

# Install from PyPI with bundled ONNX Runtime (v0.4.0+)
pip install pywebnn

# Or build from source with all backends (ONNX + CoreML)
git clone https://github.com/tarekziade/rustnn.git
cd rustnn
make python-dev
source .venv-webnn/bin/activate

Version 0.4.0+ includes bundled ONNX Runtime for immediate execution support. No additional dependencies needed!

This is a very small example adapted from the repo example examples/python_matmul.py.

It shows the minimal flow:

create an ML instance and context
create a graph builder
define two constant tensors
build a matmul node
compile the graph
run it

Note: Use accelerated=False for CPU-only execution, or accelerated=True with power_preference="high-performance" for GPU acceleration.

# PyWebNN — tiny matmul example
import numpy as np
import webnn

# 1) create ML instance and context (CPU execution here)
ml = webnn.ML()
ctx = ml.create_context(power_preference="default", accelerated=False)

# 2) build a simple graph: Y = A @ B
builder = ctx.create_graph_builder()
A = np.array([[1., 2.], [3., 4.]], dtype=np.float32)
B = np.array([[5., 6.], [7., 8.]], dtype=np.float32)

a = builder.constant(A)    # constant input A
b = builder.constant(B)    # constant input B
y = builder.matmul(a, b)   # matmul node

graph = builder.build({"output": y})  # compile the graph

# 3) run the graph and print result
result = ctx.compute(graph, {})  # returns dict of outputs
print("Y =", result["output"])

What happens:

ML() creates the entry point following the W3C WebNN spec
create_context() creates a runtime context (choose CPU/GPU/NPU where supported)
create_graph_builder() constructs the WebNN graph using familiar ops (constant, matmul, etc.)
build() compiles the graph with named outputs (dict format)
compute() runs it and returns the outputs as a dict

Firefox

Paul Adenot is currently extending the Firefox AI Runtime platform to add a new specialized process to run against GPUs for the WebSpeech implementation, and the WebNN API will use it when it’s added in the browser.

In the meantime I have built a patch that adds the WebNN JS API in Firefox and executes it directly in the content process, which is a big security hole.

But it was a good way to start figuring out all the pieces, in particular how to bind the Rust library into the C++ layer using cbindgen, and how to create the WebIDL interface to provide the JS API.

The current series of patches is just a proof of concept, but I already have a fully functional demo of all basic operators, and a clone of the WebNN JS MobileNetV2 image classifier demo — see the video.

The WebNN implementation spans six distinct layers:

JavaScript API Layer — Web-facing API (navigator.ml, MLContext, MLGraphBuilder, MLGraph, MLOperand, MLTensor)
WebIDL Layer — Interface definition language defining the JavaScript API surface
C++ DOM Implementation — Core implementation in dom/webnn/
Rust FFI Bridge — Foreign Function Interface in dom/webnn/rustnn_bridge/
rustnn Library — Rust implementation in third_party/rust/rustnn/
Backend — Platform-specific backend (ONNX Runtime, CoreML, etc.) for neural network execution with hardware acceleration

… and has the following flow:

Graph Building Phase:

Web content calls navigator.ml.createContext()
C++ creates backend context via Rust FFI (ONNX Runtime or CoreML depending on platform)
Web content creates MLGraphBuilder and defines operations
Each operation creates an MLOperand representing the result
Web content calls builder.build() with output operands
C++ serializes operations to JSON and calls Rust FFI
Rustnn converts the graph to backend-specific format (ONNX or CoreML)
Backend creates an optimized execution session
Graph ID is returned to web content as MLGraph

sequenceDiagram
  participant JS as "JavaScript"
  participant CPP as "C++ (MLGraphBuilder)"
  participant FFI as "Rust FFI Bridge"
  participant RUST as "Rustnn Library"

  JS->>CPP: createContext()
  CPP->>FFI: rustnn_context_create()
  FFI->>RUST: Context::new()
  RUST-->>FFI: Context handle
  FFI-->>CPP: context_id
  CPP-->>JS: MLContext

  JS->>CPP: new MLGraphBuilder(context)
  CPP-->>JS: MLGraphBuilder

  JS->>CPP: input("x", shape, dataType)
  CPP-->>JS: MLOperand

  JS->>CPP: add(a, b)
  CPP-->>JS: MLOperand

  JS->>CPP: build({ output: operand })
  CPP->>FFI: rustnn_graph_build(ops_json)
  FFI->>RUST: GraphBuilder::build()

  Note right of RUST: Convert to backend format
  Note right of RUST: Create backend session

  RUST-->>FFI: Graph handle
  FFI-->>CPP: graph_id
  CPP-->>JS: MLGraph

Inference Phase:

Web content calls context.compute(graph, inputs, outputs)
C++ marshals input data and calls Rust FFI with graph ID
Rustnn retrieves the backend session and prepares input tensors
Backend (ONNX Runtime or CoreML) executes the computational graph
Hardware acceleration is automatically utilized when available
Output tensors are returned through Rust FFI
C++ copies output data to JavaScript-provided buffers
Promise resolves, indicating inference completion

sequenceDiagram
  participant JS as "JavaScript"
  participant CPP as "C++ (MLContext)"
  participant FFI as "Rust FFI Bridge"
  participant RUST as "Rustnn Library"
  participant BE as "Backend (ONNX/CoreML)"

  JS->>CPP: compute(graph, inputs, outputs)
  CPP->>FFI: rustnn_graph_compute(graph_id, inputs, outputs)
  FFI->>RUST: Graph::compute()
  RUST->>BE: session.run()

  Note right of BE: Execute operations

  BE-->>RUST: Output tensors
  RUST-->>FFI: Results
  FFI-->>CPP: Output data
  CPP-->>JS: Promise resolves

Again, this is not the final design since we need to run inference in a separate process and have an IPC layer between the C++ code and the Rust bridge.

Conclusion

rustnn started as a way for me to really understand WebNN, but it quickly turned into a convincing proof that the specification is solid, implementable, and ready to grow beyond a single browser engine. Having an independent implementation is healthy for the Web, and rustnn shows that WebNN can be built as a reusable, backend-agnostic library rather than something deeply tied to a single browser architecture.

This project is also my first substantial experience with Claude Code, and it fundamentally changed the pace at which I could work. Implementing nearly a hundred operators, wiring multiple backends, and validating everything against WPT would normally be a multi-month effort. With a strong spec, good tests, and a capable AI agent, it became an iterative and surprisingly enjoyable process. The result is not throwaway code, but a clean foundation that can be extended, optimized, and reviewed by others.

I am very optimistic about WebNN’s future in Firefox and on the Web in general. With rustnn and pywebnn, my hope is to make it easier for browser engineers, ML practitioners, and researchers to experiment, contribute, and push the ecosystem forward. There is still a lot to do, especially around performance, security, and process isolation, but the path forward is now much clearer.

Resources

by Tarek Ziade at December 17, 2025 12:00 AM

December 16, 2025

Mozilla Attack & Defense — Attempting Cross Translation Unit Taint Analysis for Firefox

Preface

Browser security is a cutting edge frontier for exploit mitigations, addressing bug classes holistically, and identifying vulnerabilities. Not everything we try works, and we think it’s important to document our shortcomings in addition to our successes. A responsible project uses all available tools to find bugs and vulnerabilities before you ship. Besides many other tools and techniques, Firefox uses Clang Tidy and the Clang Static Analyzer, including many customized checks for enforcing the coding conventions in the project. To extend these tools, Mozilla contacted Balázs, as one of the maintainers of the Clang Static Analyzer, to help address problems encountered when exploring Cross Translation Unit (CTU) Static Analysis. Ultimately, we weren’t able to make as much headway with this project as we hoped, but we wanted to contribute our experience to the community and hopefully inspire future work. Be warned, this is a highly technical blog post.

The following sections describe some fundamental concepts, such as taint analysis, CTU, the Clang Static Analyzer engine. This will be followed by the problem statement and the solution. Finally, some closing words.

Disclaimer: The work described here was sponsored by Mozilla.

Static Analysis Fundamentals

Taint analysis

Vulnerabilities often root from using untrusted data in some way. Data from such sources is called “tainted” in static analysis, and “taint analysis” is the technique that tracks how such “tainted” values propagate or “flow” throughout the program.

In short, “Taint sources” introduce a flow, such as reading from a socket. If a tainted value reaches a “taint sink” then we should report an error. These “sources” and “sinks” are often configurable.

A YAML configuration file can be used with the Clang Static Analyzer configuring the taint rules.

Cross Translation Unit (CTU) analysis

The steps involved in bugs or vulnerabilities might cross file boundaries. Conventional static analysis tools that operate on a translation-unit basis would not find the issue. Luckily, the Clang Static Analyzer offers CTU mode that loads the relevant pieces of the required translation units to enhance the contextual view of the analysis target, thus increasing the covered execution paths. Running CTU needs a bit of setup, but luckily tools like scan-build or CodeChecker have built-in support.

Path-sensitive analysis

The Clang Static Analyzer implements a path-sensitive symbolic execution. Here is an excellent talk but let us give a refresher here.

Basically, it interprets the abstract syntax tree (AST) of the analyzed C/C++ program and builds up program facts statement by statement as it simulates different execution paths of the program. If it sees an if statement, it splits into two execution paths: one where the condition is assumed to be false, and another one where it’s assumed to be true. Loops are handled slightly differently, but that’s not the point of this post today.

When the engine sees a function call, it will jump to the definition of the callee (if available) and continue the analysis there with the arguments we had at the call-site. We call this “inlining” in the Clang Static Analyzer. This makes this engine inter-procedural, in other words, reason across functions. Of course, this only works if it knows the callee. This means that without knowing the pointee of a function pointer or the dynamic type of a polymorphic object (that has virtual functions), it cannot “inline” the callee, which in turn means that the engine must conservatively relax the program facts it gathered so far because they might be changed by the callee.

For example, if we have some allocated memory, and we pass that pointer to such a function, then the engine must assume that the pointer was potentially released, and not raise leak warnings after this point.

The conclusion here is that following the control-flow is critical, and virtual functions limit our ability to reason about this if we don’t know the dynamic type of objects.

So, taint analysis for Firefox?

Firefox has a lot of virtual functions!

We discussed that control-flow is critical for taint analysis, and virtual functions ruin the control-flow. A browser has almost every code pattern you can imagine, and it so happens that many of the motivating use cases for this analysis involve virtual functions that also happen to cross file boundaries.

Once upon a time…

It all started by Tom creating a couple of GitHub issues, like #114270 (which prompted a couple smaller fixes that are not the subject of this port), and #62663.

This latter one was blocked by not being able to follow the callees of virtual functions, kicking off this whole subject and the prototype.

Plotting against virtual functions

The idea

Let’s just look at the AST and build the inheritance graph. After that, if we see a virtual call to data(), we could check who overrides this method.

Let’s say only class A and B overrides this method in the translation unit. This means we could split the path into 2 and assume that on one path we call A::data() and on the other one B::data().

// class A... class B deriving from Base
void func(Base *p) {
  p->data(); // ‘p’ might point to an object A or B here.
}

This looks nice and simple, and the core of the idea is solid. However, there are a couple of problems:

One translation unit (TU) might define a class Derived, overriding data(), and then pass a Base pointer to the other translation unit. And when that TU is analyzed, it shouldn’t be sure that only class A and B overrides data() just because it didn’t see Derived from the other TU. This is the problem with inheritance, which is an “open-set” relation. One cannot be sure to see the whole inheritance graph all at once.
It’s not only that Derived might be in a different TU, but it might be in a 3rd party library, and dynamically loaded at runtime. In this case, assuming a finite set of callees for a virtual function would be wrong.

Refining the idea

Fixing problem (2) is easy, as we should just assume that the list of potential callees always has an extra unknown callee, to have an execution path where the call is conservatively evaluated and do the invalidations - just like before.

Fixing problem (1) is more challenging because we need whole-program analysis. We need to create the inheritance graphs of each TU and then merge them into a unified graph. Once we’ve built that, we can run the Clang Static Analyzer and start reasoning about the overriders of virtual functions in the whole project. Consequently, in the example we discussed before, we would know that class A, B and (crucially) Derived overrides data(). So after the call, we would have 4 execution paths: A, B, Derived and the last path is for the unknown case (like potentially dynamically loading some library that overrides this method).

It sounds great, but does it work?

It does! The analysis gives a list of the potential overriders of a virtual function. The Clang Static Analyzer was modified to do the path splits we discussed and remember the dynamic type constraints we learn on the way. There is one catch though.

Some taint flows cross file boundaries, and the Clang Static Analyzer has CTU to counter this, right?

CTU uses the “ASTImporter”, which is known to have infinite recursion, crashes and incomplete implementation in terms of what constructs it can import. There are plenty of examples, but one we encountered was #123093.

Usually fixing one of these is time consuming and needs a deep understanding of the ASTImporter. And even if you fix one of these, there will be plenty of others to follow.

This patch for “devirtualizing” virtual function calls didn’t really help with the reliability of the ASTImporter. As the interesting taint flows cross file boundaries, the benefits of this new feature are unfortunately limited by the ASTImporter for Firefox.

Is it available in the Clang Static Analyzer already?

Unfortunately no, and as the contract was over, it is unlikely that these patches would merge upstream without others splitting up the patches and doing the labor of proposing them upstream. Note that this whole program analysis is a brand new feature and it was just a quick prototype to check the viability.

Upstreaming would likely also need some wider consensus about the design.

Apparently, whole-project analyses could be important for other domains besides bug-finding, such as code rewriting tools, which was the motivation for a recently posted RFC. The proposed framework in that RFC could potentially also work for the use-case described in this blog post, but it’s important to highlight that this prototype was built before that RFC and framework, consequently it’s not using that.

Balázs shared that working on the prototype was really motivating at first, but as he started to hit the bugs in the ASTImporter - effectively blocking the prototype - development slowed down. All in all, the prototype proved that using project-level information, such as “overriders”, could enable better control-flow modeling, but CTU analysis as we have it in Clang today will show its weaknesses when trying to resolve those calls. Without resolving these virtual calls, we can’t track taint flows across file boundaries in the Clang Static Analyzer.

What does this mean for Firefox?

Not much, unfortunately. If the ASTImporter would work as expected, then finalizing the prototype would meaningfully improve taint analysis on code using virtual functions.

You can find the source code at Balázs’ GitHub repo as steakhal/llvm-project/devirtualize-for-each-overrider, which served well for exploring and rapid prototyping but it is far from production quality.

Bonus: We need to talk about the ASTImporter

From the cases Balázs looked at, it seems like qualified names, such as std in std::unique_ptr for example, will trigger the import of a std DeclContext, which in turn triggers the import of all the declarations within that lexical declaration context. In other words, we start importing a lot more things than strictly necessary to make the std:: qualification work. This in turn increases the chances of hitting something that causes a crash or just fails to import, poisoning the original AST we wanted to import into. This is likely not how it should work, and might be a good subject to discuss in the future.

Note that the ASTImporter can be configured to do so-called “minimal imports” which is probably what we should have for the Clang Static Analyzer, however, this is not set, and setting it would lead to even more crashes. Balázs didn’t investigate this further, but it might be something to explore in the future.

by Balázs Benics, Tom Ritter, Frederik Braun at December 16, 2025 09:06 AM

Tarek Ziadé — All I Want for Christmas is a Better Alt Text – Part 2

In Part 1, I explained why high-quality alt text matters, how modern vision–language models can help, and why balanced, carefully curated datasets are essential for training.

In this second part, I focus on architecture. I explain why I decided to move away from my initial design, what I learned from that first implementation, and why I ultimately settled on a prefix-conditioning + LoRA approach.

This choice is driven by practical constraints. For alt-text generation, the goal is not exhaustive visual understanding, but a short, reliable sentence that conveys the essence of an image to visually impaired users. Within that scope, prefix conditioning offers a much simpler model that is easier to train, easier to deploy, and better aligned with accessibility requirements.

More broadly, the PDF.js alt-text project aims to explore how far we can push small, efficient vision–language models for accessibility use cases. Rather than optimizing for peak benchmark scores, the focus is on reliability, fast iteration cycles, limited compute, and deployable models.

DistilViT is intentionally constrained. Smaller models, fewer trainable parameters, and simpler architectures make it possible to experiment rapidly, control bias more carefully through dataset curation, and realistically target on-device or near-device inference scenarios.

What I started with: a classic encoder–decoder model

My first implementation relied on Hugging Face’s VisionEncoderDecoderModel. Concretely, it paired:

a ViT-based vision encoder, and
a GPT-2–style decoder (distilgpt2),

trained end-to-end using Seq2SeqTrainer.

Conceptually, the architecture looked like this:

flowchart TD
    A[Image] --> B["Vision Encoder (ViT)"]
    B --> C[Encoder hidden states]
    C -->|Cross-attention| D["Decoder (GPT-2)"]
    D --> E[Caption]

This worked. GPT-2 generated captions, and the system was usable. I was inspired by The Illustrated Image Captioning Using Transformers, followed that recipe, and reduced the decoder size by using a distilled version of GPT-2.

What I did not fully appreciate at the time was what choosing GPT-2 implied under the hood.

Unlike T5 or BART, GPT-2 is a decoder-only language model. In its original architecture, it does not support cross-attention or encoder hidden states.

So why did this setup work?

Because VisionEncoderDecoderModel.from_encoder_decoder_pretrained() wraps GPT-2 and injects cross-attention layers. This effectively converts GPT-2 into a seq2seq-style decoder by adding encoder–decoder attention blocks and routing the vision encoder outputs through them.

That distinction matters. These cross-attention layers are initialized from scratch, require substantial training signal, and introduce additional state to manage at inference time. Exporting the model and handling caching also become more complex.

This approach is valid, but it turned out to be architecturally heavier than expected for the scale and goals of this project. Training was slower, GPU memory usage was higher, and deployment friction increased.

Models like T5 or BART avoid this injection step because they already contain pretrained cross-attention blocks. However, those blocks were trained to attend to text encoder states and still require fine-tuning to adapt properly to vision features.

At that point, I started looking for an alternative and came across prefix conditioning.

Cross-attention vs prefix conditioning

It is worth stepping back and comparing these two approaches without framing one as universally superior.

Cross-attention gives the decoder continuous access to visual features at every generation step. This is extremely powerful for tasks that require fine-grained spatial grounding, OCR, counting, or reasoning over multiple regions in an image.

Prefix conditioning, by contrast, injects visual information once, as a sequence of projected vision tokens prepended to the text embeddings at the beginning of the text. After that, the model relies entirely on standard self-attention.

This leads to clear trade-offs:

Cross-attention provides stronger and more precise grounding.
Prefix conditioning trades some of that precision for architectural simplicity.

For my use case, this trade-off is appropriate. The goal of alt text here is not to enumerate details or perform spatial reasoning, but to produce a single, concise sentence that conveys the overall content of an image to visually impaired users. Captions are short, factual, and descriptive, and they primarily require global visual context rather than continuous visual querying.

Under these conditions, prefix conditioning is often sufficient, while being far easier to train, debug, and deploy than a full encoder–decoder setup.

Prefix conditioning with LoRA

The architecture I use now looks like this:

flowchart TD
    A[Image] --> B["SigLIP Vision Encoder (frozen)"]
    B --> C["Projection Head (Linear / MLP)"]
    C --> D[Vision embeddings as prefix tokens]
    D --> E[Decoder-only LM with LoRA]
    E --> F["Caption (25–30 tokens)"]

Instead of asking the decoder to attend to an encoder, I inject the visual information directly into the decoder’s input space as prefix tokens.

No cross-attention
No encoder–decoder coupling
Just conditioning

The language model only needs standard causal self-attention. Any decoder-only LLM works out of the box, without architectural changes or special forward signatures.

This restores flexibility. I can swap language models freely without touching the vision side.

I apply LoRA adapters to the language model’s attention projection matrices.

The base language model remains frozen
The vision encoder remains frozen
Only the projection head and LoRA adapters are trained

In practice, this means:

~221M total parameters
~2.2M trainable parameters
Roughly 1 percent of the model updated

Training is faster, more stable, and far less memory-intensive. The risk of overfitting drops significantly when working with small datasets.

Deployment also becomes simpler.

The vision encoder exports cleanly to ONNX
The projection head is trivial
The decoder is a standard causal LM with past key values

There is no cross-attention graph, no encoder cache plumbing, and no exotic export logic. ONNX Runtime becomes a realistic target instead of a constant source of friction.

Summary

Cross-attention remains a powerful and sometimes necessary tool. For this project, however, it added complexity without delivering better alt text.

Prefix conditioning gives me:

a simpler architecture
faster iteration
better tooling compatibility
easier deployment
freedom to use modern decoder-only models

Initial experiments show that the new architecture produces alt text of comparable quality to the previous one, with only a 1 to 2 percent CLIP score difference when trained on the same datasets. The key difference is training speed, which is roughly five times faster.

Next, my goal is to surpass DistilViT’s current quality by improving the training dataset, while keeping an architecture that is simple, fast to train, and flexible enough to accommodate future decoder models.

References

Mokady et al., ClipCap: CLIP Prefix for Image Captioning, 2021
Li & Liang, Prefix-Tuning: Optimizing Continuous Prompts for Generation, 2021
Hu et al., LoRA: Low-Rank Adaptation of Large Language Models, 2021
Hugging Face, VisionEncoderDecoderModel documentation

Useful Links

by Tarek Ziade at December 16, 2025 12:00 AM

The Rust Programming Language Blog — Project goals update — November 2025

Flagship goals

"Beyond the `&`"

Continue Experimentation with Pin Ergonomics (rust-lang/rust-project-goals#389)

Progress
Point of contact	Frank King
Champions	compiler (Oliver Scherer), lang (TC)
Task owners	Frank King

1 detailed update available.

Comment by @frank-king posted on 2025-11-21:

Status update:

[x] pattern matching support of &pin const|mut T types, merged.
[x] &pin pattern and ref pin mut binding mode, merged.
[ ] Drop::pin_drop, waiting for review (new updates since the last review).
- Unresolved question: the current implementation requires changing the src/docs/book submodule, but the top repo and the sub repo must be changed together to pass the CI tests in both repos. It's because a default body is added to Drop::drop and it becomes a provided method instead of a required method in rustdoc. Is there any way to avoid that? (Possibly keep rustdoc treating Drop::drop as a required method?)
[ ] coercion between &pin const|mut T and &{mut} T, waiting for review (fresh).

Design a language feature to solve Field Projections (rust-lang/rust-project-goals#390)

Progress
Point of contact	Benno Lossin
Champions	lang (Tyler Mandry)
Task owners	Benno Lossin

TL;DR.

We have made lot's of progress with the novel place-based proposal made by @Nadrieril. Since the last update, he released his idea as a blog post and have had an immense amount of discussions on Zulip. There are still many open questions and problems left to solve. If you have any ideas, feel free to share them on Zulip.
At the beginning of this month, we explored moving projections and &own. We also looked into reducing the number of projection traits.
The PR https://github.com/rust-lang/rust/pull/146307 has been stale for this month, but will be picked up again in December.

3 detailed updates available.

Comment by @BennoLossin posted on 2025-11-01:

Moving Projections and `&own`

Moving projections are a third kind of projection that already exists in Rust today for Box as well as any local variable holding a struct. While we won't be including it in an MVP, we still want to make sure that we can extend the language with moving projections. Here is an example with Box:

fn destructure_box(mut b: Box<Struct>) -> Box<Struct> {
    let f1 = b.f1;
    b.f1 = F1::new();
    b
}

This projection moves the field out of the box, invalidating it in the process. To make it valid again, a new value has to be moved in for that field. Alternatively, the partially valid box can be dropped, this will drop all other fields of Struct and then deallocate the Box. Note that this last property is implemented by compiler magic today and moving projections would allow this special behavior for Box to be a library implementation instead.

To make this kind of projection available for all types, we can make it a proper operation by adding this trait:

pub unsafe trait ProjectMove: Projectable {
    type OutputMove<'a, F: Field<Base = Self::Target>>;
    
    unsafe fn project_move<'a, F: Field<Base = Self::Target>>(
        this: *mut Self,
    ) -> Self::OutputMove<'a, F>;
    
    unsafe fn drop_husk(husk: *mut Self);
}

Importantly, we also need a drop_husk function which is responsible for cleaning up the "husk" that remains when all fields have been move-projected. In the case of Box, it deallocates the memory. So for Box we could implement this trait like this:

impl<T> ProjectMove for Box<T> {
    type OutputMove<'a, F: Field<Base = T>> = F::Type;

    unsafe fn project_move<'a, F: Field<Base = T>>(
        this: *mut Self,
    ) -> F::Type {
        let ptr = unsafe { (*this).0.pointer.as_ptr() };
        ptr::read(unsafe {
            <*const T as Project>::project::<'a, F>(&raw const ptr)
        })
    }

    unsafe fn drop_husk(husk: *mut Self) {
        // this is exactly the code run by `Box::drop` today, as the compiler
        // drops the `T` before `Box::drop` is run.
        let ptr = (*husk).0;
        unsafe {
            let layout = Layout::for_value_raw(ptr.as_ptr());
            if layout.size() != 0 {
                (*husk).1.deallocate(From::from(ptr.cast()), layout);
            }
        }
    }
}

To support moving back into a value we have two options:

Add a ProjectMoveBack trait that declares an operation which accepts a value that is moved back into the projected one, or
Add &own references.

Until now, we have explored the second option, because there are lot's of other applications for &own.

`&own` References

A small interlude on &own references.

An &'a own T is a special kind of exclusive reference that owns the value it points to. This means that if you drop an &own T, you also drop the pointee. You can obtain an &own T by constructing it directly to local variable &own my_local or by deriving it from an existing &own via field projections. Smart pointers generally also allow creating &own T from &own SmartPtr<T>.

One important difference to &mut T is that &own is not only temporally unique (i.e. there are no other references to that value not derived from it) but also unique for that value. In other words, one can create at most one &own T to a local variable.

let mut val = Struct { ... };
let x = &own val; //~ HELP: ownership transferred here
drop(x);
let y = &own val; //~ ERROR: cannot own `val` twice

Since the drop(x) statement drops val, the borrow checker must disallow any future access. However, we are allowed to move a value back into the memory of val:

let mut val = Struct { ... };
let x = &own val;
drop(x);
val = Struct { ... };
let y = &own val;

The lifetime 'a in &'a own T is that of the backing memory. It means that when 'a expires, the memory also is no longer valid (or rather it cannot be proven that it is valid after 'a). For this reason an &'a own T has to be dropped (or forgotten) before 'a expires (since after that it cannot be dropped any more).

&own T itself supports moving projections (another indicator that having them is a good idea). However only for types that don't implement Drop (similar to normal struct destructuring -- there are also talks about lifting this requirement, but no new issues arise from projecting &own).

`&own` and pinning

To make &pin own T with !(T: Unpin) sound in the face of panics, we have to add drop flags or have unforgettable types. We explored a design using drop flags below; there are separate efforts to experimenting with a Leak/Forget trait ongoing, I think it might be a better solution than drop flags at least for &own.

We need drop flags to ensure the drop guarantee of pinned values. The drop flag will be stored when the original &own is created and it will live on the stack of the function that created it. They are needed for the following scenario:

fn foo() {
    let x = Struct { ... };
    bar(&pin own x);
}

fn bar(x: &pin own Struct) {
    if random() {
        std::mem::forget(x);
    }
    if random() {
        panic!()
    }
}

Since x is pinned on the stack, it needs to be dropped before foo returns (even if it unwinds). When bar forgets the owned reference, the destructor is not run, if it now panics, the destructor needs to be run in foo. But since it gave away ownership of x to bar, it is possible that bar already dropped x (this is the case when the first random() call returns false). To keep track of this, we need a drop flag in the stack frame of foo that gets set to true when x is dropped.

There are several issues with drop flags:

we can't have &'static own T pointing to non-static values (for example coming from a Box::leak_owned function).
field projections complicate things: if we project to a field, then we could possibly forget one field, but drop another
- solution: just store drop flags not only for the whole struct, but also all transitive fields that implement Drop
there is different behavior between &own T and &pin own T, the former can be forgotten and the destructor will not run, the latter can also be forgotten, but the destructor runs regardless.

This last point convinces me that we actually want &pin own T: !Leak when T: !Leak; but IIUC, that wouldn't prevent the following code from working:

fn main() { 
    let x = Struct { ... };
    let x = &pin own x;
    Box::leak(Box::new(x));
}

`DerefMove`

The DerefMove operation & trait is something that has been discussed in the past (I haven't dug up any discussions on it though). It is the analogous operation of &own to Deref. We need to figure out the hierarchy wrt. Deref and DerefMut, but ignoring that issue for the moment, here is how DerefMove would look like:

trait DerefMove: DropHusk {
    trait Target: ?Sized;

    fn deref_move(&own self) -> &own Self::Target;
}

Note the super trait requirement DropHusk -- it provides a special drop operation for Self when the &own Self::Target reference has been dropped. Box<T> for example would deallocate the backing memory via DropHusk. Its definition looks like this:

pub unsafe trait DropHusk {
    unsafe fn drop_husk(husk: *mut Self);
}

We would of course also use this trait for ProjectMove. Implementing DropHusk on its own does nothing; implementing DerefMove or ProjectMove will make the compiler call drop_husk instead of Drop::drop when the value goes out of scope after it has been projected or DerefMove::deref_move has been called.

We observed that DerefMove is a lot more restrictive in its usability than Deref--- and we need projections to make it actually useful in the common case. The reason for this is that &own can only be created once, but one would like to be able to create it once per field (which is exactly what moving projections allow). Consider this example:

let b = Box::new(Struct { ... });
let field1 = &own b.field1; // desugars to `DerefMove::deref_move`
let field2 = &own b.field2; //~ ERROR: cannot own `b` twice

The "cannot own `b` twice error comes from the way the deref desugaring works:

let b = Box::new(Struct { ... });
let field1 = &own DerefMove::deref_move(&own b).f1;
let field2 = &own DerefMove::deref_move(&own b).f2;
//                                       ^^^ ERROR: cannot own `b` twice

Now it's clear that we're trying to create two &own to the same value and that can't work (the issue also arises for &mut, but that already is covered by ProjectExclusive).

We can write this instead:

let b = Box::new(Struct { ... });
let b = &own b;
let field1 = &own b.field1;
let field2 = &own b.field2;

But that's cumbersome.

We also note that ProjectMove is the correct projection for ArcRef, as it avoids any additional refcount updates. We can rely on the ergonomic refcounting proposal to provide ergonomic ways to clone the value & perform more projections.

Comment by @BennoLossin posted on 2025-11-02:

Having a single `Project` trait

The definition of the now 3 Project* traits are 100% verbatim the same (modulo renaming of course), so we spent some time trying to unify them into a single trait. While we cannot get rid of having to have three traits, we can merge them into a single one by adding a generic:

#[sealed]
pub trait ProjectKind {
    type Ptr<T: ?Sized>;
}

pub enum Shared {}
pub enum Exclusive {}

impl ProjectKind for Shared {
    type Ptr<T: ?Sized> = *const T;
}

impl ProjectKind for Exclusive {
    type Ptr<T: ?Sized> = *mut T;
}

pub trait Projectable {
    type Target;
}

pub unsafe trait Project<Kind: ProjectKind>: Projectable {
    type Output<'a, F: Field<Base = Self::Target>>;

    unsafe fn project<'a, F: Field<Base = Self::Target>>(
        this: Kind::Ptr<Self>,
    ) -> Self::Output<'a, F>;
}

We would need some more compiler magic to ensure that nobody implements this trait generically, so impl<K> Project<K> for MyType, to keep our approach extensible (this could be an attribute if it is also useful in other cases #[rustc_deny_generic_impls]).

The benefit of merging the definitions is that we only have one single trait that we need to document and we could also add documentation on the ProjectKind types. There are also ergonomic downsides, for example all output types are now called Output and thus need to be fully qualified if multiple projection impls exist (<MyType as Project<Exclusive>>::Output<'_, F> vs MyType::OutputExclusive<'_, F>).

To make this proposal compatible with moving projections, we also either need more compiler magic to ensure that if Kind = Move we require Self: DropHusk. Or we could use associated traits and add one to ProjectKind that's then used in Project (Kind = Shared would then set this to Pointee).

This approach also makes me think a bit more about the syntax, if we discover more projections in the future, it might make sense to go for an extensible approach, like @keyword expr{->,.@,.,~}ident (so for example @move x->y or @mut x.y).

Comment by @BennoLossin posted on 2025-11-06:

A new Perspective: Projections via Places

@Nadrieril opened this zulip thread with the idea that "The normal rust way to reborrow a field uses places". He then proceeded to brainstorm a similar design for field projections with a crucial difference: making places the fundamental building block. We had a very long discussion in that thread (exchanging the existing ideas about field projection and the novel place-involving ones) that culminated in this awesome writeup by @Nadrieril: https://hackmd.io/[@Nadrieril][]/HJ0tuCO1-e. It is a very thorough document, so I will only be able to summarize it partially here:

instead of the Project* traits, we have the Place* traits which govern what kind of place operations are possible on *x given x: MySmartPtr, those are reading, writing and borrowing.
we can allow custom smart pointer reborrowing possibly using the syntax @MySmartPtr <place-expr>
we need multi-projections to allow simultaneous existence of &mut x.field.a and &mut x.field.b

We still have many things to flesh out in this proposal (some of these pointed out by @Nadrieril):

how do FRTs still fit into the equation? And what are the types implementing the Projection trait?
What do we do about non-indirected place containers like MaybeUninit<T>, UnsafeCell<T> and ManuallyDrop<T>?
does BorrowKind work as a model for the borrow checker?
how do we make match ergonomics work nicely?
how do we get around the orphan rule limitations?
several smaller issues/questions...

This is a very interesting viewpoint and I'm inclined to make this the main proposal idea. The traits are not too different from the current field projection design and the special borrow checker behavior was also intended at least for the first level of fields. So this is a natural evolution of the field projection proposal. Thanks a lot to @Nadrieril for the stellar writeup!

Reborrow traits (rust-lang/rust-project-goals#399)

Progress
Point of contact	Aapo Alasuutari
Champions	compiler (Oliver Scherer), lang (Tyler Mandry)
Task owners	Aapo Alasuutari

1 detailed update available.

Comment by @aapoalas posted on 2025-11-11:

We've worked towards coherence checking of the CoerceShared trait, and have come to a conclusion that (at least as a first step) only one lifetime, the first one, shall participate in reborrowing. Problems abound with how to store the field mappings for CoerceShared.

"Flexible, fast(er) compilation"

build-std (rust-lang/rust-project-goals#274)

Progress
Point of contact	David Wood
Champions	cargo (Eric Huss), compiler (David Wood), libs (Amanieu d'Antras)
Task owners	Adam Gemmell, David Wood

1 detailed update available.

Comment by @davidtwco posted on 2025-11-22:

Our first RFC - rust-lang/rfcs#3873 - is in the FCP process, waiting on boxes being checked. rust-lang/rfcs#3874 and rust-lang/rfcs#3875 are receiving feedback which is being addressed.

Production-ready cranelift backend (rust-lang/rust-project-goals#397)

Progress
Point of contact	Folkert de Vries
Champions	compiler (bjorn3)
Task owners	bjorn3, Folkert de Vries, [Trifecta Tech Foundation]

No detailed updates available.

Promoting Parallel Front End (rust-lang/rust-project-goals#121)

Progress
Point of contact	Sparrow Li
Task owners	Sparrow Li

No detailed updates available.

Relink don't Rebuild (rust-lang/rust-project-goals#400)

Progress
Point of contact	Jane Lusby
Champions	cargo (Weihang Lo), compiler (Oliver Scherer)
Task owners	@dropbear32, @osiewicz

1 detailed update available.

Comment by @yaahc posted on 2025-11-21:

linking this here so people know why there hasn't been any progress on this project goal.

#t-compiler > 2025H2 Goal Review @ 💬

"Higher-level Rust"

Ergonomic ref-counting: RFC decision and preview (rust-lang/rust-project-goals#107)

Progress
Point of contact	Niko Matsakis
Champions	compiler (Santiago Pastorino), lang (Niko Matsakis)
Task owners	Niko Matsakis, Santiago Pastorino

2 detailed updates available.

Comment by @nikomatsakis posted on 2025-11-05:

Three new blog posts:

The most important conclusions from those posts are

Explicit capture clauses would be useful, I proposed one specific syntax but bikeshedding will be required. To be "ergonomic" we need the ability to refer to full places, e.g., move(cx.foo.clone()) || use(cx.foo).
We should consider Alias or Share as the name for Handle trait; I am currently leaning towards Alias because it can be used as both a noun and a verb and is a bit more comparable to clone -- i.e., you can say "an alias of foo" just like you'd say "a clone of foo".
We should look for solutions that apply well to clone and alias so that higher-level Rust gets the ergonomic benefits even when cloning "heavier-weight" types to which Alias does not apply.

Comment by @nikomatsakis posted on 2025-11-12:

New blog post:

https://smallcultfollowing.com/babysteps/blog/2025/11/10/just-call-clone/

Exploring one way to make things more ergonomic while remaining explicit, which is to make .clone() and .alias() (1) understood by move closure desugaring and (2) optimized away when redundant.

Stabilize cargo-script (rust-lang/rust-project-goals#119)

Progress
Point of contact	Ed Page
Champions	cargo (Ed Page), lang (Josh Triplett), lang-docs (Josh Triplett)
Task owners	Ed Page

1 detailed update available.

Comment by @epage posted on 2025-11-21:

Key developments

rust-lang/rust#148051

Blockers:

rustdoc deciding on and implementing how they want frontmatter handled in doctests

"Unblocking dormant traits"

Evolving trait hierarchies (rust-lang/rust-project-goals#393)

Progress
Point of contact	Taylor Cramer
Champions	lang (Taylor Cramer), types (Oliver Scherer)
Task owners	Taylor Cramer, Taylor Cramer & others

No detailed updates available.

In-place initialization (rust-lang/rust-project-goals#395)

Progress
Point of contact	Alice Ryhl
Champions	lang (Taylor Cramer)
Task owners	Benno Lossin, Alice Ryhl, Michael Goulet, Taylor Cramer, Josh Triplett, Gary Guo, Yoshua Wuyts

1 detailed update available.

Comment by @Darksonn posted on 2025-11-14:

On Nov 12th, there was a mini-design meeting organized by Xiangfei Ding on inplace initialization. The attendees were Xiangfei Ding, Alice Ryhl, Benno Lossin, Tyler Mandry, and Taylor Cramer.

We discussed this document: https://hackmd.io/@rust-for-linux-/H11r2RXpgl

Next-generation trait solver (rust-lang/rust-project-goals#113)

Progress
Point of contact	lcnr
Champions	types (lcnr)
Task owners	Boxy, Michael Goulet, lcnr

1 detailed update available.

Comment by @lcnr posted on 2025-11-13:

The new solver is now officially used by Rust Analyzer: https://rust-analyzer.github.io/thisweek/2025/10/27/changelog-299.html. A huge shoutout to Jack Huey Chayim Refael Friedman Shoyu Vanilla and Laurențiu Nicola for that work.

On the rustc end Rémy Rakic spent a lot of time triaging the most recent crater run. This uncovered a bunch of new edge cases, resulting in 6 new tracked issues.

We've also merged fixes for 4 minor issues over the last 3 weeks: https://github.com/rust-lang/rust/pull/148292 https://github.com/rust-lang/rust/pull/148173 https://github.com/rust-lang/rust/pull/147840. Thanks to Jana Dönszelmann, tiif and @adwinwhite for implementing these. @adwinwhite was also instrumental in diagnosing the underlying issue of https://github.com/rust-lang/trait-system-refactor-initiative/issues/245.

Going forward, we intend to continue the crater triage while fixing remaining issues until we're ready for stabilization :> the remaining issues are tracked in https://github.com/orgs/rust-lang/projects/61/views/1.

Stabilizable Polonius support on nightly (rust-lang/rust-project-goals#118)

Progress
Point of contact	Rémy Rakic
Champions	types (Jack Huey)
Task owners	Amanda Stjerna, Rémy Rakic, Niko Matsakis

1 detailed update available.

Comment by @lqd posted on 2025-11-25:

Key developments:

I prototyped building blocks to fix the liveness soundness issue, but this was deemed too brittle.
so we prepared a meeting for the types team to discuss the problem, and possible solutions.
it turns out the issue is related to another soundness issue for opaque types in the new trait solver, https://github.com/rust-lang/trait-system-refactor-initiative/issues/159, and that tiif is already working on. The same solution is needed for both issues: with the full implied bounds available for opaque types in liveness, we'll able to require all the regions outliving the opaque lower bound to be live, while ignoring the unrelated regions (that the hidden type cannot use anyway). There will be no relevant dead region through which loans flow, and code relying on unused lifetimes being dead (like a lot of ed2024 code with the default capture changes) will still compile
we prepared another types-team meeting to discuss polonius in general, and the alpha algorithm in particular, to share knowledge among the team. This will also be helpful to then on apply member constraints in a location-sensitive manner, since right now they're applied at the SCC level and we need to make sure these constraints with the choice regions are present in the localized subset graph.
niko and tiif have made a lot of progress on adding support for borrow checking in a-mir-formality, so I've also joined these meetings, since we'll also want to model the alpha.
I've looked into Prusti's Place Capability Graphs, and plan to see how to integrate the alpha there, and if possible with the fuzzing capabilities mentioned in the paper, with the usual goal to expand testing as we've mentioned many times
we also had some discussion for a possible masters' student project, and thought about different practical and theoretical topics

Goals looking for help

Other goal updates

Add a team charter for rustdoc team (rust-lang/rust-project-goals#387)

Progress
Point of contact	Guillaume Gomez
Champions	rustdoc (Guillaume Gomez)

1 detailed update available.

Comment by @GuillaumeGomez posted on 2025-11-21:

Done in https://github.com/rust-lang/rust-forge/pull/852.

Borrow checking in a-mir-formality (rust-lang/rust-project-goals#122)

Progress
Point of contact	Niko Matsakis
Champions	types (Niko Matsakis)
Task owners	Niko Matsakis, tiif

3 detailed updates available.

Comment by @nikomatsakis posted on 2025-11-05:

tiif and I have been meeting weekly here and pushing changes to the living-large branch of a-mir-formality/nikomatsakis.

We are making progress, we have a minirust type checker and the start of a borrow checker. We've decided to try to use a "judgment-like" approach rather than modeling this as dataflow, as I believe it will give greater insight into the "structure" of the trait checker.

Comment by @nikomatsakis posted on 2025-11-12:

tiif, Jack Huey, and I met today and did more work on the "living-large" branch. The borrow checker judgments are taking shape. My expectation is that we will walk the CFG, tracking the sets of borrows that have occurred so far. At each statement, we will have a judgment that looks at (a) the subtyping relations generated by the type check (flow-insensitive, like NLL); (b) the loans issued so far and not killed; and (c) the live places that may be accessed later. We'll require then that if you are accessing a place P, then there are no loans accessible from a live place that have borrowed P in an incompatible way.

Comment by @nikomatsakis posted on 2025-11-19:

Continued work this week:

Elaborated some on the definition of the when an access or a statement is valid. We are working our way towards what we believe will be a "largely accurate" model of today's NLL -- obviously we'll then want to test it and compare behavior around various edge cases.

C++/Rust Interop Problem Space Mapping (rust-lang/rust-project-goals#388)

Progress
Point of contact	Jon Bauman
Champions	compiler (Oliver Scherer), lang (Tyler Mandry), libs (David Tolnay)
Task owners	Jon Bauman

1 detailed update available.

Comment by @baumanj posted on 2025-11-26:

Key developments: What has happened since the last time. It's perfectly ok to list "nothing" if that's the truth, we know people get busy.

Nothing! This is the first update and I have yet to focus attention on the project goal. For context, I am employed by the Rust Foundation leading the C++ Interoperability initiative and so far have been executing against the strategy detailed in the problem statement. Owing to greater than anticipated success and deadlines related to WG21 meetings, I've been focusing on the Social Interoperability strategy recently. I have just reached a point where I can turn more attention to the other strategies and so expect to make progress on this goal soon.

Blockers: List any Rust teams you are waiting on and what you are waiting for.

None; I'm getting excellent support from the Project in everything I'm doing. My successes thus far would not have been possible without them, and there are too many to enumerate in this space. There will be a blog post coming soon detailing the past year of work in the initiative where I intend to go into detail. Watch this space for updates.

Help wanted: Are there places where you are looking for contribution or feedback from the broader community?

I am always interested in contribution and feedback. If you're interested, please reach out via interop@rustfoundation.org or t-lang/interop.

Comprehensive niche checks for Rust (rust-lang/rust-project-goals#262)

Progress
Point of contact	Bastian Kersting
Champions	compiler (Ben Kimock), opsem (Ben Kimock)
Task owners	Bastian Kersting], Jakob Koschel

No detailed updates available.

Const Generics (rust-lang/rust-project-goals#100)

Progress
Point of contact	Boxy
Champions	lang (Niko Matsakis)
Task owners	Boxy, Noah Lev

2 detailed updates available.

Comment by @BoxyUwU posted on 2025-11-05:

Since the lang meeting most progress on this project goal has been unrelated to adt_const_params.

There's been a large amount of work on min_generic_const_args, specifically Noah Lev's PR (rust-lang/rust#139558) which once landed the core of the impl work for the feature will be done. I've reviewed it together with Oliver Scherer and it's pretty much ready to go other than some small reviews.

Once this PR lands I'm hoping that there should be a fair amount of "smallish" PRs that can be made which could be a good set of PRs to mentor new-ish contributors on.

Comment by @BoxyUwU posted on 2025-11-29:

Once again most progress here has been on min_generic_const_args.

Noah Lev's PR (rust-lang/rust#139558) has now landed, as well as an additional PR of his: rust-lang/rust#148716. Between the two of these the core impl should be "mostly done" now, atleast with no additional feature gates enabled :).

The next big step is to make the min_generic_const_args prototype work well with adt_const_params which I've implemented myself in rust-lang/rust#149136 and rust-lang/rust#149114. These PRs still need to be reviewed but the bulk of the impl work there is now done. These PRs allow for constructing ADTs where the field values may themselves be const parameters or non-concrete uses of type_consts (ie the values are const argument positions).

Once my PRs have landed I would consider mgca as a prototype to be truly "done" though not done as an actual feature. Huge thanks to camelid for sticking through a bunch of fairly painful PRs to get us to this point.

Continue resolving `cargo-semver-checks` blockers for merging into cargo (rust-lang/rust-project-goals#104)

Progress
Point of contact	Predrag Gruevski
Champions	cargo (Ed Page), rustdoc (Alona Enraght-Moony)
Task owners	Predrag Gruevski

2 detailed updates available.

Comment by @obi1kenobi posted on 2025-11-02:

Status update as of November 1

Key developments:

Draft PR for exposing implied bounds in rustdoc JSON: https://github.com/rust-lang/rust/pull/148379
A concrete plan for how that new info turns into dozens of new lints covering many kinds of bounds

Linting ?Sized and 'static bounds turned out to be quite a bit more complex than I anticipated. The key issue is that seeing T: Foo + ?Sized does not guarantee that T can be unsized, since we might have Foo: Sized which renders the ?Sized relaxation ineffective. Similarly, seeing T: Foo might also non-obviously imply T: 'static via a similar implied bound.

Failure to correctly account for implied bounds would lead to catastrophic false-positives and false-negatives. For example, changing T: Foo to T: Foo + 'static could be a major breaking change or a no-op, depending on whether we have Foo: 'static (either directly or implicitly via other trait bounds).

We cannot determine implied bounds using information present in rustdoc JSON today, so the rustdoc team and I have been iterating on the best way to compute and include that information in rustdoc JSON. Assuming something similar to the aforementioned PR becomes part of rustdoc JSON, cargo-semver-checks stands to gain several dozen new lints covering these tricky cases over trait associated types, generic type parameters, and APIT/RPIT/RPITIT.

Comment by @obi1kenobi posted on 2025-11-23:

Google Summer of Code 2025 is complete + finally some movement on cross-crate linting! 🚀

Key developments

Two students had a successful conclusion of Google Summer of Code working on cargo-semver-checks — find more details here!
rustdoc JSON now includes rlib information, following the design for cross-crate rustdoc JSON info created at RustWeek 2025: https://github.com/rust-lang/rust/pull/149043
A cargo issue was discovered that prevents this rlib info from being used; it's currently being triaged: https://github.com/rust-lang/cargo/issues/16291
Once that's resolved, we'll have enough here for a basic prototype. Getting features right in dependencies will likely require more work due to having many more cargo-related edge cases.

Develop the capabilities to keep the FLS up to date (rust-lang/rust-project-goals#391)

Progress
Point of contact	Pete LeVasseur
Champions	bootstrap (Jakub Beránek), lang (Niko Matsakis), spec (Pete LeVasseur)
Task owners	Pete LeVasseur, Contributors from Ferrous Systems and others TBD, `t-spec` and contributors from Ferrous Systems

2 detailed updates available.

Comment by @PLeVasseur posted on 2025-11-05:

Meeting minutes from meeting held on 2025-10-31 (thank you to Tomas Sedovic 🥰)

Top-level:

Keep high quality bar, merge small, well-vetted changes when possible
Need concentrated effort to get the 1.90 FLS updates merged
- Hristian Kirtchev and Tshepang Mbambo are navigating this currently with TC
Once 1.90 merged, we attempt first go as a team at 1.91

Discussion:

Suggest that everyone read the Glossary as a starting point
How to best triage / handle incoming issues?
- TC and Pete LeVasseur moved labels onto FLS repo that were needed
- Pete LeVasseur created issue template, that's in review, to help focus triage

Comment by @PLeVasseur posted on 2025-11-21:

Meeting notes here: 2025-11-14 - t-fls Meeting

Key developments: PR merged for 1.90 update of the FLS. We're preparing now to work on the 1.91 update of the FLS. Blockers: None currently Help wanted: Anyone that's familiar with the Rust Reference is more than encouraged to read through the FLS to get a sense of it and where further alignment may be possible. Feel free to open issues on the FLS repo as you find things.

Emit Retags in Codegen (rust-lang/rust-project-goals#392)

Progress
Point of contact	Ian McCormack
Champions	compiler (Ralf Jung), opsem (Ralf Jung)
Task owners	Ian McCormack

1 detailed update available.

Comment by @icmccorm posted on 2025-11-11:

We've posted a pre-RFC for feedback, and we'll continue updating and expanding the draft here. This reflects most of the current state of the implementation, aside from tracking interior mutability precisely, which is still TBD but is described in the RFC.

Expand the Rust Reference to specify more aspects of the Rust language (rust-lang/rust-project-goals#394)

Progress
Point of contact	Josh Triplett
Champions	lang-docs (Josh Triplett), spec (Josh Triplett)
Task owners	Amanieu d'Antras, Guillaume Gomez, Jack Huey, Josh Triplett, lcnr, Mara Bos, Vadim Petrochenkov, Jane Lusby

1 detailed update available.

Comment by @joshtriplett posted on 2025-11-12:

We're putting together a prototype/demo of our reference changes at https://rust-lang.github.io/project-goal-reference-expansion/ . This includes a demonstration of tooling changes to provide stability markers (both "documenting unstable Rust" and "unstable documentation of stable Rust").

Finish the libtest json output experiment (rust-lang/rust-project-goals#255)

Progress
Point of contact	Ed Page
Champions	cargo (Ed Page)
Task owners	Ed Page

1 detailed update available.

Comment by @epage posted on 2025-11-21:

Key developments:

libtest2:
- #[test] macro added
- Support for should_panic
- Support for ignore
- Support for custom error types
- compile-fail tests for macros

Blockers

None

Help wanted:

Round out libtest compatibility

Finish the std::offload module (rust-lang/rust-project-goals#109)

Progress
Point of contact	Manuel Drehwald
Champions	compiler (Manuel Drehwald), lang (TC)
Task owners	Manuel Drehwald, LLVM offload/GPU contributors

1 detailed update available.

Comment by @ZuseZ4 posted on 2025-11-19:

Automatic Differentiation

Time for the next update. By now, we've had std::autodiff for around a year in upstream rustc, but not in nightly. In order to get some more test users, I asked the infra team to re-evaluate just shipping autodiff as-is. This means that for the moment, we will increase the binary size of rustc by ~5%, even for nightly users who don't use this feature. We still have an open issue to avoid this overhead by using dlopen, please reach out if you have time to help. Thankfully, my request was accepted, so I spent most of my time lately preparing that release.

As part of my cleanup I went through old issues, and realized we now partly support rlib's! That's a huge improvement, because it means you can use autodiff not only in your main.rs file, but also in dependencies (either lib.rs, or even rely on crates that use autodiff). With the help of Ben Kimock I figured out how to get the remaining cases covered, hopefully the PR will land soon.
I started documentation improvements in https://github.com/rust-lang/rust/pull/149082 and https://github.com/rust-lang/rust/pull/148201, which should be visible on the website from tomorrow onwards. They are likely still not perfect, so please keep opening issues if you have questions.
We now provide a helpful error message if a user forgets enabling lto=fat: https://github.com/rust-lang/rust/pull/148855
After two months of work, @sgasho managed to add Rust CI to enzyme! Unfortunately, Enzyme devs broke and disabled it directly, so we'll need to talk about maintaining it as part of shipping Enzyme in nightly.

I have the following elements on my TODO list as part shipping AD on nightly

Re-enable macOS build (probably easy)
Talk with Enzyme Devs about maintenance
Merge rlib support (under review)
upstream ADbenchmarks from r-l/enzyme to r-l/r as codegen tests (easy)
Write a block post/article for https://blog.rust-lang.org/inside-rust/

GPU offload

The llvm dev talk about GPU programming went great, I got to talk to a lot of other developers in the area of llvm offload. I hope to use some of the gained knowledge soon. Concrete steps planned are the integration of libc-gpu for IO from kernels, as well as moving over my code from the OpenMP API to the slightly lower level liboffload API.
We confirmed that our gpu offload prototype works on more hardware. By now we have the latest AMD APU generation covered, as well as an MI 250X and an RTX 4050. My own Laptop with a slightly older AMD Ryzen 7 PRO 7840U unfortunately turned out to be not supported by AMD drivers.
The offload intrinsic PR by Marcelo Domínguez is now marked as ready, and I left my second round of review. Hopefully, we can land it soon!
I spend some time trying to build and potentially ship the needed offload changes in nightly, unfortunately I still fail to build it in CI: https://github.com/rust-lang/rust/pull/148671.

All in all, I think we made great progress over the last month, and it's motivating that we finally have no blockers left for flipping the llvm.enzyme config on our nightly builds.

Getting Rust for Linux into stable Rust: compiler features (rust-lang/rust-project-goals#407)

Progress
Point of contact	Tomas Sedovic
Champions	compiler (Wesley Wiser)
Task owners	(depending on the flag)

2 detailed updates available.

Comment by @tomassedovic posted on 2025-11-19:

Update from the 2025-11-05 meeting.

`-Zharden-sls` / rust#136597

Wesley Wiser left a comment on the PR, Andr

-Zno-jump-tables / rust#145974

Merged, expected to ship in Rust 1.93. The Linux kernel added support for the new name for the option (-Cjump-tables=n).

Comment by @tomassedovic posted on 2025-11-28:

Update form the 2025-11-19 meeting:

`-Zharden-sls` / rust#136597

Andrew addressed the comment and rebased the PR. It's waiting for a review again.

`#![register_tool]` / rust#66079

Tyler Mandry had an alternative proposal where lints would be defined in an external crate and could be brought in via use or something similar: https://rust-lang.zulipchat.com/#narrow/channel/213817-t-lang/topic/namespaced.20tool.20attrs.

A concern people had was the overhead of having to define a new crate and the potential difficulty with experimenting on new lints.

Tyler suggested adding this as a future possibility to RFC#3808 and FCPing it.

Getting Rust for Linux into stable Rust: language features (rust-lang/rust-project-goals#116)

Progress
Point of contact	Tomas Sedovic
Champions	lang (Josh Triplett), lang-docs (TC)
Task owners	Ding Xiang Fei

2 detailed updates available.

Comment by @tomassedovic posted on 2025-11-19:

Update from the 2025-11-05 meeting.

`Deref`/`Receiver`

Ding Xiang Fei posted his reasoning for the trait split in the Zulip thread and suggested adding a second RFC to explain.

TC recommended writing a Reference PR. The style forces one to explain the model clearly which should then make writing the RFC easier.

The lang experiment PR for arbitrary self types have feature gates for the two options we're exploring.

Arbitrary Self Types and `derive(CoercePointee)` / tracking issue #44874

theemathas opened an issue derive(CoercePointee) accepts ?Sized + Sized #148399. This isn't a critical issue, just an error that arguably should be a lint.

Boxy opened a fix for a derive(CoercePointee) blocker: Forbid freely casting lifetime bounds of dyn-types .

RFC #3851: Supertrait Auto-impl

Ding Xiang Fei is working on the implementation (the parser and HIR interface for it). Ding's also working on a more complete section dedicated to questions raised by obi1kenobi

Field projections

Benno Lossin has been posting super detailed updates on the tracking issue

We've discussed the idea of virtual places (see Zulip thread where they were proposed).

Inlining C code into Rust code

Matt Mauer had an idea to compile C code into LLVM bytecode (instead of object file) and then the llvm-link tool to merge them together and treat everything in the second bytecode file as a static inlined function. Matt suggested we could integrate this into the rustc passes.

This would make it easy to inline certain functions into Rust code without full LTO.

Relevant Zulip thread.

This sounds like a good candidate for the next Project Goals period.

Comment by @tomassedovic posted on 2025-11-28:

Update from the 2025-11-19 meeting.

`rustdoc` checking for private and hidden items (rust##149105 & rust#149106)

Miguel proposed Rust Doc checking for invalid links to items that are hidden or private even if no docs are built for them. This can help catch typos or dead links because the docs became out of date.

Guillaume was much more open to this being a toggle, lolbinarycat opened a PR here: https://github.com/rust-lang/rust/pull/141299

`unsafe_op_in_unsafe_fn` not respected in imported declarative macros rust#112504

This lint doesn't trigger when importing a declarative macro that's calling unsafe code without having an unsafe block and without a SAFETY comment.

The lint is only triggered when the macro was actually used.

Fix for `imports_granularity` is not respected for `#[cfg]`'d items / rustfmt#6666

Ding opened a PR to fix this: https://github.com/rust-lang/rustfmt/issues/6666

rustfmt trailing comma hack

Ding and Manish were talking about writing up a proper fix for the vertical layout that's currently being solved by the , //, hack

`TypeId` layout

This has been discussed in https://github.com/rust-lang/rust/pull/148265 and https://rust-lang.zulipchat.com/#narrow/channel/213817-t-lang/topic/TypeID.20design/near/560189854.

Apiraino proposed a compiler design meeting here: https://github.com/rust-lang/compiler-team/issues/941. That meeting has not been scheduled yet, though.

`Deref` / `Receiver`

Following TC's recommendation, Ding is drafting the Reference PR.

Arbitrary Self Types and `derive(CoercePointee)`

Ding opened a PR to fix unsoundness in the DispatchFromDyn trait: https://github.com/rust-lang/rust/pull/149068

Theemathas opened a question on whether Receiver should by dyn-compatible: https://github.com/rust-lang/rust/issues/149094

RFC #3848: Pass pointers to `const` in assembly

Merged!

In-place initialization

Benno noted that Effects and In-place Init are not compatible with each other: https://rust-lang.zulipchat.com/#narrow/channel/528918-t-lang.2Fin-place-init/topic/Fundamental.20Issue.20of.20Effects.20and.20In-place-init/with/558268061

This is going to affect any in-place init proposal.

Benno proposes fixing this with keyword generics. This is a topic that will receive a lot of discussion doing forward.

Alice has been nominated and accepted as `language-advisor`. Fantastic news and congratulations!

Implement Open API Namespace Support (rust-lang/rust-project-goals#256)

Progress
Point of contact
Champions	cargo (Ed Page), compiler (b-naber), crates-io (Carol Nichols)
Task owners	b-naber, Ed Page

No detailed updates available.

MIR move elimination (rust-lang/rust-project-goals#396)

Progress
Point of contact	Amanieu d'Antras
Champions	lang (Amanieu d'Antras)
Task owners	Amanieu d'Antras

1 detailed update available.

Comment by @Amanieu posted on 2025-11-15:

An RFC draft covering the MIR changes necessary to support this optimization has been written and is currently being reviewed by T-opsem. It has already received one round of review and the feedback has been incorporated in the draft.

Prototype a new set of Cargo "plumbing" commands (rust-lang/rust-project-goals#264)

Progress
Point of contact
Task owners	, Ed Page

No detailed updates available.

Prototype Cargo build analysis (rust-lang/rust-project-goals#398)

Progress
Point of contact	Weihang Lo
Champions	cargo (Weihang Lo)
Task owners	Weihang Lo, Weihang Lo

2 detailed updates available.

Comment by @weihanglo posted on 2025-11-04:

Instead of using a full-fledged database like SQLite, we switched to a basic JSONL-based logging system to collect build metrics. A simple design doc can be found here: https://hackmd.io/K5-sGEJeR5mLGsJLXqsHrw.

Here are the recent pull requests:

https://github.com/rust-lang/cargo/pull/16150
https://github.com/rust-lang/cargo/pull/16179

To enable it, set CARGO_BUILD_ANALYSIS_ENABLED=true or set the Cargo config file like this:

[build.analysis]
enabled = true

As of today (nightly-2025-11-03), it currently emits build-started and timing-info two log events to $CARGO_HOME/log/ (~/.cargo/log/ by default). The shape of timing-info JSON is basically the shape of the unstable --timing=json. I anticipate when this is stabilized we don't need --timing=json.

The build.analysis.enable is a non-blocking unstable feature. Unless bugs, should be able to set unconditionally even on stable toolchain. When not supported, it would just warn the unknown config merely.

Comment by @weihanglo posted on 2025-11-24:

Key developments: Started emitting basic fingerprint information, and kicked off the refactor of rendering HTML timing report for future report replay through cargo report timings command.

https://github.com/rust-lang/cargo/pull/16203
https://github.com/rust-lang/cargo/pull/16282

Blockers: no except my own availability

Help wanted: Mendy on Zulip brought up log compression (#t-cargo > build analysis log format @ 💬) but I personally don't have time looking at it durnig this period. Would love to see people create an issue in rust-lang/cargo and help explore the idea.

reflection and comptime (rust-lang/rust-project-goals#406)

Progress
Point of contact	Oliver Scherer
Champions	compiler (Oliver Scherer), lang (Scott McMurray), libs (Josh Triplett)
Task owners	oli-obk

1 detailed update available.

Comment by @nikomatsakis posted on 2025-11-12:

Another related PR:

https://github.com/rust-lang/rust/pull/148820

Rework Cargo Build Dir Layout (rust-lang/rust-project-goals#401)

Progress
Point of contact	Ross Sullivan
Champions	cargo (Weihang Lo)
Task owners	Ross Sullivan

1 detailed update available.

Comment by @ranger-ross posted on 2025-11-21:

Status update November 21, 2025

October was largely spent working out design details of the build cache and locking design.

https://github.com/rust-lang/cargo/pull/16155 was opened with an initial implementation for fine grain locking for Cargo's build-dir however it needs to be reworked after the design clarifications mentioned above.

In November I had a change of employer so I my focus was largely on that. However, we did make some progress towards locking in https://github.com/rust-lang/cargo/pull/16230 which no longer lock the artifact-dir for cargo check. This is expected to land in 1.93.0.

I'm hoping to push fine grain locking forward later this month and in December.

Run more tests for GCC backend in the Rust's CI (rust-lang/rust-project-goals#402)

Progress
Point of contact	Guillaume Gomez
Champions	compiler (Wesley Wiser), infra (Marco Ieni)
Task owners	Guillaume Gomez

1 detailed update available.

Comment by @GuillaumeGomez posted on 2025-11-19:

This project goal has been completed. I updated the first issue to reflect it. Closing the issue then.

Rust Stabilization of MemorySanitizer and ThreadSanitizer Support (rust-lang/rust-project-goals#403)

Progress
Point of contact	Jakob Koschel
Task owners	[Bastian Kersting](https://github.com/1c3t3a), [Jakob Koschel](https://github.com/jakos-sec)

1 detailed update available.

Comment by @jakos-sec posted on 2025-11-21:

We've had a bunch of discussions and I opened a MCP (link, zulip).

I think the final sentiment was creating new targets for the few sanitizers and platforms that are critical. I'm in the process of prototyping something to get new feedback on it.

Rust Vision Document (rust-lang/rust-project-goals#269)

Progress
Point of contact	Niko Matsakis
Task owners	vision team

1 detailed update available.

Comment by @nikomatsakis posted on 2025-11-05:

Update:

Jack Huey has been doing great work building out a system for analyzing interviews. We are currently looking at slicing the data along a few dimensions:

What you know (e.g., experience in other languages, how much experience with Rust)
What you are trying to do (e.g., application area)
Where you are trying to do it (e.g., country)

and asking essentially the same set of questions for each, e.g., what about Rust worked well, what did not work as well, what got you into Rust, etc.

Our plan is to prepare a draft of an RFC with some major conclusions and next steps also a repository with more detailed analysis (e.g., a deep dive into the Security Critical space).

rustc-perf improvements (rust-lang/rust-project-goals#275)

Progress
Point of contact	James
Champions	compiler (David Wood), infra (Jakub Beránek)
Task owners	James, Jakub Beránek, David Wood

1 detailed update available.

Comment by @Kobzol posted on 2025-11-19:

The new system has been running in production without any major issues for a few weeks now. In a few weeks, I plan to start using the second collector, and then announce the new system to Project members to tell them how they can use its new features.

Stabilize public/private dependencies (rust-lang/rust-project-goals#272)

Progress
Point of contact
Champions	cargo (Ed Page)
Task owners	, Ed Page

No detailed updates available.

Stabilize rustdoc `doc_cfg` feature (rust-lang/rust-project-goals#404)

Progress
Point of contact	Guillaume Gomez
Champions	rustdoc (Guillaume Gomez)
Task owners	Guillaume Gomez

No detailed updates available.

SVE and SME on AArch64 (rust-lang/rust-project-goals#270)

Progress
Point of contact	David Wood
Champions	compiler (David Wood), lang (Niko Matsakis), libs (Amanieu d'Antras)
Task owners	David Wood

2 detailed updates available.

Comment by @nikomatsakis posted on 2025-11-05:

Notes from our meeting today:

Syntax proposal: `only` keyword

We are exploring the use of a new only keyword to identify "special" bounds that will affect the default bounds applied to the type parameter. Under this proposal, T: SizeOfVal is a regular bound, but T: only SizeOfVal indicates that the T: const Sized default is suppressed.

For the initial proposal, only can only be applied to a known set of traits; one possible extension would be to permit traits with only supertraits to also have only applied to them:

trait MyDeref: only SizeOfVal { }
fn foo<T: only MyDeref>() { }

// equivalent to

trait MyDeref: only SizeOfVal { }
fn foo<T: MyDeref + only SizeOfVal>() { }

We discussed a few other syntactic options:

A ^SizeOfVal sigil was appealing due to the semver analogy but rejected on the basis of it being cryptic and hard to google.
The idea of applying the keyword to the type parameter only T: SizeOfVal sort of made sense, but it would not compose well if we add additional families of "opt-out" traits like Destruct and Forget, and it's not clear how it applies to supertraits.

Transitioning target

After testing, we confirmed that relaxing Target bound will result in significant breakage without some kind of transitionary measures.

We discussed the options for addressing this. One option would be to leverage "Implementable trait aliases" RFC but that would require a new trait (Deref20XX) that has a weaker bound an alias trait Deref = Deref20XX<Target: only SizeOfVal>. That seems very disruptive.

Instead, we are considering an edition-based approach where (in Rust 2024) a T: Target bound is defaulted to T: Deref<Target: only SizeOfVal> and (in Rust 20XX) T: Target is defaulted to T: Deref<Target: only Pointee>. The edition transition would therefore convert bounds to one of those two forms to be fully explicit.

One caveat here is that this edition transition, if implemented naively, would result in stronger bounds than are needed much of the time. Therefore, we will explore the option of using bottom-up analysis to determine when transitioning whether the 20XX bound can be used instead of the more conservative 2024 bound.

Supertrait bounds

We explored the implications of weakening supertrait bounds a bit, looking at this example

trait FooTr<T: ?Sized> {}

struct Foo<T: ?Sized>(std::marker::PhantomData<T>);

fn bar<T: ?Sized>() {}

trait Bar: FooTr<Self> /*: no longer MetaSized */ {
  //       ^^^^^^^^^^^ error!
    // real examples are `Pin` and `TypeOf::of`:
    fn foo(&self, x: Foo<Self>) {
        //        ^^^^^^^^^^^^ error!
        bar::<Self>();
        // ^^^^^^^^^^ error!
          
      
        // real examples are in core::fmt and core::iter:
        trait DoThing {
            fn do_thing() {}
        }
        
        impl<T: ?Sized> DoThing for T {
            default fn do_thing() {}
        }
        
        impl<T: Sized> DoThing for T {
            fn do_thing() {}
        }
        
        self.do_thing();
        // ^^^^^^^^^^^^^ error!
        // specialisation case is not an issue because that feature isn't stable, we can adjust core, but is a hazard with expanding trait hierarchies in future if stabilisation is ever stabilised
    }
}

The experimental_default_bounds work originally added Self: Trait bounds to default methods but moved away from that because it could cause region errors (source 1 / source 2). We expect the same would apply to us but we are not sure.

We decided not to do much on this, the focus remains on the Deref::Target transition as it has more uncertainty.

Comment by @davidtwco posted on 2025-11-22:

No progress since [Niko Matsakis's last comment](https://github.com/rust-lang/rust-project-goals/issues/270#issuecomment-3492255970) - intending to experiment with resolving challenges with Deref::Target and land the SVE infrastructure with unfinished parts for experimentation.

Type System Documentation (rust-lang/rust-project-goals#405)

Progress
Point of contact	Boxy
Champions	types (Boxy)
Task owners	Boxy, lcnr

2 detailed updates available.

Comment by @BoxyUwU posted on 2025-11-05:

A bit late on this update but I've sat down with lcnr a little while back and we tried to come up with a list of topics that we felt fell under type system documentation. This is an entirely unordered list and some topics may already be adequately covered in the dev guide already.

Regardless this effectively serves as a "shiny future" for everything I'd like to have documentation about somewhere (be it dev guide or in-tree module level documentation):

opaque types
- non defining vs defining uses
- member constraints (borrowck overlap)
- checking item bounds
- high level normalization/opaque type storage approach (new solver)
- normalization incompleteness
- method/function incompleteness
- how does use<...> work
- 'erased regions causes problems with outlives item bounds in liveness
- consistency across defining scopes
- RPITIT inference? does this have special stuff
- capturing of bound vars in opaques under binders, Fn bounds are somewhat special in relation to this
- opaques inheriting late bound function parameters
non opaque type, impl Trait
- RPITIT in traits desugaring
- impl Trait in bindings
- APIT desugaring impl details
const generics
- anonymous constants
- ConstArgHasType
- TSVs vs RVs and generally upstream doc from lang meeting to dev guide
- deterministic CTFE requirement
HIR typeck
- expectations (and how used incorrectly :3)
- method lookup + assorted code cleanups
- coercions
- auto-deref/reborrows (in coercions/method selection)
- closure signature inference
- fudge_inference_if_ok :>
- diverging block handling :3
- fallback :3
MIR borrowck
- MIR typeck
  - why do we want two typecks
  - region dependent goals in new solver (interaction with lack-of region uniquification)
- overlaps with opaque types
- compute region graph
- closure requirements
- borrowck proper
compare predicate entailment :>
- param env jank
- implied bounds handling
trait objects: recent FCPs :3
- dyn compatibility soundness interactions (see coerce pointee/arbitrary self types stuff)
- dyn compatibility for impl reasons (monomorphization)
- projection bounds handling
- args not required for wf
ty::Infer in ty overview
generalization
coroutines
- deferred coroutine obligations
- witness types?
- why -Zhigher-ranked-assumptions exists
binders and universes existsA forallB A == B
- build more of an intuition than current docs :thinking_face:
talk about hr implied bounds there/be more explicit/clear in https://rustc-dev-guide.rust-lang.org/traits/implied-bounds.html?highlight=implied#proving-implicit-implied-bounds
incompleteness
- what is it
- what kinds are OK (not entirely sure yet. small explanation and add a note)
trait solving
- cycles
- general overview of how trait solving works as a concept (probably with example and handwritten proof trees)
  - important: first go "prove stuff by recursively proving nested requirements", then later introduce candidates
  - clauses/predicates
- running pending goals in a loop
- what kinds of incompleteness (overlap with opaques)
- builtin impls and how to add them
hir to ty lowering :>
- itemctxt vs fnctxt behaviours
- normalization in lowering
- lowering should be lossy
- idempotency(?)
- cycles from param env construction
- const generics jank about Self and no generic parameters allowed
well formedness checking + wf disambiguation page
normalization & aliases
- be more clear about normalizing ambig aliases to infer vars :thinking_face:
- normalize when equating infer vars with aliases (overlap with generalization?)
- item bounds checking
- interactions with implied bounds (overlap with implied bounds and hir ty lowering)
variance

Since making this list I've started working on writing documentation about coercions/adjustments. So far this has mostly resulted in spending a lot of time reading the relevant code in rustc. I've discovered a few bugs and inconsistencies in behaviour and made some nice code cleanups which should be valuable for people learning how coercions are implemented already. This can be seen in #147565

I intend to start actually writing stuff in the dev guide for coercions/adjustments now as that PR is almost done.

I also intend to use a zulip thread (#t-compiler/rustc-dev-guide > Type System Docs Rewrite) for more "lightweight" and informal updates on this project goal, as well as just miscellaneous discussion about work relating to this project goal

Comment by @BoxyUwU posted on 2025-11-29:

I've made a tracking issue on the dev guide repo for this project goal: rust-lang/rustc-dev-guide#2663. I've also written documentation for coercions: rust-lang/rustc-dev-guide#2662. There have been a few extra additions to the list in the previous update.

Unsafe Fields (rust-lang/rust-project-goals#273)

Progress
Point of contact	Jack Wrenn
Champions	compiler (Jack Wrenn), lang (Scott McMurray)
Task owners	Jacob Pratt, Jack Wrenn, Luca Versari

No detailed updates available.

by Tomas Sedovic at December 16, 2025 12:00 AM

December 15, 2025

Wladimir Palant — Unpacking VStarcam firmware for fun and profit

One important player in the PPPP protocol business is VStarcam. At the very least they’ve already accumulated an impressive portfolio of security issues. Like exposing system configuration including access password unprotected in the Web UI (discovered by multiple people independently from the look of it). Or the open telnet port accepting hardcoded credentials (definitely discovered by lots of people independently). In fact, these cameras have been seen used as part of a botnet, likely thanks to some documented vulnerabilities in their user interface.

Is that a thing of the past? Are there updates fixing these issues? Which devices can be updated? These questions are surprisingly hard to answer. I found zero information on VStarcam firmware versions, available updates or security fixes. In fact, it doesn’t look like they ever even acknowledged learning about the existence of these vulnerabilities.

No way around downloading these firmware updates and having a look for myself. With surprising results. First of all: there are lots of firmware updates. It seems that VStarcam accumulated a huge number of firmware branches. And even though not all of them even have an active or downloadable update, the number of currently available updates goes into hundreds.

And the other aspect: the variety of update formats is staggering, and often enough standard tools like binwalk aren’t too useful. It took some time figuring out how to unpack some of the more obscure variants, so I’m documenting it all here.

Warning: Lots of quick-and-dirty Python code ahead. Minimal error checking, use at your own risk!

ZIP-packed incremental updates

These incremental updates don’t contain an image of the entire system, only the files that need updating. They always contain the main application however, which is what matters.

Recognizing this format is easy, the files start with the 32 bytes www.object-camera.com.by.hongzx. or www.veepai.com/design.rock-peng. (the old and the new variant respectively). The files end with the same string in reverse order. Everything in between is a sequence of ZIP files, with each file packed in its own ZIP file.

Each ZIP file is preceded by a 140 byte header: 64 byte directory name, 64 byte file name, 4 byte ZIP file size, 4 byte timestamp of some kind and 4 zero bytes. While binwalk can handle this format, having each file extracted into a separate directory structure isn’t optimal. A simple Python script can do better:

#!/usr/bin/env python3
import datetime
import io
import struct
import os
import sys
import zipfile


def unpack_zip_stream(input: io.BytesIO, targetdir: str) -> None:
    targetdir = os.path.normpath(targetdir)
    while True:
        header = input.read(0x8c)
        if len(header) < 0x8c:
            break

        _, _, size, _, _ = struct.unpack('<64s64sLLL', header)
        data = input.read(size)

        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            for member in archive.infolist():
                path = os.path.normpath(
                    os.path.join(targetdir, member.filename)
                )
                if os.path.commonprefix((path, targetdir)) != targetdir:
                    raise Exception('Invalid target path', path)

                try:
                    os.makedirs(os.path.dirname(path))
                except FileExistsError:
                    pass

                with archive.open(member) as member_input:
                    data = member_input.read()
                with open(path, 'wb') as output:
                    output.write(data)

                time = datetime.datetime(*member.date_time).timestamp()
                os.utime(path, (time, time))


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} in-file target-dir', file=sys.stderr)
        sys.exit(1)

    if os.path.exists(sys.argv[2]):
        raise Exception('Target directory exists')

    with open(sys.argv[1], 'rb') as input:
        header = input.read(32)
        if (header != b'www.object-camera.com.by.hongzx.' and
                header != b'www.veepai.com/design.rock-peng.'):
            raise Exception('Wrong file format')
        unpack_zip_stream(input, sys.argv[2])

VStarcam pack system

This format is pretty simple. There is an identical section starting with VSTARCAM_PACK_SYSTEM_HEAD and ending with VSTARCAM_PACK_SYSTEM_TAIL at the start and at the end of the file. This section seems to contain a payload size and its MD5 hash.

There are two types of payload here. One is a raw SquashFS image starting with hsqs. These seem to be updates to the base system: they contain an entire Linux root filesystem and the Web UI root but not the actual application. The matching application lives on a different partition and is likely delivered via incremental updates.

The other variant seems to be used for hardware running LiteOS rather than Linux. The payload here starts with a 16 byte header: compressed size, uncompressed size and an 8 byte identification of the compression algorithm. The latter is usually gziphead, meaning standard gzip compression. After uncompressing you get a single executable binary containing the entire operating system, drivers, and the actual application.

So far binwalk can handle all these files just fine. I found exactly one exception, firmware version 48.60.30.22. It seems to be another LiteOS-based update but the compression algorithm field is all zeroes. The actual compressed stream has some distinct features that make it look like none of the common compression algorithms.

Screenshot of a hexdump showing the first 160 and the last 128 bytes of a large file. The file starts with the bytes 30 c0 fb 54 and looks random except for two sequences of 14 identical bytes: ef at offset 0x24 and fb at offset 0x43. The file ending also looks random except for the closing sequence: ff ff 0f 00 00.

Well, I had to move on here, so that’s the one update file I haven’t managed to unpack.

VeePai updates

This is a format that seems to be used by newer VStarcam hardware. At offset 8 these files contain a firmware version like www.veepai.com-10.201.120.54. Offsets of the payload vary but it is a SquashFS image, so binwalk can be used to find and unpack it.

Normally these are updates for the partition where the VStarcam application resides in. In a few cases these are updating the Linux base system however, no application-specific files from what I could tell.

Ingenic updates

This format seems to be specific to the Ingenic hardware platform, and I’ve seen other hardware vendors use it as well. One noticeable feature here is the presence of a tag partition containing various data sections, e.g. the CMDL section encoding Linux kernel parameters.

In fact, looking for that tag partition within the update might be helpful to recognize the format. While the update files usually start with the 11 22 33 44 magic bytes, they sometimes start with a different byte combination. There is always the firmware version at offset 8 in the file however.

The total size of the file header is 40 bytes. It is followed by a sequence of partitions, each preceded by a 16 byte header where bytes 1 to 4 encode the partition index and bytes 9 to 12 the partition size.

Binwalk can recognize and extract some partitions but not all of them. If you prefer having all partitions extracted you can use a simple Python script:

#!/usr/bin/env python3
import io
import struct
import os
import sys


def unpack_ingenic_update(input: io.BytesIO, targetdir: str) -> None:
    os.makedirs(targetdir)

    input.read(40)
    while True:
        header = input.read(16)
        if len(header) < 16:
            break

        index, _, size, _ = struct.unpack('<LLLL', header)
        data = input.read(size)
        if len(data) < size:
            raise Exception(f'Unexpected end of data')

        path = os.path.join(targetdir, f'mtdblock{index}')
        with open(path, 'wb') as output:
            output.write(data)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} in-file target-dir', file=sys.stderr)
        sys.exit(1)

    with open(sys.argv[1], 'rb') as input:
        unpack_ingenic_update(input, sys.argv[2])

You will find some partitions rather tricky to unpack however.

LZO-compressed partitions

Some partitions contain a file name at offset 34, typically rootfs_camera.cpio. These are LZO-compressed but lack the usual magic bytes. Instead, the first four bytes contain the size of compressed data in this partition. Once you replace these four bytes by 89 4c 5a 4f (removing trailing junk is optional) the partition can be uncompressed with the regular lzop tool and the result fed into cpio to get the individual files.

Ingenic’s jzlzma compression

Other Ingenic root partitions are more tricky. These also start with the data size but it is followed by the bytes 56 19 05 27 (that’s a uImage signature in reversed byte order). After that comes a compressed stream that sort of looks like LZMA but isn’t LZMA. What’s more: while binwalk will report that the Linux kernel is compressed via LZ4, it’s actually the same strange compression mechanism. The bootloader of these systems pre-dates the introduction of LZ4, so the same compression algorithm identifier was used for this compression mechanism that was later assigned to LZ4 by the upstream version of the bootloader.

What kind of compression is this? I’ve spent some time analyzing the bootloader but it turned out to be a red herring: apparently, the decompression is performed by hardware here, and the bootloader merely pushes the data into designated memory areas. Ugh!

At least the bootloader told me how it is called: jzlzma, which is apparently Ingenic’s proprietary LZMA variant. An LZMA header starts with a byte encoding some compression properties (typically 5D), a 4 byte dictionary size and an 8 byte uncompressed size. Ingenic’s header is missing compression properties, and the uncompressed size is merely 4 bytes. But even accounting for these differences the stream cannot be decompressed with a regular LZMA decoder.

Luckily, with the algorithm name I found tools on Github that are meant to create firmware images for the Ingenic platform. These included an lzma binary which turned out to be an actual LZMA tool from 2005 hacked up to produce a second compressed stream in Ingenic’s proprietary format.

As I found, Ingenic’s format has essentially two differences to regular LZMA:

Bit order: Ingenic encodes bits within bytes in reverse order. Also, some of the numbers (not all of them) are written to the bit stream in reversed bit order.
Range coding: Ingenic doesn’t do any range coding, instead encoding all numbers verbatim.

That second difference essentially turns LZMA into LZ77. Clearly, the issue here was the complexity of implementing probabilistic range coding in hardware. Of course, that change makes the resulting algorithm produce considerably worse compression ratios than LZMA and even worse than much simpler LZ77-derived algorithms like deflate. And there is plenty of hardware to do deflate decompression. But at least they managed to obfuscate the data…

My original thought was “fixing” their stream and turning it into proper LZMA. But range coding is not only complex but also context-dependent, it cannot be done without decompressing. So I ended up just writing the decompression logic in Python which luckily was much simpler than doing the same thing for LZMA proper.

Note: The following script is minimalistic and wasn’t built for performance. Also, it expects a file that starts with a dictionary size (typically the bytes 00 00 01 00), so if you have some header preceding it you need to remove it first. It will also happily “uncompress” any trailing junk you might have there.

#!/usr/bin/env python3
import sys

kStartPosModelIndex, kEndPosModelIndex, kNumAlignBits = 4, 14, 4


def reverse_bits(n, bits):
    reversed = 0
    for i in range(bits):
        reversed <<= 1
        if n & (1 << i):
            reversed |= 1
    return reversed


def bit_stream(data):
    for byte in data:
        for bit in range(8):
            yield 1 if byte & (1 << bit) else 0


def read_num(stream, bits):
    num = 0
    for _ in range(bits):
        num = (num << 1) | next(stream)
    return num


def decode_length(stream):
    if next(stream) == 0:
        return read_num(stream, 3) + 2
    elif next(stream) == 0:
        return read_num(stream, 3) + 10
    else:
        return read_num(stream, 8) + 18


def decode_dist(stream):
    posSlot = read_num(stream, 6)
    if posSlot < kStartPosModelIndex:
        pos = posSlot
    else:
        numDirectBits = (posSlot >> 1) - 1
        pos = (2 | (posSlot & 1)) << numDirectBits
        if posSlot < kEndPosModelIndex:
            pos += reverse_bits(read_num(stream, numDirectBits), numDirectBits)
        else:
            pos += read_num(stream, numDirectBits -
                            kNumAlignBits) << kNumAlignBits
            pos += reverse_bits(read_num(stream, kNumAlignBits), kNumAlignBits)
    return pos


def jzlzma_decompress(data):
    stream = bit_stream(data)
    reps = [0, 0, 0, 0]
    decompressed = []
    try:
        while True:
            if next(stream) == 0:           # LIT
                byte = read_num(stream, 8)
                decompressed.append(byte)
            else:
                size = 0
                if next(stream) == 0:       # MATCH
                    size = decode_length(stream)
                    reps.insert(0, decode_dist(stream))
                    reps.pop()
                elif next(stream) == 0:
                    if next(stream) == 0:   # SHORTREP
                        size = 1
                    else:                   # LONGREP[0]
                        pass
                elif next(stream) == 0:     # LONGREP[1]
                    reps.insert(0, reps.pop(1))
                elif next(stream) == 0:     # LONGREP[2]
                    reps.insert(0, reps.pop(2))
                else:                       # LONGREP[3]
                    reps.insert(0, reps.pop(3))

                if size == 0:
                    size = decode_length(stream)

                curLen = len(decompressed)
                start = curLen - reps[0] - 1
                while size > 0:
                    end = min(start + size, curLen)
                    decompressed.extend(decompressed[start:end])
                    size -= end - start
    except StopIteration:
        return bytes(decompressed)


if __name__ == '__main__':
    if len(sys.argv) != 3:
        print(f'Usage: {sys.argv[0]} in-file.jzlzma out-file', file=sys.stderr)
        sys.exit(1)

    with open(sys.argv[1], 'rb') as input:
        data = input.read()
    data = jzlzma_decompress(data[8:])
    with open(sys.argv[2], 'wb') as output:
        output.write(data)

The uncompressed root partition can be fed into the regular cpio tool to get the individual files.

Exotic Ingenic update

There was one update using a completely different format despite also being meant for the Ingenic hardware. This one started with the bytes a5 ef fe 5a and had a SquashFS image at offset 0x3000. The unpacked contents (binwalk will do) don’t look like any of the other updates either: this definitely isn’t a camera, and it doesn’t have a PPPP implementation. Given the HDMI code I can only guess that this is a Network Video Recorder (NVR).

But what about these security issues?

As to those security issues I am glad to report that VStarcam solved the telnet issue:

export PATH=/system/system/bin:$PATH
#telnetd
export LD_LIBRARY_PATH=/system/system/lib:/mnt/lib:$LD_LIBRARY_PATH
mount -t tmpfs none /tmp -o size=3m

/system/system/bin/brushFlash
/system/system/bin/updata
/system/system/bin/wifidaemon &
/system/system/bin/upgrade &

Yes, their startup script really has telnetd call commented out. At least that’s usually the case. There are updates from 2018 that are no longer opening the telnet port. There are other updates from 2025 that still do. Don’t ask me why. From what I can tell the hardcoded administrator credentials are still universally present but these are only problematic with the latter group.

It’s a similar story with the system.ini file that was accessible without authentication. Some firmware versions had this file moved to a different directory, others still have it in the web root. There is no real system behind it, and I even doubt that this was a security-induced change rather than an adjustment to a different hardware platform.

Tarek Ziadé — All I Want for Christmas is a Better Alt Text – Part 1

Context: Improving Alt Text for Firefox

Earlier this year, I built the backend for the local alt text generation feature in Firefox. Nearly half of the images on the web still lack alternative text, creating a major accessibility barrier for screen reader users. The goal of this work is straightforward but ambitious: generate high-quality alt text entirely on device, preserving user privacy while improving access to visual content.

The first implementation focused on PDF.js, primarily as a controlled environment to validate the approach. Now that the runtime performance is good enough, the next step is to generalize this capability across the entire browser so that all web images can benefit from meaningful descriptions. Before that generalization, however, improving accuracy is essential.

From a modeling perspective, the system pairs a Vision Transformer (ViT) with DistilGPT-2, a 182-million-parameter language model that fits under 200 MB once quantized. Improving this system involves multiple, often competing dimensions: bias reduction, description accuracy, and inference speed. This post focuses on the data side of the problem, specifically dataset quality and bias. Part 2 will look at model-level improvements for accuracy and performance.

First Round: Removing Bias with GPT-4o

The original image captions contained several recurring issues:

Gender bias: skateboarders described as “men”, nurses as “women”
Age stereotyping: unnecessary or reductive age descriptors
Offensive or outdated language: culturally insensitive terms that no longer belong in a modern dataset

To address this, I used GPT-4o to systematically transform captions from Flickr30k and COCO, removing demographic descriptors that were not visually required. The resulting datasets are available on Hugging Face (Mozilla/flickr30k-transformed-captions-gpt4o) and were used to train the current Firefox local alt text model.

For more background on this initial effort, see the Mozilla Hacks post and the Firefox blog announcement. This is the model that is currently shipping in Firefox.

Second Round: Measuring What Actually Improved

Qualitative panel testing showed that the transformed captions were generally better received by humans, but that only answered part of the question. What exactly improved, by how much, and what problems remained hidden in the data?

This post documents the second round of work, which focused on building systematic measurement tools to:

Quantify how much bias was actually removed
Verify that transformed captions still describe the images accurately
Identify class imbalance and other structural issues
Lay the groundwork for targeted fixes, including synthetic data generation

When training vision-language models, dataset quality is often treated as a secondary concern compared to architecture or training tricks. In practice, the data is the foundation. If the dataset is biased, noisy, or unbalanced, no amount of fine-tuning will fully compensate.

The Problem Space

After the GPT-4o transformation, several open questions remained:

Did bias removal actually work in a measurable way?
Was semantic meaning preserved during transformation?
Did image–text alignment degrade or improve?
Are some visual concepts severely underrepresented?
Can these checks be repeated reliably for future dataset versions?

Answering these questions requires more than a single score or benchmark.

A Multi-Metric Quality Analysis

I built a dataset quality analysis tool that evaluates four complementary dimensions. The emphasis is on improving the training data itself, rather than compensating for data issues at model time.

1. Image–Text Alignment (CLIP Score)

CLIP provides a convenient proxy for how well a caption matches its corresponding image. By embedding both modalities and computing cosine similarity, I obtain a rough but useful alignment score.

A key improvement in this round was upgrading from CLIP ViT-B/32 to ViT-L/14 @ 336 px. The larger model produces lower absolute scores, but it is significantly more discriminative, making it easier to separate strong alignments from weak ones.

Interpretation guidelines:

Excellent: ≥ 0.35
Good: 0.30–0.35
Fair: 0.25–0.30
Poor: < 0.25

On the transformed dataset, I observe scores of 0.311 with ViT-B/32 (Good) and 0.284 with ViT-L/14 @ 336 px (Fair but more informative).

2. Caption Fidelity (BERTScore)

Removing bias should not come at the cost of semantic drift. To verify this, I used BERTScore with a RoBERTa-large backbone to compare original and transformed captions.

Scores above 0.90 generally indicate that the core meaning is preserved. The transformed dataset achieves 0.904, which falls comfortably in the “excellent” range.

3. Bias Detection Before and After

Bias reduction is only meaningful if it can be measured. I tracked mentions of protected attributes across seven categories, including gender, race or ethnicity, nationality, age, religion, sexual orientation, and disability.

By comparing original and transformed captions on the same samples, I can directly quantify the effect of the transformation. On a 1 000-sample evaluation set, gender mentions dropped from 70 percent to zero, race and ethnicity mentions dropped by 97 percent, and nationality mentions were completely eliminated. Age-related terms remain more common, largely because they are often visually relevant, for example when describing children.

4. Object Distribution and Imbalance

Finally, I analyzed object frequency to identify long-tail problems. Using metrics such as the Gini coefficient and Shannon entropy, the tool highlights severe imbalance: thousands of objects appear only a handful of times.

This analysis automatically produces lists of rare objects and sampling weights that can be used for rebalancing during training.

Using CLIP as a Training Signal

Beyond evaluation, CLIP can also be used to guide training directly. I experimented with a combined loss that adds a CLIP-based alignment term to the standard cross-entropy loss for caption generation.

The intuition is simple: encourage the model to generate captions that are not only fluent, but also visually grounded. Early results suggest modest but consistent gains in CLIP score, at the cost of slower training and higher memory usage.

Running the Quality Analysis

The quality analysis tool integrates directly into the project’s Makefile:

# Quick test (100 samples)
make quality-report-quick

# Full analysis on test split
make quality-report SPLIT=test

# Custom analysis
make quality-report SPLIT=train MAX_SAMPLES=1000 OUTPUT_DIR=./my_reports

Example Dataset Quality Report

Below is an excerpt from the generated quality report for the full Flickr30k transformed dataset. It illustrates how the metrics come together in practice.

================================================================================
                             DATASET QUALITY REPORT
================================================================================

Dataset: Mozilla/flickr30k-transformed-captions-gpt4o
Samples: 31 014

IMAGE–TEXT ALIGNMENT (CLIP)
Score: 0.274 ± 0.036   Assessment: FAIR

CAPTION FIDELITY (BERTScore)
Score: 0.899 ± 0.023   Assessment: GOOD

BIAS DETECTION (Original → Transformed)
Gender:         67% → 0%
Race/Ethnicity: 27% → 1%
Nationality:     1% → 0%
Age:            19% → 17%

OBJECT DISTRIBUTION
Gini coefficient: 0.889
Rare classes (<50 samples): 6 210
================================================================================

The report confirms that the GPT-4o transformation is highly effective at removing demographic bias while preserving meaning. At the same time, it surfaces two remaining issues: only fair image–text alignment and severe class imbalance.

Output Files

The analysis produces the following artifacts:

Directory: quality_reports/
  • summary.json                 - Aggregate metrics in JSON format
  • quality_report.txt           - Human-readable summary report
  • per_example_scores.csv       - Per-sample CLIP, BERT, and bias scores
  • ranked_by_combined.csv       - Samples ranked by combined quality score
  • object_counts.csv            - Object frequency distribution
  • objects_below_50.csv         - Rare / underrepresented objects (≤50 samples)
  • reweighting_probs.csv        - Sampling probabilities for balanced training
  • lorenz_curve.png             - Object distribution inequality visualization
  • top_failures/                - Top failure cases with images and captions

These artifacts make it easy to audit dataset quality, compare runs, and target specific weaknesses.

Key Takeaways

Dataset quality cannot be captured by a single metric
Bias removal can be measured and verified quantitatively
Larger CLIP models are more useful for discrimination, even if absolute scores are lower
Alignment-aware training objectives show promise
Class imbalance remains a major, and solvable, issue

What Comes Next

None of these improvements are shipping yet. They are preparatory steps that make future work safer and more predictable. With solid metrics in place, the next phase is to train improved models, validate gains rigorously, and continue reducing long-tail failures.

The long-term goal remains unchanged: provide high-quality, privacy-preserving alt text for the large fraction of web images that still lack it, and do so in a way that is fair, transparent, and measurable.

References and Resources

Background

Datasets

Metrics

Code

by Tarek Ziade at December 15, 2025 12:00 AM

The Servo Blog — November in Servo: monthly releases, context menus, parallel CSS parsing, and more!

Landing in Servo 0.0.3 and our November nightly builds, we now have context menus for links, images, and other web content (@atbrakhi, @mrobinson, #40434, #40501), vsync on Android (@mrobinson, #40306), light mode for the new tab page (@arihant2math, #40272), plus several web platform features:

<video controls> (@rayguo17, #40578)
<use> in SVG (@WaterWhisperer, #40684)
☢️ ‘font-optical-sizing’ (@simonwuelker, #40829, #40861, #40884)
‘brotli’ in CompressionStream and DecompressionStream (@Taym95, #40842)
‘display-p3-linear’ in CSS color() and color-mix() (@Loirooriol, #40525)
calc() now works in grid layout (@nicoburns, #34846)
ResizeObserver is now enabled by default (@jdm, #40378)

Servo 0.0.3 showing new support for <use> in SVG, <details name>, and context menus

Font variations are now applied in ‘font-weight’ and ‘font-stretch’ (@simonwuelker, #40867), fixing a rendering issue in the Web Engines Hackfest website.

@kkoyung has landed some huge improvements in the SubtleCrypto API, including some of the more modern algorithms in this WICG draft, and a fix for constant-time base64 (@kkoyung, #40334). We now have full support for SHA3-256, SHA3-384, SHA3-512 (@kkoyung, #40765), cSHAKE128, cSHAKE256 (@kkoyung, #40832), Argon2d, Argon2i, Argon2id, ChaCha20-Poly1305, ECDH, ECDSA, and X25519:

Algorithm	deriveBits	exportKey	generateKey	importKey	sign	verify
Argon2d	#40936	n/a	n/a	#40932	n/a	n/a
Argon2i	#40936	n/a	n/a	#40932	n/a	n/a
Argon2id	#40936	n/a	n/a	#40932	n/a	n/a
ChaCha20-Poly1305	n/a	#40948	n/a	#40948	n/a	n/a
ECDH	#40333	#40298	#40305	#40253	n/a	n/a
ECDSA	n/a	#40536	#40553	#40523	#40591	#40557
X25519	#40497	#40421	#40480	#40398	n/a	n/a

<details> now fires ‘toggle’ events (@lukewarlow, #40271), and <details name> is now exclusive, like radio buttons (@simonwuelker, #40314). InputEvent, which represents ‘input’ and ‘beforeinput’ events, now has composed, data, isComposing, and inputType properties (@excitablesnowball, #39989).

(instructions:u)	mean	range	count
Regressions ❌ (primary)	0.4%	[0.1%, 4.3%]	111
Regressions ❌ (secondary)	0.4%	[0.1%, 2.2%]	97
Improvements ✅ (primary)	-1.0%	[-1.3%, -0.7%]	2
Improvements ✅ (secondary)	-0.2%	[-0.3%, -0.0%]	9
All ❌✅ (primary)	0.4%	[-1.3%, 4.3%]	113

target	notes
`aarch64-unknown-linux-musl`	ARM64 Linux with musl 1.2.5
`powerpc64le-unknown-linux-musl`	PPC64LE Linux (kernel 4.19, musl 1.2.5)
`x86_64-unknown-linux-musl`	64-bit Linux with musl 1.2.5

target	std	notes
`arm-unknown-linux-musleabi`	✓	Armv6 Linux with musl 1.2.5
`arm-unknown-linux-musleabihf`	✓	Armv6 Linux with musl 1.2.5, hardfloat
`armv5te-unknown-linux-musleabi`	✓	Armv5TE Linux with musl 1.2.5
`armv7-unknown-linux-musleabi`	✓	Armv7-A Linux with musl 1.2.5
`armv7-unknown-linux-musleabihf`	✓	Armv7-A Linux with musl 1.2.5, hardfloat
`i586-unknown-linux-musl`	✓	32-bit Linux (musl 1.2.5, original Pentium)
`i686-unknown-linux-musl`	✓	32-bit Linux with musl 1.2.5 (Pentium 4)
`riscv64gc-unknown-linux-musl`	✓	RISC-V Linux (kernel 4.20+, musl 1.2.5)

target	std	host	notes
`hexagon-unknown-linux-musl`	✓		Hexagon Linux with musl 1.2.5
`mips-unknown-linux-musl`	✓		MIPS Linux with musl 1.2.5
`mips64-openwrt-linux-musl`	?		MIPS64 for OpenWrt Linux musl 1.2.5
`mips64-unknown-linux-muslabi64`	✓		MIPS64 Linux, N64 ABI, musl 1.2.5
`mips64el-unknown-linux-muslabi64`	✓		MIPS64 (little endian) Linux, N64 ABI, musl 1.2.5
`mipsel-unknown-linux-musl`	✓		MIPS (little endian) Linux with musl 1.2.5
`powerpc-unknown-linux-musl`	?		PowerPC Linux with musl 1.2.5
`powerpc-unknown-linux-muslspe`	?		PowerPC SPE Linux with musl 1.2.5
`powerpc64-unknown-linux-musl`	✓	✓	PPC64 Linux (kernel 4.19, musl 1.2.5)
`riscv32gc-unknown-linux-musl`	?		RISC-V Linux (kernel 5.4, musl 1.2.5 + RISCV32 support patches)
`s390x-unknown-linux-musl`	✓		S390x Linux (kernel 3.2, musl 1.2.5)
`thumbv7neon-unknown-linux-musleabihf`	?		Thumb2-mode Armv7-A Linux with NEON, musl 1.2.5
`x86_64-unikraft-linux-musl`	✓		64-bit Unikraft with musl 1.2.5

Double bottom line	In the world	In Mozilla
Mission	Empower people with tech that promotes agency and choice – make AI for and about people.	Build AI that puts humanity first. 100% of Mozilla orgs building AI that advances the Mozilla Manifesto.
Money	Decentralize the tech industry – and create an tech ecosystem where the ‘people part’ of AI can flourish.	Radically diversify our revenue. 20% yearly growth in non-search revenue. 3+ companies with $25M+ revenue.

Open source AI — for developers	Public interest AI — by and for communities	Trusted AI experiences — for everyone
Focus: grow a decentralized open source AI ecosystem that matches the capabilities of Big AI — and that enables people everywhere to build with AI on their own terms.	Focus: work with communities everywhere to build technology that reflects their vision of who AI and tech should work, especially where the market won’t build it for them.	Focus: create trusted AI-driven products that give people new ways to interact with the web — with user choice and openness as guiding principles.
Early examples: Mozilla.ai’s Choice First Stack, a unified open-source stack that simplifies building and testing modern AI agents. Also, llamafile for local AI.	Early examples: the Mozilla Data Collective, home to Common Voice, which makes it possible to train and tune AI models in 300+ languages, accents and dialects.	Early examples: recent Firefox AI experiments, which will evolve into AI Window in early 2026 — offering an opt-in way to choose models and add AI features in a browser you trust.

Feature area	Supported now	Not yet supported
Email – account setup & folder access	Creating accounts via auto-config with EWS, server-side folder manipulation	–
Email – message operations	Viewing messages, sending, replying/forwarding, moving/copying/deleting	–
Email – attachments	Attachments can be saved and displayed with detach/delete support.	–
Search & filtering	Search subject and body, quick filtering	Filter actions requiring full body content are not yet supported.
Accounts hosted on Microsoft 365	Domains using the standard Microsoft OAuth2 endpoint	Domains requiring custom OAuth2 application and tenant IDs will be supported in the future.
Accounts hosted on-premise	Password-based Basic authentication	Password-based NTLM authentication and OAuth2 for on-premise servers are on the roadmap.
Calendar support	–	Not yet implemented – calendar syncing is on the roadmap.
Address book / contacts support	–	Not yet implemented – address book support is on the roadmap.
Microsoft Graph support	–	Not yet implemented – Microsoft Graph integration will be added in the future.

January 07, 2026

Mozilla Localization (L10N) — Mozilla Localization in 2025

A Year in Data

Pontoon Development

Community

What’s coming in 2026

Thank you!

Ludovic Hirlimann — Are mozilla's fork any good?

Wladimir Palant — Backdoors in VStarcam cameras

Contents

How to recognize affected cameras

Downloading the firmware

Caveats of this survey

VStarcam’s authentication approach

Endpoint protection

Unauthenticated log access

Explicit password leaking via logs

Log uploading

Password-leaking backdoor

Establishing a timeline

The impact

Coordinated disclosure attempt

Recommendations

January 05, 2026

Jonathan Almeida — Rebase all WIPs to the new main

Wladimir Palant — Analysis of PPPP “encryption”

Contents

Mapping keys to effective keys

Redundancies within the effective key

ASCII to the rescue

How large is n?

How many ciphertexts is that?

Understanding the response

Jonathan Almeida — Update jj bookmarks to the latest revision

The Rust Programming Language Blog — Project goals update — December 2025

Canonical Projections

Reasoning

Non-Indirected Containers

Field-by-Field Projections vs One-Shot Projections

Wiki Project

Purpose

Update

autodiff

offload

autodiff:

offload:

Deref / Receiver

derive(CoercePointee)

In-place initialization

Field projections

Updates

Blockers

Status update December 23, 2025

December 31, 2025

This Week In Rust — This Week in Rust 632

December 24, 2025

This Week In Rust — This Week in Rust 631

December 20, 2025

Tarek Ziadé — all the code are belong to claude*

Claude as a serious coding partner

Tuning CLAUDE.md

The slippery slope

Reducing costs

Memory across sessions actually matters

Final thoughts

References

December 19, 2025

Mozilla Privacy Blog — Behind the Manifesto: Moments that Mattered in our Fight for the Open Web (2025)

Firefox Nightly — Closing out 2025 Strong – These Weeks in Firefox: Issue 193

Highlights

Friends of the Firefox team

Volunteers that fixed more than one bug

New contributors (🌟 = first patch)

Project Updates

Add-ons / Web Extensions

Addon Manager & about:addons

WebExtension APIs

DevTools

WebDriver

`Deref` / `Receiver`

`derive(CoercePointee)`