Weekly open source: rsurl grows BitTorrent, puressh takes a security pass
A consolidation week for the pure-Rust stack: the pieces that went public over the last fortnight grew teeth. rsurl picked up a BitTorrent engine and resumable transfers, puressh took a hard security pass (including one critical pre-auth fix), compcol got faster and grew QPACK, and fstool learned cross-filesystem metadata. Two more Go libraries arrived as Rust ports, and a new filesystem landed for AzusaOS.
rsurl: past curl, into BitTorrent
rsurl reached curl
parity last week; this week it went past it (v0.0.6 → v0.0.9).
The headline is a full BitTorrent engine: a concurrent swarm
downloader, magnet metadata over BEP 9 / BEP 10, DHT peer
discovery (BEP 5), endgame mode, inbound seeding with
--seed/--share-ratio, --recheck re-hashing on resume, and
per-peer diagnostics under -v. curl doesn't do torrents — this
is rsurl using the same client spine for a protocol curl never
covered.
Alongside it, downloads became resumable: a shared partial-file
format, single-stream resume (-C -), and resumable parallel
segments (-C - --parallel-segments). The HTTP path also picked
up HTTP/2 PRIORITY weights with runtime pool sizing, TlsInfo +
per-phase timing on h2/h3/pooled HTTPS, a caller-owned
cert-validation hook, and a SameSite/CHIPS cookie surface.
puressh: one critical fix, and a broad pass
puressh (v0.0.5)
spent the week on security, and one finding was critical: a
pre-auth decode that accepted pad_len > packet_length, a
remotely triggerable denial of service before authentication.
That's fixed, along with a rekey-storm guard (epoch-relative
sequence baseline, reset byte counters), a cap on authenticated
shell stdout backlog (memory DoS), and a bounded deferred-rekey
queue.
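The length relationship behind that fix, as an added example (not puressh's code): a framing check for a cleartext SSH binary packet per RFC 4253 section 6, assuming the 8-byte alignment that applies before any cipher is negotiated. The names parse_packet, FrameError and MAX_PACKET_LEN are illustrative.

```rust
// Added example: framing checks for a cleartext SSH binary packet (RFC 4253, section 6).
// parse_packet, FrameError and MAX_PACKET_LEN are illustrative, not puressh's API.
#[derive(Debug, PartialEq)]
pub enum FrameError {
    Truncated,
    BadPacketLength(u32),
    BadPadding { pad_len: u8, packet_length: u32 },
}

/// Assumed cap on packet_length; RFC 4253 asks implementations to handle 35000 bytes.
const MAX_PACKET_LEN: u32 = 35_000;
/// RFC 4253: there must be at least four bytes of padding.
const MIN_PADDING: u8 = 4;

/// Returns the payload slice and the number of bytes consumed from `buf`.
pub fn parse_packet(buf: &[u8]) -> Result<(&[u8], usize), FrameError> {
    if buf.len() < 5 {
        return Err(FrameError::Truncated);
    }
    let packet_length = u32::from_be_bytes([buf[0], buf[1], buf[2], buf[3]]);
    let pad_len = buf[4];
    // Minimum packet is 16 bytes on the wire, and the total must align to 8.
    if !(12..=MAX_PACKET_LEN).contains(&packet_length) || (packet_length + 4) % 8 != 0 {
        return Err(FrameError::BadPacketLength(packet_length));
    }
    // payload_len = packet_length - pad_len - 1. Without this check a peer
    // sending pad_len > packet_length - 1 makes the subtraction underflow.
    let payload_len = (packet_length - 1)
        .checked_sub(u32::from(pad_len))
        .filter(|_| pad_len >= MIN_PADDING)
        .ok_or(FrameError::BadPadding { pad_len, packet_length })? as usize;
    let total = 4 + packet_length as usize;
    if buf.len() < total {
        return Err(FrameError::Truncated);
    }
    Ok((&buf[5..5 + payload_len], total))
}

fn main() {
    // Constructed sample: 3-byte payload, 8 bytes of padding, packet_length 12.
    let good: [u8; 16] = [0, 0, 0, 12, 8, 1, 2, 3, 0, 0, 0, 0, 0, 0, 0, 0];
    // Constructed hostile header: pad_len 200 inside a 12-byte packet.
    let bad: [u8; 16] = [0, 0, 0, 12, 200, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0];
    println!("{:?}", parse_packet(&good));
    println!("{:?}", parse_packet(&bad));
}
```

The header is rejected before any buffer is sized from it, so a hostile pad_len costs the server nothing beyond reading five bytes.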
The rest was the kind of hardening that adds up: gating every
session type through PAM at root before privilege drop, zeroizing
derived session keys / HMAC integrity keys / cleartext passwords
on drop, removing Clone from stateful AEAD/CTR ciphers
(nonce-reuse hardening), encoding the ML-KEM hybrid shared secret
as an SSH string rather than an mpint for the exchange hash,
parsing known_hosts line-by-line so one bad UTF-8 byte can't
empty the store, and sanitizing server-supplied SFTP/SCP names
before they hit a TTY. The FFI layer also gained bytes-path
variants throughout, so non-UTF-8 remote paths round-trip.
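The known_hosts point, as an added example (not puressh's code): whole-file decoding beside per-line decoding over a constructed file with one invalid byte in a comment. An emptied store makes every host look unknown and drops @revoked entries, so the per-line loader skips only the bad line and reports it. KnownHost, load_whole_file and load_per_line are illustrative names, and the whole-file loader is one assumed shape of the failure.

```rust
// Added example: KnownHost, load_whole_file and load_per_line are illustrative
// names, not puressh's API. SAMPLE is constructed; the key blobs are placeholders.
#[derive(Debug, PartialEq)]
pub struct KnownHost {
    pub marker: Option<String>, // @cert-authority or @revoked, if present
    pub hosts: String,
    pub key_type: String,
    pub key_b64: String,
}

fn parse_line(line: &str) -> Option<KnownHost> {
    let line = line.trim();
    if line.is_empty() || line.starts_with('#') {
        return None;
    }
    let mut f = line.split_whitespace().peekable();
    let marker = f.next_if(|t| t.starts_with('@')).map(String::from);
    Some(KnownHost { marker, hosts: f.next()?.into(), key_type: f.next()?.into(), key_b64: f.next()?.into() })
}

/// Fragile shape: decode the whole file at once, so one bad byte loses every entry.
pub fn load_whole_file(raw: &[u8]) -> Vec<KnownHost> {
    match std::str::from_utf8(raw) {
        Ok(text) => text.lines().filter_map(parse_line).collect(),
        Err(_) => Vec::new(),
    }
}

/// Hardened shape: split on raw newlines, decode each line alone, and report the
/// 1-based numbers of lines that were skipped so the caller can warn about them.
pub fn load_per_line(raw: &[u8]) -> (Vec<KnownHost>, Vec<usize>) {
    let (mut entries, mut skipped) = (Vec::new(), Vec::new());
    for (i, line) in raw.split(|&b| b == b'\n').enumerate() {
        match std::str::from_utf8(line) {
            Ok(s) => entries.extend(parse_line(s)),
            Err(_) => skipped.push(i + 1),
        }
    }
    (entries, skipped)
}

pub const SAMPLE: &[u8] = b"a.example.test ssh-ed25519 AAAAPLACEHOLDER1\n\
# caf\xe9 build host\n\
@revoked b.example.test ssh-rsa AAAAPLACEHOLDER2\n";

fn main() {
    println!("whole-file: {} entries", load_whole_file(SAMPLE).len());
    println!("per-line: {:?}", load_per_line(SAMPLE));
}
```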
compcol: faster, plus QPACK and LZFSE v2
compcol (v0.6.2)
took a broad throughput pass and added codecs. On speed: bulk
match-copy across the LZ-family decode loops (lz4/lz5/lzo/snappy,
RAR 1/2/3/5, LHA, zip implode/reduce/shrink), an in-place SA-IS
recursion for the bzip2 BWT, several zstd inner-loop cuts (shared
FSE loads, hoisted tables, faster Huffman literals), and a wider
Brotli Huffman fast-path LUT (9 → 11 bits).
New formats: a real raw LZMA2 encoder (replacing the stub), the LZFSE bvx2 (v2) block decoder with general FSE table construction, and a QPACK (RFC 9204) implementation plus the standalone Huffman / range-coder / MTF / BWT building blocks it sits on — the HTTP/3 header codec that rsurl needs.
fstool: cross-filesystem metadata
fstool (v0.4.15 →
v0.4.17) made metadata portable across its filesystem matrix.
set_attrs is now implemented on FAT32, exFAT, NTFS, XFS, and
HFS+ (each mapping chmod/chown/utimes onto whatever the format
actually supports — e.g. exFAT's lone READ-ONLY bit), so a
cross-filesystem chmod/chown through the shell or repack works
uniformly. It also started storing and surfacing per-file
modification times on FAT/exFAT/HFS+ (including on symlinks and
device nodes), and took its own security pass — bounding
attacker-controlled allocations on malformed images across
ISO 9660 / GRF / DMG, checked LBA arithmetic on GPT, and ".."
stripping in the repack/merge path.
outscript + spotlib: two more Go ports
Two established Go libraries arrived as pure-Rust ports, both on purecrypto:
outscript (port of outscript) generates output scripts, parses/encodes addresses, and builds/signs transactions across networks: the Bitcoin family (p2pkh through p2tr taproot, plus BCH CashAddr, Litecoin, Dogecoin, Namecoin), EVM transactions with ABI encoding, and Solana (transactions, instructions, PDAs), with block-reward math on top.
spotlib (port of
spotlib +
spotproto, wire
compatible with them) implements the Spot secure-messaging
protocol — end-to-end encrypted messages routed through relay
servers that only ever see ciphertext, addressed to key-based
k.<hash> identities. The workspace splits into spotproto (the
wire format) and spotlib (the client), and runs with no async
runtime.
5fs: a filesystem for AzusaOS
5fs — "the 5OS FileSystem",
read "go-F-S" (5 is go in Japanese, after Go-OS, the OS meant to
boot in five seconds) — is a new filesystem built around two
ideas: the filesystem is a movable, resizable object (block and
inode addresses are allocation-group-relative virtual addresses,
so relocating data never rewrites metadata), and adaptive mesh
refinement as the single structural principle at every level —
device map, allocator, extents, directories. It keeps the original
2015 goal too: the kernel lives in physically contiguous blocks at
a superblock-recorded offset, so a bootloader can load it with raw
block reads and no filesystem driver. The week landed the full v2
implementation (journaling, the refinement allocator, extent
trees, hashed directories, online resize/relocation), a gofs
Rust library with mkfs/fsck/debugfs tools, a read-write FUSE mount,
and model-based + crash-recovery + stress test suites. The 2015
C++ prototype was removed.
OxideAV: toward Blu-ray
The framework's optical-disc path filled in around the
DVD reader from W21:
oxideav-aacs
(clean-room AACS decryption — MKB / Unit_Key_RO parsing,
Subset-Difference tree walk, VUK derivation, Title Key unwrap) and
oxideav-mpegts
(an MPEG-TS demuxer built to ingest Blu-ray .m2ts bytes) are the
two pieces a Blu-ray remux needs. Also new this week:
oxideav-riff (the RIFF
chunk-walker under WAV and AVI) and
oxideav-ifc (an IFC /
ISO 16739 BIM reader via a STEP physical-file parser — building
models, a long way from codecs).
Next week
rsurl settles the torrent engine and the resume format. puressh keeps closing findings. compcol's QPACK feeds back into rsurl's HTTP/3. 5fs grows its deferred features (L3 inode slots, truncate reclaim, the kernel boot region).