PaoloBarbolini

@PaoloBarbolini@lemmy.ml

PaoloBarbolini OP ,

Correct. To be clear, the xz vulnerability shows that this is just a very small step, but it will at least make git repo audits more useful since you will then know that the crates.io release matches.

Unfortunately, the git commit isn't always available, either because of releases made with old versions of cargo, or because maintainers deliberately publish with cargo publish --allow-dirty or cargo hack --no-dev-deps.

PaoloBarbolini OP ,

I'm not completely sure what to do here because many crates seem to get published from the release PR branch, not the main one, so the commit id is usually unreliable anyway.

On one side I want something strict that can't be easily bypassed; on the other, if everything's a red flag you'll just ignore it.
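As an added example (not code from the posts, from cargo or from crates.io), this is the check the two posts above are talking about: read the commit hash that `cargo publish` records in `.cargo_vcs_info.json` inside the `.crate` tarball, then compare the crate's files with a source tree checked out at that commit (for instance the output of `git archive <sha1>`). It treats the case the first post raises, a crate with no recorded commit, as "no commit recorded" rather than as a match, and since the second post notes that the hash often points at a release-branch commit rather than main, the tree you pass in must be a checkout of exactly that commit, not of the default branch. The sample checkout and crate are constructed inline by `build_sample` (the hash, manifest and source are made up); real input would be a `.crate` downloaded from crates.io and a checkout of the repository. Python is used so the example runs with the standard library alone.

```python
"""Compare a crates.io .crate file with the git commit it claims to come from.

Added example, not code from the post, cargo or crates.io. Standard library
only. The sample crate and checkout built by build_sample() are constructed
for the demo.
"""
import io
import json
import tarfile
import tempfile
from pathlib import Path

# Files cargo generates or rewrites at publish time. They have no exact
# counterpart in git, so they are left out of the byte-for-byte comparison.
GENERATED = {"Cargo.toml", "Cargo.lock", ".cargo_vcs_info.json"}


def read_crate(crate_path):
    """Return {relative path: bytes} for every regular file in the .crate
    (a gzipped tar), with the leading '<name>-<version>/' directory removed."""
    files = {}
    with tarfile.open(crate_path, "r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            rel = member.name.split("/", 1)[1] if "/" in member.name else member.name
            files[rel] = tar.extractfile(member).read()
    return files


def recorded_commit(files):
    """Return (sha1, path_in_vcs) from .cargo_vcs_info.json, or None when the
    crate records no commit. The hash is written by the publisher's cargo and
    nothing on crates.io checks it: it is a pointer to audit, not proof."""
    raw = files.get(".cargo_vcs_info.json")
    if raw is None:
        return None
    info = json.loads(raw)
    sha1 = info.get("git", {}).get("sha1")
    if not sha1:
        return None
    return sha1, info.get("path_in_vcs", "")


def compare_to_tree(files, tree_dir, path_in_vcs=""):
    """Compare crate contents against a source tree checked out at the
    recorded commit. Files in git but excluded from the crate are normal and
    are not reported; files in the crate that are absent from git, or that
    differ, are what an audit cares about. Empty result means it matches."""
    base = Path(tree_dir) / path_in_vcs
    findings = []
    for rel, data in files.items():
        if rel in GENERATED:
            continue
        # cargo keeps the author's manifest unchanged as Cargo.toml.orig
        target = base / ("Cargo.toml" if rel == "Cargo.toml.orig" else rel)
        if not target.is_file():
            findings.append(f"only in crate: {rel}")
        elif target.read_bytes() != data:
            findings.append(f"content differs: {rel}")
    return sorted(findings)


def audit(crate_path, tree_dir):
    """Returns ("no commit recorded", []) when the crate carries no usable
    .cargo_vcs_info.json, otherwise (sha1, findings against tree_dir)."""
    files = read_crate(crate_path)
    info = recorded_commit(files)
    if info is None:
        return "no commit recorded", []
    sha1, path_in_vcs = info
    return sha1, compare_to_tree(files, tree_dir, path_in_vcs)


# Constructed sample data for the demo; none of it is a real crate or commit.
MANIFEST = b'[package]\nname = "demo"\nversion = "0.1.0"\n'
LIB_RS = b"pub fn add(a: u32, b: u32) -> u32 { a + b }\n"
FAKE_SHA1 = "a" * 40


def build_sample(workdir, tamper=False, with_vcs_info=True):
    """Build a fake checkout and a fake .crate; return (crate_path, tree_dir).
    tamper=True puts code in the crate that the checkout does not contain,
    which is exactly the situation a release audit should flag."""
    tree = Path(workdir) / "checkout"
    (tree / "src").mkdir(parents=True)
    (tree / "Cargo.toml").write_bytes(MANIFEST)
    (tree / "src" / "lib.rs").write_bytes(LIB_RS)

    crate = str(Path(workdir) / "demo-0.1.0.crate")
    with tarfile.open(crate, "w:gz") as tar:
        def add(name, data):
            entry = tarfile.TarInfo("demo-0.1.0/" + name)
            entry.size = len(data)
            tar.addfile(entry, io.BytesIO(data))
        add("Cargo.toml", b"# normalized by cargo\n" + MANIFEST)
        add("Cargo.toml.orig", MANIFEST)
        add("src/lib.rs", (LIB_RS + b"pub fn extra() {}\n") if tamper else LIB_RS)
        if tamper:
            add("build.rs", b"fn main() { /* not in git */ }\n")
        if with_vcs_info:
            vcs = {"git": {"sha1": FAKE_SHA1}, "path_in_vcs": ""}
            add(".cargo_vcs_info.json", json.dumps(vcs).encode())
    return crate, str(tree)


def demo(tamper=False, with_vcs_info=True):
    """Build a sample in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as d:
        crate, tree = build_sample(d, tamper=tamper, with_vcs_info=with_vcs_info)
        return audit(crate, tree)


if __name__ == "__main__":
    print("clean:     ", demo())
    print("tampered:  ", demo(tamper=True))
    print("no commit: ", demo(with_vcs_info=False))
```

For a real crate, replace `build_sample` with the downloaded `.crate` and a directory produced by `git archive <sha1> | tar -x` in the upstream repository at the recorded hash; a non-empty `path_in_vcs` (a workspace member) is joined onto that directory automatically. Note that a clean comparison only shows the tarball matches what the publisher says it committed; it says nothing about whether that commit itself is trustworthy, which is the "very small step" the first post describes.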
