cargo-goggles: verify that crates.io releases can be reproduced from the git repository (crates.io)

submitted 5 months ago by PaoloBarbolini@lemmy.ml to c/rust@lemmy.ml

5 comments fedilink hide all child comments

you are viewing a single comment's thread
view the rest of the comments

[-] Vorpal@programming.dev 3 points 5 months ago

Yes, obviously there are more ways to hide malicious code.

As for the git commit ID, I didn't see you using it even when it was available though? But perhaps that could be a weakness, if the commit ID used does not match the tag in the repo, that would be a red flag too. That could be worth checking.

[-] PaoloBarbolini@lemmy.ml 2 points 5 months ago

I'm not completely sure what to do here because many crates seem to get published from the release PR branch, not the main one, so the commit id is usually unreliable anyway.

On one side I want something strict that can't be easily bypassed, on the other if everything's a red flag you'll just ignore it

[-] Vorpal@programming.dev 2 points 5 months ago* (last edited 5 months ago)

Hm, that is a fair point. Perhaps it would make sense to produce a table of checks: indicate which checks each dependency fails/passes, and then colour code them with severity.

Some experimentation on real world code is probably needed. I plan to try this tool on my own projects soon (after I manually verified that your crate match your git code (hah! Bootstrap problem), I already reviewed your code on github and it seemed to do what it claims).

this post was submitted on 01 Apr 2024

34 points (97.2% liked)

Rust Programming

7734 readers

2 users here now

founded 5 years ago

MODERATORS

nutomic@lemmy.ml

Joe@lemmy.ml

AgreeableLandscape@lemmy.ml