
Add a check for crates that do not match the referenced git repository state #644

Open
weiznich opened this issue Mar 30, 2024 · 2 comments
Labels
enhancement New feature or request

Comments

@weiznich

Is your feature request related to a problem? Please describe.
The recent findings in xz-utils, among other things, have shown that backdoors or other vulnerabilities can be introduced by modifying the released source code only (as compared to the checked-in source code in the git repositories).

As cargo publish uses the local copy of the source code, it is open to the same attack vector. crates.io does not perform any validation of the uploaded source code as far as I'm aware. This could be a huge issue, especially for things like proc-macros or build scripts.

Describe the solution you'd like

I would like to see an additional check in cargo deny that allows checking that the released .crate file contains the same source code as the referenced git repository. Cargo embeds this information via a .cargo_vcs_info.json file. It's likely useful to have additional options to configure an allow list and to deny crates without this information.
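The check proposed above, as an added example that is not code from cargo-deny, cargo-goggles or cargo itself: it reads the `sha1` and `path_in_vcs` fields out of `.cargo_vcs_info.json`, then compares every file in the .crate against the repository tree at that commit. For the example the two trees are constructed in-memory maps (path to bytes); a real tool would fill them from the extracted tarball and from `git ls-tree -r <sha1>` (or a checkout) of the repository. The example also handles the files cargo itself generates or rewrites at package time: `.cargo_vcs_info.json` has no counterpart in git, `Cargo.toml` is rewritten into a normalized form (the author's manifest is kept as `Cargo.toml.orig`, which is the one to compare), and `Cargo.lock` may be generated or refreshed. The hand-rolled JSON field extraction is an assumption made to keep the example dependency-free; a real implementation would use serde_json.

```rust
use std::collections::BTreeMap;

/// The two fields of `.cargo_vcs_info.json` the check needs.
#[derive(Debug, PartialEq, Eq)]
pub struct VcsInfo {
    pub sha1: String,
    /// Subdirectory of the repository the crate lives in (empty for the root).
    pub path_in_vcs: String,
}

/// Pull one string value out of the small, flat JSON document cargo writes.
/// Assumption for this example: no escaped quotes inside values.
fn json_string_field<'a>(json: &'a str, key: &str) -> Option<&'a str> {
    let needle = format!("\"{key}\"");
    let after_key = &json[json.find(&needle)? + needle.len()..];
    let value = after_key.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
    let end = value.find('"')?;
    Some(&value[..end])
}

/// Parse `.cargo_vcs_info.json`. `None` means the crate carries no usable
/// provenance, which a deny-by-default policy would reject outright.
pub fn parse_vcs_info(json: &str) -> Option<VcsInfo> {
    Some(VcsInfo {
        sha1: json_string_field(json, "sha1")?.to_string(),
        path_in_vcs: json_string_field(json, "path_in_vcs").unwrap_or("").to_string(),
    })
}

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// The path exists in the repository but the bytes differ.
    Modified(String),
    /// The file is shipped in the .crate but does not exist in the repository tree.
    MissingInRepo(String),
}

/// Compare every file in the .crate against the repository tree at the commit
/// recorded in `info`. Both trees are passed as path -> contents maps.
pub fn compare_crate_to_repo(
    crate_files: &BTreeMap<&str, &[u8]>,
    repo_files: &BTreeMap<&str, &[u8]>,
    info: &VcsInfo,
) -> Vec<Finding> {
    // Crate paths are relative to the crate root; repo paths are relative to
    // the repo root, so prepend path_in_vcs for workspace members.
    let prefix = if info.path_in_vcs.is_empty() {
        String::new()
    } else {
        format!("{}/", info.path_in_vcs.trim_end_matches('/'))
    };
    let mut findings = Vec::new();
    for (crate_path, crate_bytes) in crate_files {
        let repo_rel = match *crate_path {
            // Generated at package time, never present in git.
            ".cargo_vcs_info.json" => continue,
            // cargo rewrites Cargo.toml into a normalized form and keeps the
            // author's manifest as Cargo.toml.orig; compare that one instead.
            "Cargo.toml" => continue,
            "Cargo.toml.orig" => "Cargo.toml",
            // May be generated or refreshed at package time; a policy decision,
            // skipped in this example.
            "Cargo.lock" => continue,
            other => other,
        };
        let repo_path = format!("{prefix}{repo_rel}");
        match repo_files.get(repo_path.as_str()) {
            None => findings.push(Finding::MissingInRepo(crate_path.to_string())),
            Some(repo_bytes) if repo_bytes != crate_bytes => {
                findings.push(Finding::Modified(crate_path.to_string()))
            }
            Some(_) => {}
        }
    }
    findings
}

/// Constructed sample (not a real crate): a workspace member at crates/foo whose
/// published build.rs differs from the committed one and which ships an extra
/// source file that was never committed.
pub fn sample_findings() -> Vec<Finding> {
    let vcs_json = r#"{"git":{"sha1":"0123456789abcdef0123456789abcdef01234567"},"path_in_vcs":"crates/foo"}"#;
    let info = parse_vcs_info(vcs_json).expect("vcs info present");
    let manifest = b"[package]\nname = \"foo\"\nversion = \"0.1.0\"\n";
    let crate_files: BTreeMap<&str, &[u8]> = BTreeMap::from([
        (".cargo_vcs_info.json", vcs_json.as_bytes()),
        ("Cargo.toml", manifest.as_slice()),
        ("Cargo.toml.orig", manifest.as_slice()),
        ("build.rs", b"fn main() { /* extra step not in git */ }\n".as_slice()),
        ("src/lib.rs", b"pub fn f() {}\n".as_slice()),
        ("src/extra.rs", b"// only in the tarball\n".as_slice()),
    ]);
    let repo_files: BTreeMap<&str, &[u8]> = BTreeMap::from([
        ("crates/foo/Cargo.toml", manifest.as_slice()),
        ("crates/foo/build.rs", b"fn main() {}\n".as_slice()),
        ("crates/foo/src/lib.rs", b"pub fn f() {}\n".as_slice()),
    ]);
    compare_crate_to_repo(&crate_files, &repo_files, &info)
}

fn main() {
    for finding in sample_findings() {
        println!("{finding:?}");
    }
}
```

Run as a binary it prints `Modified("build.rs")` and `MissingInRepo("src/extra.rs")`. Note that a matching file list and contents only proves the tarball matches that commit of that repository; it says nothing about whether the commit itself is trustworthy, and the `repository` field in Cargo.toml is still author-controlled, so the allow list the issue asks for is what ties a crate to the repository you expect.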

@weiznich weiznich added the enhancement New feature or request label Mar 30, 2024
@paolobarbolini

We're doing it in https://crates.io/crates/cargo-goggles and I've heard lib.rs is also implementing it. crates.io might get it too at some point.

@Jake-Shadle (Member)

My first preference would be for crates.io to support it, since then everyone would get the benefit rather than just cargo-deny users. In addition, cargo-deny is meant to complete quickly, where the only real bottleneck is cargo fetch and retrieving the advisory database, so there would need to be an acceleration mechanism to make this feasible for cargo-deny. That being said, I have already thought about having a git repo/DB so that licensing information for crates.io crates can be collated in one location, so that users don't need to specify clarifications (as often) and can rather rely on them from machine reading as well as user curation. Part of that would be checksumming files in the source repo while finding the license information, so combining that into one location would be feasible.
