Rust Programming
cargo-goggles: verify that crates.io releases can be reproduced from the git repository
Jump
PaoloBarbolini 6 months ago • 100%
I'm not completely sure what to do here because many crates seem to get published from the release PR branch, not the main one, so the commit id is usually unreliable anyway.
On one side I want something strict that can't be easily bypassed, on the other if everything's a red flag you'll just ignore it
2
Rust Programming
cargo-goggles: verify that crates.io releases can be reproduced from the git repository
Jump
PaoloBarbolini 6 months ago • 100%
Correct. To be clear, the xz vulnerability shows that this is just a very small step, but it will at least make git repo audits more useful since you will then know that the crates.io release matches.
Unfortunately, the git commit isn't always available, either because of releases made with old versions of cargo, or because maintainers deliberately publish with cargo publish --allow-dirty
or cargo hack --no-dev-deps
4