@svartalf nice! I usually integrate cargo audit into all my projects as a CircleCI pipeline step (also running automatically every week). But having it directly on GitHub might be nice for certain projects.
@dbrgn thanks :)
I hope it would make people a bit more aware about security issues and the fact that CI does not end with the "okay, it builds" step
Hi, if a crate's repo on GitHub gets archived by the owner, would it be appropriate to file an advisory PR for the unmaintained attribute?
@simlay sure, particularly if there are alternative crates which provide equivalent functionality you'd like to recommend current users switch to
I wish I had some more alternatives on the matter. I was actually exploring the topic of "peer-to-peer" communication and the crust crate claimed to do this nearly out of the box with some "security" built in.
Anyway, I'll submit a PR about it being unmaintained.
hi. a stack overflow in a parsing library is a potential DoS source but nothing critical (in Rust), right?
so, a regular github bug report + maybe a RUSTSEC advisory, right?
@dbrgn heh yeah, I think that may have been the first unmaintained crate advisory
err I guess I was scrolled way up
thanks Gitter Desktop
Gitter is a bit awkward to use sometimes. Some Rust projects like crev and Rust Embedded use Matrix. It's not perfect, but so far it has worked quite well. Maybe that would be an option?
@dbrgn there’s a secure code WG group on Zulip
I’m not a super big fan of Zulip, but it exists...
a bunch of the domain working groups are on one of the two Rust discords, heh
I’m on Matrix for the Embedded WG
so many chat apps
Yep... I'm also on Telegram and Slack and Discord and on two Mattermost instances and on Threema (I work there, so that's a given).
For open source communities Matrix isn't too bad as an IRC successor, since the protocol itself is open and it can be used from different clients. That's not the case with most of the other systems like Gitter, Discord or Zulip. But I understand why Rust is using Discord (since you can create grouped channels).
I’ll care about the multi-client support when Seaglass is actually usable :stuck_out_tongue:
I’m an early Matrix user and I like what they’re trying to do. I have a few things located there too
the E2EE UX is unusably bad though
Agreed. E2EE as an afterthought does not work well. I was highly sceptical when they announced that they'd "add encryption later".
E2EE + Multidevice is a huge mostly unsolved problem. A single long-lived key is good for UX and for authentication but risky. Device keys are bad for UX and for authentication, since nobody will bother to authenticate.
That's why I view Matrix as a public chat network like IRC, then it's ok-ish :)
I'm currently using Riot on desktop and miniVector on Android. I tried Fractal a while ago, but it was still a bit buggy and missed a few features.
Would someone here (e.g. @tarcieri) be interested in holding a 15-30 minute talk about a rustsec related topic (e.g. cargo-audit and the rustsec advisories) at a virtual Rust Zürich meetup, together with another speaker that talks about cargo-crev?
(haha, "cargo-audit and the rustsec advisories" sounds like the name of a blues band...)