    Jeremy Fitzhardinge
    @jsgf
    Konrad Borowski
    @KonradBorowski_gitlab
    if you specify a real package with exact version and a comment describing this is for RUSTSEC specifically, it should be clear enough i feel like
    if messing with dependencies is a concern, use a very old version of a 0.x library
    like so old that no new package would depend on it
    say safe-transmute 0.4.0 or something
    Tony Arcieri
    @tarcieri
    @jsgf what specifically are you looking to test? handling of new advisories in general? we've had quite a few recently due to the Safety Dance
    the latest RustSec crate supports informational advisories as well
    Jeremy Fitzhardinge
    @jsgf
    The problem I have right now is that none of the crates I'm managing have any advisories at all, so I don't necessarily know whether it's working. It would be useful to have a canary to make sure things are working. Testing whether new advisories are working is a separate thing, but if we're OK with having test advisories at all, then publishing a test advisory - say - every month would help with that (you could alarm on not seeing an expected advisory indicating that something is wrong along the chain).
    @KonradBorowski_gitlab That's fine for a one-off test, but I'm looking at building out some infra for a large organization, and having special ad-hoc rules like "safe-transmute 0.4.0 isn't a real advisory" is hard to communicate effectively. It would be easier to say that "all advisories with the rustsec-test-advisory keyword and category are tests", because you could get a fair intuition about what it means just by looking
    and code/rules implementing that wouldn't look strange
    Tony Arcieri
    @tarcieri
    @jsgf I could potentially add one, with an associated test crate, that you could use to test. I don't think it makes sense to publish an unbounded number of them (in the same way there's only one EICAR string)
    if you want to test it periodically, you can add and remove the test dependency from your Cargo.toml
    Jeremy Fitzhardinge
    @jsgf
    Yeah, one is a good start
    Hanif Ariffin
    @hbina
    are there any crates that still publish a vulnerable version that have a non-vulnerable one? I'm trying to implement a cargo-audit fix but I don't have a test
    Tony Arcieri
    @tarcieri
    @hbina let me publish a test crate for this purpose
    svartalf
    @svartalf
    @tarcieri hey! Are there informational advisories I could see? I'm working on something here and would love to see a live example of them :)
    Tony Arcieri
    @tarcieri
    we just published some of the first ones yesterday
    there's an example
    svartalf
    @svartalf
    Awesome, thanks!
    Tony Arcieri
    @tarcieri
    ooh awesome
    svartalf
    @svartalf
    :)
    I would love to hear your opinion about what data should be shown at the Check page at all
    Tony Arcieri
    @tarcieri
    what you have looks good. if it's an informational advisory you could add another column to that table with the informational advisory type
    svartalf
    @svartalf
    Yep, that's why I wanted to see an informational advisory
    Tony Arcieri
    @tarcieri
    cool
    Tony Arcieri
    @tarcieri
    FYI I just migrated all of the RustSec projects, including the advisory DB repo itself, over to GitHub Actions
    need to look into using it to automate things like publishing the web site from the git repo whenever it's changed
    svartalf
    @svartalf
    @tarcieri yeah, I saw it, we have basically come full circle here now with the actions-rs -> rustsec -> actions-rs
    Tony Arcieri
    @tarcieri
    heh
    svartalf
    @svartalf
    There were some actions to publish data into the GH pages, yet I had not used them, so I could not recommend anything
    Tony Arcieri
    @tarcieri
    yeah that'd be the goal. I was thinking of moving it to a gh-pages branch of the advisory-db repo
    so after there's a successful build on master, there's a deploy step which installs the website generator tool, runs it, and if anything's changed makes a gh-pages commit and pushes it
    svartalf
    @svartalf
    Well, it is possible technically, the problem is to find the right tools for that...
    Tony Arcieri
    @tarcieri
    yeah
    svartalf
    @svartalf
    https://github.com/actions-rs/audit-check/
    Alright, I'm done with a first version
    I even managed to make it work on a schedule, which is basically how it should be used :)
    Tony Arcieri
    @tarcieri
    @dbrgn thanks!
    @svartalf awesome!
    Danilo Bargen
    @dbrgn
    @svartalf nice! I usually integrate cargo audit into all my projects as a CircleCI pipeline step (also running automatically every week). But having it directly on GitHub might be nice for certain projects.
    svartalf
    @svartalf
    @dbrgn thanks :)
    svartalf
    @svartalf
    I hope it would make people a bit more aware of security issues and the fact that CI does not end with the "okay, it builds" step
    simlay
    @simlay
    Hi, if a crate's repo on GitHub gets archived by the owner, would it be appropriate to file an advisory PR for the unmaintained attribute?
    simlay
    @simlay
    https://github.com/maidsafe/crust is the repo and crate in mind. Maybe it got moved to GitLab or something but the crate didn't get edited or republished.
    Tony Arcieri
    @tarcieri
    @simlay sure, particularly if there are alternative crates which provide equivalent functionality you'd like to recommend current users switch to
    simlay
    @simlay
    I wish I had some more alternatives on the matter. I was actually exploring the topic of "peer-to-peer" communication and the crust crate claimed to do this nearly out of the box with some "security" built in.
    Anyway, I'll submit a PR about it being unmaintained.
    Tony Arcieri
    @tarcieri
    perhaps libp2p?