    svartalf
    @svartalf
    Awesome, thanks!
    Tony Arcieri
    @tarcieri
    ooh awesome
    svartalf
    @svartalf
    :)
    I would love to hear your opinion about what data should be shown at the Check page at all
    Tony Arcieri
    @tarcieri
    what you have looks good. if it's an informational advisory you could add another column to that table with the informational advisory type
    svartalf
    @svartalf
    Yep, that's why I wanted to see an informational advisory
    Tony Arcieri
    @tarcieri
    cool
    Tony Arcieri
    @tarcieri
    FYI I just migrated all of the RustSec projects, including the advisory DB repo itself, over to GitHub Actions
    need to look into using it to automate things like publishing the web site from the git repo whenever it's changed
    svartalf
    @svartalf
    @tarcieri yeah, I saw it, we have basically come full circle here now with actions-rs -> rustsec -> actions-rs
    Tony Arcieri
    @tarcieri
    heh
    svartalf
    @svartalf
    There were some actions to publish data into the GH pages, yet I had not used them, so I could not recommend anything
    Tony Arcieri
    @tarcieri
    yeah that'd be the goal. I was thinking of moving it to a gh-pages branch of the advisory-db repo
    so after there's a successful build on master, there's a deploy step which installs the website generator tool, runs it, and if anything's changed makes a gh-pages commit and pushes it
    svartalf
    @svartalf
    Well, it is possible technically, the problem is to find the right tools for that...
    Tony Arcieri
    @tarcieri
    yeah
    svartalf
    @svartalf
    https://github.com/actions-rs/audit-check/
    Alright, I'm done with a first version
    I even managed to make it work on a schedule, which is basically how it should be used :)
    Tony Arcieri
    @tarcieri
    @dbrgn thanks!
    @svartalf awesome!
    Danilo Bargen
    @dbrgn
    @svartalf nice! I usually integrate cargo audit into all my projects as a CircleCI pipeline step (also running automatically every week). but having it directly on GitHub might be nice for certain projects.
    svartalf
    @svartalf
    @dbrgn thanks :)
    svartalf
    @svartalf
    I hope it would make people a bit more aware of security issues and the fact that CI does not end with the "okay, it builds" step
    simlay
    @simlay
    Hi, if a crate's repo on github gets archived by the owner, would it be appropriate to file an advisory PR for the unmaintained attribute?
    simlay
    @simlay
    https://github.com/maidsafe/crust is the repo and crate in mind. Maybe it got moved to gitlab or something but the crate didn't get edited or republished.
    Tony Arcieri
    @tarcieri
    @simlay sure, particularly if there are alternative crates which provide equivalent functionality you'd like to recommend current users switch to
    simlay
    @simlay
    I wish I had some more alternatives on the matter. I was actually exploring the topic of "peer-to-peer" communication and the crust crate claimed to do this nearly out of the box with some "security" built in.
    Anyway, I'll submit a PR about it being unmaintained.
    Tony Arcieri
    @tarcieri
    perhaps libp2p?
    Danilo Bargen
    @dbrgn
    hi. a stack overflow in a parsing library is a potential DoS source but nothing critical (in Rust), right?
    so, a regular github bug report + maybe a RUSTSEC advisory, right?
    Tony Arcieri
    @tarcieri
    if there’s remote DoS via stack overflow in Prost I think that’s worth an advisory
    Tony Arcieri
    @tarcieri
    @dbrgn worse, stack overflow is a soundness violation on e.g. ARM rust-lang/rust#43241
    so it’s memory corruption / potential RCE :grimacing:
    Danilo Bargen
    @dbrgn
    good point!
    by the way, should "undefined behavior" be a separate advisory category, since it could or could not lead to memory corruption / RCE?
    Tony Arcieri
    @tarcieri
    yeah. I mean ideally we’d move to the CWE categories, but I haven’t had time to make a crate for it
    svartalf
    @svartalf
    Hey! Is there any "yanked" warnings in the advisory db I could test on?
    Tony Arcieri
    @tarcieri
    @svartalf I used prost 6.0.0 in the example image
    there was a recently yanked version of the log crate
    it’s more or less pick any yanked crate and put it in your Cargo.lock
    svartalf
    @svartalf
    @tarcieri aha, rustsec is smart, okay :) I thought that there should be an advisory for that
    Tony Arcieri
    @tarcieri
    yeah, it uses crates-index to check the crates.io index
    svartalf
    @svartalf
    Alright, thanks. I've almost finished fixing the audit-check action and it is time to test now
    Tony Arcieri
    @tarcieri
    nice
    Tony Arcieri
    @tarcieri
    awesome