Dawid Ciężarkiewicz
@dpc
Yeah, once people actually have to review their dependency, they will get conscious about it.
We had the discussion about it on r/rust, I think. I have issues open to provide some better recursive metrics etc.
Andrew Gallant
@BurntSushi
yeah, right. i'm still super skeptical to be honest, but i'm giving it an earnest try.
RE: "With reviewing own crates - there's also a value in it, especially if the credentials to github repo and crates.io are shared. This way you rubber stamp that you approve the crate, and it's not e.g. someone maliciously uploading something without the main author noticing it." --- this sounds interesting. could you say more about it? how would someone verify the relationship between github and crates.io?
Dawid Ciężarkiewicz
@dpc
There is no relationship like this right now. What I say is - your crate on crates.io can have shared ownership between 4 people, each of whom could get compromised and try to publish a malicious version. The fact that you yourself have reviewed it (if I have you in my WoT) means that you are at least aware of it being published, and maybe you even compared it with your local copy etc.
The crates.io is a side-feature to help with initial bootstrapping. There is a list of "known crates.io owners" (distinct from the WoT) and one can edit it and filter-out crates that are from known authors. This way you can focus on stuff from less trustworthy authors first, if so you desire.
Since we can't get the whole ecosystem reviewed in one go, we can at least look at the most suspicious crates first.
Ones with high geiger count, unknown authors, custom build scripts and so on.
Andrew Gallant
@BurntSushi
yeah the bootstrapping stuff makes total sense. i get that. i think i grok the other stuff too.
it would be nice if cargo crev could require or at least display whether the user has 2FA enabled for wherever they are hosting their proofs
Dawid Ciężarkiewicz
@dpc
If crates.io provides 2fa info for each user, we could easily do that.
Andrew Gallant
@BurntSushi
no 2FA is probably an immediate downgrade in trust
for me anyway
i think crates.io relies on github, and github provides 2FA. i don't know if it's queryable or not though.
Dawid Ciężarkiewicz
@dpc
The hosting of their proofs is a trickier one, since we don't have a relationship of crates.io user - crev id/url
Andrew Gallant
@BurntSushi
yeah, i guess the extra key from crev makes this hard to exploit.
Dawid Ciężarkiewicz
@dpc
If the username is the same in both, we could do mapping, potentially. Donno. Maybe it's doable. On the other hand - it's a very specific and hardcoded datapoint, that could get broken in many ways. Also - would be nice to support other registries.
Andrew Gallant
@BurntSushi
even if an attacker gets access to someone's github account, the worst they could do is upload a new version of a package to crates.io with potentially malicious code in it. but they couldn't publish a review unless they also had that user's crev key.
Dawid Ciężarkiewicz
@dpc
So too much hardcoding for github.com can backfire.
Andrew Gallant
@BurntSushi
yeah makes sense
Dawid Ciężarkiewicz
@dpc
Exactly. Also crev is supposed to require some redundancy, eventually, if there are enough people actually providing proofs.
Andrew Gallant
@BurntSushi
yeah
Dawid Ciężarkiewicz
@dpc
So if you're paranoid, you can just require two or more reviews. Which makes this system rather solid rather quickly.
Andrew Gallant
@BurntSushi
yeah
Dawid Ciężarkiewicz
@dpc
Got to go now. I should be around later today. Please share your crev publish repo, so I can add it to my WoT. :)
Andrew Gallant
@BurntSushi
thanks for answering my questions! i'm headed to bed soon. here are my proofs so far: https://github.com/BurntSushi/crev-proofs
my goal is to get ripgrep into a state where it's fully trusted.
Dawid Ciężarkiewicz
@dpc
I've pushed the parallel dependency scanning. It's much, much faster now.
Dawid Ciężarkiewicz
@dpc
Also the unclean stuff should be better.
Dawid Ciężarkiewicz
@dpc
dpc/crev#230 cargo crev recommend idea.
Dawid Ciężarkiewicz
@dpc
Ehhh... This new id subcommand is bugging me by its inconsistency. I agree that it is probably more discoverable, but the fact that everything is verb noun and this one is noun verb is so meh. :D
matrixbot
@matrixbot
dpc https://github.com/crev-dev - and so we move into github organization; expect some links and stuff like this to be potentially borked for a while.
Masaki Hara
@qnighy
Hi, I wrote a Japanese article introducing cargo-crev https://qiita.com/qnighy/items/34bed9dbd826dc76d3ba -- perhaps no one here is interested in the article itself but I hope it results in more people's involvement.
matrixbot
@matrixbot
dpc That is so awesome!
dpc I'll check Google translate on this later today.
Masaki Hara
@qnighy
My friend also tried cargo-crev and found a bug during review: Robbepop/string-interner#9
matrixbot
@matrixbot
dpc That's a serious bug. So great to see people finding bugs.
matrixbot
@matrixbot
dpc Probably a good idea to file a rustsec advisory and a crev one too.
matrixbot
@matrixbot
programmerjake hey, I started a thread evaluating crev on the libre-riscv-dev@lists.libre-riscv.org mailing list: http://lists.libre-riscv.org/pipermail/libre-riscv-dev/2019-August/002562.html
programmerjake you might find that interesting. Luke initially mistakes crev for a code signing and distribution mechanism, so a lot of it may not be useful
matrixbot
@matrixbot
programmerjake feel free to join the conversation on the mailing list if you like: http://lists.libre-riscv.org/mailman/listinfo/libre-riscv-dev
Andrew Gallant
@BurntSushi
that initial response from Luke pretty much makes me want to run in the opposite direction of that mailing list. sorry.
Andrew Gallant
@BurntSushi
yeah, i read the rest of the thread. sorry, do not want to waste my time talking to someone like that.
matrixbot
@matrixbot
programmerjake ok, well, I tried
Andrew Gallant
@BurntSushi
someone else might though
matrixbot
@matrixbot
programmerjake thanks for taking the time to read the messages anyway
matrixbot
@matrixbot

dpc > <@programmerjake:matrix.org> hey, I started a thread evaluating crev on the libre-riscv-dev@lists.libre-riscv.org mailing list: http://lists.libre-riscv.org/pipermail/libre-riscv-dev/2019-August/002562.html

That is sooo interesting! :D

matrixbot
@matrixbot

dpc BTW. I love the orthodox security community... priding themselves on chasing down a rabbit hole of inventing more and more complex bureaucracies, and procedures as ridiculous as signing ceremonies with passports. :D

there's absolutely no links to whitepapers, no links to design documentation, no links to reviews, no links to design reviews or
design discussions.

:D

Thanks to how idiotic their dogma is, they failed to produce anything actually usable in the real world, making themselves just a bunch of "old man yelling at the cloud", while the whole world considers them irrelevant.