Open link2xt opened 3 months ago
Maybe this overlaps with https://github.com/mozilla/cargo-vet. Essentially I want to have for each dependency a record saying some developer has checked that it is reproducible, or not reproducible but the differences are not important (Cargo.toml formatting etc.) and an issue has been filed.
Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists.
I'm not sure this really stands on the security side. What's stopping someone from sending a PR with all of the newly added dependencies marked as perfectly reproducible only to find out the file had been changed by hand?
Ok, maybe a list of known reproducible crates is not that useful and we can run not on every commit but when Cargo.lock changes, so that it is manageable.
Feature request then is to create a cargo-goggles.lock file with a list of known non-reproducible crates on the first run. Then on rerun remove crates that are not in Cargo.lock anymore and complain if more non-reproducible crates are added, to prevent upgrades from reproducible crates to non-reproducible ones.
cargo-goggles needs a way to store a list of tested reproducible and tested non-reproducible crates next to Cargo.lock so it can be committed to the repository. Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists. Locally developers can run cargo-goggles to update the list, but likely not in CI on every commit because downloading git repositories for all dependencies is too slow and uses git hoster resources unnecessarily.