mozilla-services / autopush-rs

Push Server in Rust
Mozilla Public License 2.0

Update the websec-check Rust checklist #355

Open data-sync-user opened 1 year ago

data-sync-user commented 1 year ago

Not specific to PushBackend but we should update https://github.com/mozilla-services/websec-check/blob/main/rust.md

Particularly the Recommended crates could use an update (e.g. add tracing along with slog, remove hyper or specify it’s lower level, etc). We could link to our Actix-web Project skeleton but it’s a little out of date currently.


data-sync-user commented 1 year ago

➤ Philip Jenvey commented:

We could link to the common-rs repo as a good place for smaller crates shared between different services.

Alternatively we could pull the crate recommendations out into a separate doc, linked from the checklist.

data-sync-user commented 1 year ago

➤ Philip Jenvey commented:

We could also begin using cargo vet and maintaining our own audit list.

Mozilla maintains one (https://github.com/mozilla/supply-chain) already but it’s oriented towards client Rust code.

Google’s also recently published theirs (https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html).