mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Add SecureDrop's aggregated audits to the registry #623

Closed legoktm closed 2 weeks ago

legoktm commented 3 months ago

From https://github.com/freedomofpress/securedrop-supply-chain.

--

We weren't sure if "securedrop" or "freedomofpress" would be preferred; so far all of our audits are specifically for SecureDrop and not other FPF projects.

bholley commented 3 months ago

Actually, @legoktm , can you confirm all of these audits correspond to full reviews of the relevant crates? Some of the notes indicate that they may be trusting based on source (e.g., "Rust project member"), in which case trusted declarations would be more appropriate.

legoktm commented 3 months ago

Hi @bholley, I double checked and the "Rust Project member" comments only apply to [trusted] entries - let me know of course if we're doing that wrong :)

mystor commented 3 months ago

I did a quick scan over your audits, and noticed a few of them have notes mentioning parts of the crate were skipped when auditing (e.g. 1, 2, 3, 4, 5). Published audits should always apply to all code in the crate for all targets.

Perhaps that could be written out more explicitly in the safe-to-deploy built-in criteria description.
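To make the two points raised in this thread concrete (a full audit versus a trusted declaration, and why an audit whose notes record skipped code should not be published), here is an added example in cargo-vet's audits.toml format. It is not taken from SecureDrop's supply-chain repository; the crate name, reviewer, versions and user-id are placeholders.

```toml
# Added example, not from the SecureDrop registry. Crate name, reviewer,
# versions and user-id are placeholders.

# An audit entry asserts that the named reviewer read the whole crate at this
# version, for every target. A note that carves out part of the crate, like the
# one below, records a partial review and should not be published as
# safe-to-deploy until the skipped parts have been reviewed.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.org>"
criteria = "safe-to-deploy"
version = "1.2.0"
notes = "Skipped the Windows-specific module."   # partial review: not publishable

# The same entry once the remaining code has been reviewed: the note no longer
# excludes anything, so the audit covers all code for all targets.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.org>"
criteria = "safe-to-deploy"
version = "1.2.0"
notes = "Reviewed all modules, including the Windows-specific one."

# A later release can be covered by a delta audit, which only requires
# reviewing the diff against the already-audited version.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.org>"
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.3.0"
notes = "Reviewed the full diff; no new unsafe code or build-script changes."

# When the basis for confidence is who published the crate (e.g. a Rust
# Project member) rather than a review of its code, record a trusted
# declaration instead of an audit. user-id is the publisher's crates.io id
# (placeholder here) and the date range bounds how long the trust applies.
[[trusted.example-crate]]
criteria = "safe-to-deploy"
user-id = 123456 # placeholder crates.io user id
start = "2023-01-01"
end = "2025-01-01"
```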

legoktm commented 3 months ago

> Published audits should always apply to all code in the crate for all targets.

Got it, I think all of these are my own audits so I'll spend a bit of time reviewing the missing bits and updating those audits and then come back here.

Relatedly, I think https://github.com/mozilla/cargo-vet/issues/380 is what we're really looking for.

mystor commented 2 weeks ago

Closing this PR for now, but please feel free to re-open it once you've gotten around to updating those audits :-)