Closed legoktm closed 2 weeks ago
Actually, @legoktm, can you confirm all of these audits correspond to full reviews of the relevant crates? Some of the notes indicate that they may be trusting based on source (e.g., "Rust project member"), in which case trusted declarations would be more appropriate.
hi @bholley, I double checked and the "Rust Project member" comments only apply to [trusted] entries - let me know of course if we're doing that wrong :)
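For readers unfamiliar with the distinction being discussed, here is an added illustration (not from this PR or from cargo-vet itself) of how a full audit and a trusted entry differ in an `audits.toml`; the crate name, reviewer, user id and dates are placeholders.

```toml
# Added example, not from the PR. Crate name, reviewer, user-id and dates are placeholders.

# A full audit: the reviewer asserts they read all of the crate's code
# (every file, every target) at the stated version.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.org>"
criteria = "safe-to-deploy"
version = "1.2.3"
notes = "Reviewed the whole crate, including build.rs and platform-specific modules."

# A delta audit: only the diff between two versions was reviewed, but the
# entry still claims the complete crate meets the criteria at the new version.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.org>"
criteria = "safe-to-deploy"
delta = "1.2.3 -> 1.2.4"

# A trusted entry: no code review is claimed. The crate is accepted because
# of who published it (e.g. a Rust Project member), limited to a date range.
[[trusted.example-crate]]
criteria = "safe-to-deploy"
user-id = 0 # placeholder crates.io user id
start = "2023-01-01"
end = "2024-12-31"
notes = "Rust Project member."
```

A note such as "Rust Project member" therefore belongs on a `[[trusted.*]]` entry, while an `[[audits.*]]` entry should only be published once the whole crate has actually been read.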
I did a quick scan over your audits, and noticed a few of them have notes mentioning parts of the crate were skipped when auditing (e.g. 1, 2, 3, 4, 5). Published audits should always apply to all code in the crate for all targets.
Perhaps that could be written out more explicitly in the safe-to-deploy built-in criteria description.
> Published audits should always apply to all code in the crate for all targets.
Got it, I think all of these are my own audits so I'll spend a bit of time reviewing the missing bits and updating those audits and then come back here.
Relatedly, I think https://github.com/mozilla/cargo-vet/issues/380 is what we're really looking for.
Closing this PR for now, but please feel free to re-open it once you've gotten around to updating those audits :-)
From https://github.com/freedomofpress/securedrop-supply-chain.
--
We weren't sure if "securedrop" or "freedomofpress" would be preferred; so far all of our audits are specifically for SecureDrop and not other FPF projects.