rust-secure-code / cargo-supply-chain

Gather author, contributor and publisher data on crates in your dependency graph.
Apache License 2.0

Authors are duplicated if the registry differs #24

Closed jyn514 closed 3 years ago

jyn514 commented 3 years ago
```console
$ cargo supply-chain authors
Alex Crichton <alex@alexcrichton.com>            local
Alex Crichton <alex@alexcrichton.com>            unknown registry
Guillaume Gomez <guillaume1.gomez@gmail.com>     local
Guillaume Gomez <guillaume1.gomez@gmail.com>     unknown registry
Manish Goregaokar <manishsmail@gmail.com>        local
Manish Goregaokar <manishsmail@gmail.com>        unknown registry
```

It might also be nice to deduplicate by the author name, but that's more risky since you don't actually know the same name is the same person. Deduplicating by email would be nice though:

```console
Nicholas Cameron <ncameron@mozilla.com>          local
Nick Cameron <ncameron@mozilla.com>              local
Nick Cameron <ncameron@mozilla.com>              unknown registry
```
Shnatsel commented 3 years ago

I'd actually call it a feature. These are two different package sources after all, and it's important to highlight all the different accounts of those people that you have to trust (e.g. in several different package registries).
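The two comments above pull in different directions: jyn514 wants one row per email address, Shnatsel wants every package source kept visible because each source is a separate account to trust. The following Rust program is an added example, not code from cargo-supply-chain, showing a view that satisfies both: it parses lines in the `Name <email>   source` layout of the output shown above (the layout is assumed from that output, not from the tool's source), groups them by lower-cased email, and keeps the set of distinct name spellings and the set of sources per email. The sample lines are constructed from the output quoted in the issue.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One author row as printed in the issue: display name, email, and the
/// package source the crate was resolved from. Layout assumed from the
/// quoted output, not taken from cargo-supply-chain's own code.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthorLine {
    pub name: String,
    pub email: String,
    pub source: String,
}

/// Parse a line of the form `Name <email>   source`.
/// The source may contain spaces ("unknown registry"), so everything after
/// the closing `>` is taken as the source rather than splitting on whitespace.
/// Returns None for lines that carry no bracketed email or no source.
pub fn parse_author_line(line: &str) -> Option<AuthorLine> {
    let open = line.find('<')?;
    let close = line[open..].find('>')? + open;
    let name = line[..open].trim();
    let email = line[open + 1..close].trim();
    let source = line[close + 1..].trim();
    if email.is_empty() || source.is_empty() {
        return None;
    }
    Some(AuthorLine {
        name: name.to_string(),
        // Emails are case-insensitive in practice; normalise so that
        // "Foo@Example.com" and "foo@example.com" collapse into one row.
        email: email.to_ascii_lowercase(),
        source: source.to_string(),
    })
}

/// Everything known about one email address across the dependency graph:
/// every name spelling seen and every package source it appeared under.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct Identity {
    pub names: BTreeSet<String>,
    pub sources: BTreeSet<String>,
}

/// Deduplicate by email (jyn514's request) while retaining each source
/// (Shnatsel's point): one row per address, but no account is hidden.
pub fn group_by_email(lines: &[AuthorLine]) -> BTreeMap<String, Identity> {
    let mut grouped: BTreeMap<String, Identity> = BTreeMap::new();
    for line in lines {
        let id = grouped.entry(line.email.clone()).or_default();
        id.names.insert(line.name.clone());
        id.sources.insert(line.source.clone());
    }
    grouped
}

/// Render one line per email: `Name / Alt name <email>  [source, source]`.
pub fn render(grouped: &BTreeMap<String, Identity>) -> String {
    let mut out = String::new();
    for (email, id) in grouped {
        let names: Vec<&str> = id.names.iter().map(String::as_str).collect();
        let sources: Vec<&str> = id.sources.iter().map(String::as_str).collect();
        out.push_str(&format!(
            "{} <{}>  [{}]\n",
            names.join(" / "),
            email,
            sources.join(", ")
        ));
    }
    out
}

/// Constructed sample: the rows quoted in the issue, concatenated.
pub const SAMPLE: &str = "\
Alex Crichton <alex@alexcrichton.com>            local
Alex Crichton <alex@alexcrichton.com>            unknown registry
Guillaume Gomez <guillaume1.gomez@gmail.com>     local
Guillaume Gomez <guillaume1.gomez@gmail.com>     unknown registry
Manish Goregaokar <manishsmail@gmail.com>        local
Manish Goregaokar <manishsmail@gmail.com>        unknown registry
Nicholas Cameron <ncameron@mozilla.com>          local
Nick Cameron <ncameron@mozilla.com>              local
Nick Cameron <ncameron@mozilla.com>              unknown registry
";

fn main() {
    let lines: Vec<AuthorLine> = SAMPLE.lines().filter_map(parse_author_line).collect();
    print!("{}", render(&group_by_email(&lines)));
}
```

Grouping is keyed on the email only; name spellings are listed side by side rather than used as a merge key, which matches jyn514's caveat that two identical names are not necessarily the same person while two rows with the same email almost certainly are. The source set per row is what a reviewer would actually audit: an address that shows up under both `local` and `unknown registry` is two publishing accounts to trust, not one.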