tarcieri
commented
5 years ago Here's a proposal I wrote to use TUF for crates.io signing https://github.com/withoutboats/rfcs/pull/7
Open Shnatsel opened 5 years ago
tarcieri
commented
5 years ago Here's a proposal I wrote to use TUF for crates.io signing https://github.com/withoutboats/rfcs/pull/7
heavypackets
commented
5 years ago I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot parallels here to Notary which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp his effort back up. Are there any current items in progress?
tarcieri
commented
5 years ago @heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io.
It’s something I’ve been meaning to work on when I have some spare cycles.
crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.
Designing a solution for this from scratch or gradually patching for more and more stuff sound like dubious undertakings. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.
Discussion on crates.io issue tracker: https://github.com/rust-lang/crates.io/issues/75