Open Shnatsel opened 5 years ago
Here's a proposal I wrote to use TUF for crates.io signing https://github.com/withoutboats/rfcs/pull/7
I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot of parallels here to Notary which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp this effort back up. Are there any current items in progress?
@heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io.
It’s something I’ve been meaning to work on when I have some spare cycles.
crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.
Designing a solution for this from scratch or gradually patching for more and more stuff sound like dubious undertakings. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.
Discussion on crates.io issue tracker: https://github.com/rust-lang/crates.io/issues/75
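The multi-maintainer requirement above maps onto TUF's per-role signature threshold: a metadata file is trusted only when at least `threshold` distinct keys listed for the role have produced valid signatures over it. The following Rust block is an added example, not code from the crates.io proposal or from any TUF implementation; `Role`, `Signature`, `check_threshold` and the pluggable `verify` primitive are assumed names, and the actual signature scheme (Ed25519 in practice) is passed in rather than implemented here so the block runs without dependencies.

```rust
use std::collections::HashSet;

/// A TUF role as it appears in root.json: the key IDs trusted for the
/// role and how many distinct keys must sign before metadata is accepted.
pub struct Role {
    pub keyids: HashSet<String>,
    pub threshold: usize,
}

/// One entry from the "signatures" array of a signed metadata file.
pub struct Signature {
    pub keyid: String,
    pub sig: Vec<u8>,
}

/// Outcome of the threshold check, with the count of distinct valid keys.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    Accepted { valid_keys: usize },
    Rejected { valid_keys: usize, reason: &'static str },
}

/// TUF-style threshold check. `verify(keyid, signed_bytes, sig)` is the
/// signature primitive (assumed interface); the counting rules below are
/// what make "several maintainers" mean several *distinct* keys.
pub fn check_threshold<F>(role: &Role, signed: &[u8], sigs: &[Signature], verify: F) -> Verdict
where
    F: Fn(&str, &[u8], &[u8]) -> bool,
{
    // A threshold of 0 would accept unsigned metadata; one larger than the
    // key list can never be met. Both are configuration errors.
    if role.threshold == 0 || role.threshold > role.keyids.len() {
        return Verdict::Rejected { valid_keys: 0, reason: "unsatisfiable threshold" };
    }
    let mut seen: HashSet<&str> = HashSet::new();
    for s in sigs {
        // Only keys delegated to this role count; a signature from any
        // other key is ignored rather than treated as an error.
        if !role.keyids.contains(&s.keyid) { continue; }
        // A key counts once, however many signatures it contributes.
        if seen.contains(s.keyid.as_str()) { continue; }
        if verify(&s.keyid, signed, &s.sig) {
            seen.insert(&s.keyid);
        }
    }
    if seen.len() >= role.threshold {
        Verdict::Accepted { valid_keys: seen.len() }
    } else {
        Verdict::Rejected { valid_keys: seen.len(), reason: "threshold not met" }
    }
}
```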