Closed tarcieri closed 5 years ago
Regarding this, here's an issue about RustSec cataloguing standard library vulns:
I'm happy to take on finding historical std vulnerabilities.
On Sun, Oct 14, 2018 at 6:04 PM Tony Arcieri notifications@github.com wrote:
Regarding this, here's an issue about RustSec cataloguing standard library vulns:
RustSec/cargo-audit#46 https://github.com/RustSec/cargo-audit/issues/46
Shall it still have the name "RustSec" even after the merger? I.e. "RustSec is how Rust's security working group is named".
The official name of the working group is the Secure Code Working Group.
I would suggest keeping RustSec's name the same, but using that as the name of the advisory database and tool. Among other things it's in the name of the vulnerability IDs.
Tangential thought – we should reach out to GitHub to see if we can get their security alerts feature working on Rust projects via RustSec
My understanding is GitHub is working on some first-class vulnerability database functionality. I've requested beta access to this when available, but it seems like the easiest way to integrate with something like that going forward.
Since there hasn't been any new response for a while maybe it's best to close this issue now? Maybe it's best to create this issue on the RustSec project itself, or we could try to get people to participate using Zulip or the rustsec.org website?
Just an idea that came to my mind, but can we not move the RustSec repositories to the rust-secure-code group? That way we would probably create a lot more visibility for these projects, since all people inside this working group would likely be seeing them. But it's just a suggestion though!
@DevQps you're right we can probably close this issue as several WG members now regularly participate in RustSec.
I can consider moving the RustSec repos to this org rather than RustSec, but I'm not sure it actually makes sense. I'd agree it would improve overall discoverability, but I think there are other more high value things we could do on that front where time would be better spent, like integrating RustSec into cargo.
The drawback is it has the potential to cause a lot of disruption (e.g. the advisory DB URL is hardcoded into the RustSec crate) and while GitHub has automatic redirection to a point I would hate to wind up leaning on that as a crutch accidentally only to have something forgotten accidentally break because it wasn't properly updated.
@tarcieri Some good points there! I agree with you that it's probably better to focus on other areas. Thanks for linking the Pre-RFC! I will go take a look (Y).
I currently operate and am sole contributor to RustSec, a crates.io vulnerability tracking project:
https://rustsec.org https://github.com/RustSec
During some of the calls we discussed merging RustSec with this group, as I think vulnerability tracking is important to my current understanding of the group's charter.
If you're participating in this WG and would also like to volunteer to be a part of RustSec, please leave a comment in this thread (or if you just want to be a part of RustSec).
Responsibilities (feel free to volunteer for any particular one) are reviewing and curating the vulnerability database, developing the software, potentially taking on tracking of Rust Core vulnerability cataloguing, and working to upstream RustSec into cargo.