Open kayabaNerve opened 1 year ago
Tools I've identified as potentially worthwhile:
- https://github.com/aquasecurity/trivy
- https://github.com/davidlattimore/cackle
- https://github.com/rust-secure-code/cargo-supply-chain
I'd also like to write code, potentially as a cargo deny extension, for https://github.com/EmbarkStudios/cargo-deny/issues/348. If the commit is available, ideally it's also checked to be on the default branch to ensure visibility.
Our lockfile massively over-reports due to pulling in crates for features unused (it includes blake3 due to cid despite never importing cid with the blake3 feature, and a bunch of garbage thanks to webrtc). I'd appreciate seeing a list of packages based on actual use, so we only have to establish trust levels for those.
We have roughly 1000 dependencies in the Serai node, all of which we have to be sure of.
One of the main things I want to prioritize is reduction of that amount of dependencies, primarily via reduction of Substrate itself (tracked in #28).
If we want to remove all dependency duplication, we're looking at extensive patch sections, or even a MITM git proxy which will auto-patch as we want.
315 would be a great first step to ensuring the actual integrity of crates.
We also need to make sure all crates have their source properly published.
wyz, a dalek dependency, was unpublished on GH for almost a year. And then Substrate hasn't been audited...
If we can't be confident in our supply chain, we probably want to implement a rate limiter to outbound transactions (possibly of independent interest).