🦊 🦀 cargo-vet (Mozilla x Rust community)

[beyang]

Collab with Rust community and OpenSSF for Rust usage examples

• Initial call
• TJ's PR
• Working demo
• Mozilla Docs
• Video
• GitHub repo
• Crates page
• #Progress post
• https://twitter.com/jdorfman/status/1559692437777330176

Slack

• #packages
• #mozilla-x-sourcegraph

---

09-30-2022

• Updated Bobby with Eric's status
• Publish Monday?

08-24-2022

• Handed off to Ritza

08-15-2022

• #Progress post
• "Looks like the state of the local project you’re using there is inconsistent, which is causing cargo-vet to choke. Try running cargo update before running cargo vet."
• Fixed it

• regarding precise code intel — I still see search-based results for the handful of crates I’m spot-checking now. Is your expectation that I should now be seeing precise results for crates.io packages?

  • There is this PR to rust-analyzer which will allow us to do cross-repo ( https://github.com/rust-lang/rust-analyzer/pull/12976 ) but that doesn't affect whether every crate will get precise results on sourcegraph. I don't know that we have any current plans to index everything but I can talk to the team if that's the expectation. You can always kick off a job for a particular crate by scheduling one from the root

  • Rest of convo

• Work with "platform section of code Intel" regarding precise code intel on crates

08-11-2022

• Tried out 0.2.0 cli

07-29-2022

• Sent Bobby video of TJ demoing precise code intelligence.

07-28-2022

• Moved Slack channel to "connections" Mozilla // Sourcegraph

07-21-2022

• Fix deployed
• It works (demo)!
• Bobby:
  • "Nice! I just tested with a crate release 1 minute ago and seems to work"
  • "Our current thinking is to get one or two other big-name companies up and running with cargo-vet before we go live with the blog post. We’re working on getting it landed with X now, I’ll keep you posted. You should of course feel free to go ahead and announce the new Sourcegraph capabilities yourself in the interim."
  • Started blog

07-20-2022

• Bobby mentioning Sourcegraph
• https://sourcegraph.com/crates/forest-ds/-/compare/v0.1.3...v0.1.4 (works!)
• Asked Bobby to test it

  this appears to 404: https://sourcegraph.com/crates/xquo@v0.1.1
  (crate was added 2 minutes ago)
  is the generation on-demand rather than periodic?

• Fix https://github.com/sourcegraph/sourcegraph/pull/39179
• Posted to #progress

07-19-2022

• Olaf’s PR was merged 4 hours ago. sg live cloud says it hasn’t been deployed yet.
• https://sourcegraph.com/crates/vhost-user-backend/-/compare/v0.5.0...v0.5.1 (still 404s)

07-14-2022

• https://github.com/sourcegraph/sourcegraph/pull/38811
• Sent to Bobby
• SO CLOSE!!!

07-13-2022

• #Progress announcement
• https://github.com/sourcegraph/sourcegraph/pull/36047#issuecomment-1183020885
• wgpu-types not pulling latest version 0.13.1
• "Have we validated this is a blocking requirement for Mozilla?"
  • Sent #packages bugzilla link
  • https://github.com/mozilla/cargo-vet/issues/260

07-12-2022

• CDN Fix merged · https://github.com/sourcegraph/sourcegraph/pull/38074#pullrequestreview-1034672473
• Updated Bobby
• Olaf: https://github.com/sourcegraph/sourcegraph/issues/37921
• Bugzilla
• the version on crates.io is still a placeholder: https://mozilla.github.io/cargo-vet/install.html
• https://sourcegraph.com/crates/wgpu-types/-/compare/v0.12.0...v0.13.0 (still 404s)

07-11-2022 Update

• https://github.com/sourcegraph/sourcegraph/pull/36047#issuecomment-1180241992
• https://github.com/sourcegraph/sourcegraph/pull/36047#issuecomment-1180398993

---

Success criteria

• Inbound traffic
  • Mozilla blog post
  • Social
  • Show HN

[jdorfman]

Added:

• Working demo
• Feedback on Slack

[jdorfman]

@beyang Updated Feedback on Slack doc

[jdorfman]

@beyang Updated Feedback on Slack doc

[jdorfman]

Note: Olaf is covering for TJ while OOO

[jdorfman]

• "I started looking at TJ's branch yesterday and will continue working on it for the rest of this week."
• Updated Bobby on Slack

[jdorfman]

06-28-2022 updates

You can communicate with the Mozilla representative that we have implemented infrastructure to sync all published crates from github.com/rust-lang/crates.io-index It will take some time to sync all crates so it's normal that many crates don't exist yet. We're starting by adding only the 5k most downloaded crates to see that everything works as expected. You can see the total list of synced crates with the query repo:^crates/ https://sourcegraph.com/search?q=context:global+repo:%5Ecrates/ 900 crates synced now. I think we have too restrictive rate limits causing the slow sync

That’s awesome! Let me know when it’s fully synced and I’ll write a patch to turn it on in cargo-vet I decided against a live demo for tomorrow’s presentation but I’ll include a slide with a Sourcegraph screenshot

[jdorfman]

07-06-2022 updates

We haven't switched to the CDN link yet because we didn't know about it when we first made the PR. We can switch to that soon. (Olaf is out of office this week) — TJ

there is also a WIP PR (that olaf will finish when he's back) that greatly reduces the number of requests that we make which should speed up package syncing greatly (not just for crates), so that will be a major improvement as well (CDN or not) — TJ

well right now we have it set to sync every 12 hours or so I think. We could probably reduce that time after we fix the other items (CDN + less requests) so that within a few hours of being pushed to the git repo, it could be online. I don't think it'd be worth doing more engineering time than that on it yet. How close to real time are we talking? The other option would be if you run lsif-rust or soon scip-rust on a repo, it will automatically add it's deps as soon as possible. So that would be another option to ensure that immediately new versions are available on sg — TJ

cc @beyang

[jdorfman]

07-07-2022 updates

We haven't switched to the CDN link yet because we didn't know about it when we first made the PR. We can switch to that soon.
Almost at the finish line, thanks for your patience :slightly_smiling_face:

Bobby 👍

@Bobby
Could you add ?ref=cargo-vet to the end of each URL? That way in rare cases your users are reporting an issue we can dig in faster. 

• response