wg icon indicating copy to clipboard operation
wg copied to clipboard
verified publisher icon rust-secure-code

Better code authentication on crates.io

Open Shnatsel opened this issue 7 years ago • 3 comments

crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.

Designing a solution for this from scratch or gradually patching for more and more stuff sound like dubious undertakings. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.

Discussion on crates.io issue tracker: https://github.com/rust-lang/crates.io/issues/75

Shnatsel avatar Jan 08 '19 01:01 Shnatsel

Here's a proposal I wrote to use TUF for crates.io signing https://github.com/withoutboats/rfcs/pull/7

tarcieri avatar Jan 08 '19 17:01 tarcieri

I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot parallels here to Notary which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp his effort back up. Are there any current items in progress?

heavypackets avatar Jul 12 '19 07:07 heavypackets

@heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io.

It’s something I’ve been meaning to work on when I have some spare cycles.

tarcieri avatar Jul 12 '19 16:07 tarcieri