
Better code authentication on crates.io #18

Open

Shnatsel opened this issue Jan 8, 2019 · 3 comments

Comments

@Shnatsel (Member) commented Jan 8, 2019

crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.

Designing a solution for this from scratch or gradually patching for more and more stuff sounds like a dubious undertaking. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.

Discussion on crates.io issue tracker: rust-lang/crates.io#75

@Shnatsel changed the title from "Better code authentication" to "Better code authentication on crates.io" on Jan 8, 2019
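The multi-maintainer release signing the issue asks for is, in TUF terms, a role: a list of authorised key IDs plus a threshold of how many distinct ones must sign. The Go program below is an added example, not crates.io code, not the in-progress Rust TUF implementation and not code from anyone in this thread; it shows the verification logic a registry client or server would run over release metadata. The Targets layout, the key-ID derivation (hex of SHA-256 over the raw public key) and the crate bytes are assumptions made here for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Role is a TUF-style role: which key IDs may sign and how many distinct ones must.
type Role struct {
	KeyIDs    []string
	Threshold int
}

// Signature is one maintainer's Ed25519 signature over the canonical JSON of a Targets.
type Signature struct {
	KeyID string
	Sig   []byte
}

// Targets is an assumed minimal layout (not crates.io's) for metadata describing one release.
type Targets struct {
	Crate, Version, Sha256 string
	Length                 int
}

// KeyID derives a TUF-style key identifier: hex(sha256(raw public key)).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// canonical is the exact byte string signed and verified (struct fields encode in declaration order).
func canonical(t Targets) []byte {
	b, _ := json.Marshal(t) // cannot fail for a struct of strings and ints
	return b
}

// Sign produces one maintainer's signature over the release metadata.
func Sign(t Targets, priv ed25519.PrivateKey) Signature {
	return Signature{KeyID: KeyID(priv.Public().(ed25519.PublicKey)), Sig: ed25519.Sign(priv, canonical(t))}
}

// VerifyThreshold returns how many distinct role-authorised keys validly signed t, with an
// error when that is below role.Threshold. A keyid outside the role counts for nothing, a keyid
// counts at most once however many signatures it supplied, and each signature must verify
// over the exact canonical bytes, so any edit after signing invalidates it.
func VerifyThreshold(t Targets, sigs []Signature, role Role, keys map[string]ed25519.PublicKey) (int, error) {
	msg, allowed, counted := canonical(t), map[string]bool{}, map[string]bool{}
	for _, id := range role.KeyIDs {
		allowed[id] = true
	}
	for _, s := range sigs {
		pub, known := keys[s.KeyID]
		if allowed[s.KeyID] && known && !counted[s.KeyID] && ed25519.Verify(pub, msg, s.Sig) {
			counted[s.KeyID] = true
		}
	}
	if len(counted) < role.Threshold {
		return len(counted), fmt.Errorf("%d of %d required signatures", len(counted), role.Threshold)
	}
	return len(counted), nil
}

// Scenario puts three fresh maintainer keys in a 2-of-3 role and reports which attempts to
// publish one release are accepted. The crate bytes are constructed sample data.
func Scenario() (map[string]bool, error) {
	keys := map[string]ed25519.PublicKey{}
	role := Role{Threshold: 2}
	var privs []ed25519.PrivateKey
	for i := 0; i < 4; i++ { // keys 0..2 are maintainers; key 3 is an outsider the role never lists
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return nil, err
		}
		keys[KeyID(pub)] = pub
		privs = append(privs, priv)
		if i < 3 {
			role.KeyIDs = append(role.KeyIDs, KeyID(pub))
		}
	}
	crate := []byte("constructed sample .crate contents")
	rel := Targets{Crate: "example-crate", Version: "1.2.3", Sha256: fmt.Sprintf("%x", sha256.Sum256(crate)), Length: len(crate)}
	edited := rel
	edited.Version = "1.2.4" // altered after the maintainers signed rel
	accepted := func(t Targets, sigs ...Signature) bool {
		_, err := VerifyThreshold(t, sigs, role, keys)
		return err == nil
	}
	s0, s1, s3 := Sign(rel, privs[0]), Sign(rel, privs[1]), Sign(rel, privs[3])
	return map[string]bool{
		"one maintainer":   accepted(rel, s0),
		"two maintainers":  accepted(rel, s0, s1),
		"same key twice":   accepted(rel, s0, s0),
		"outsider + one":   accepted(rel, s0, s3),
		"tampered, 2 sigs": accepted(edited, s0, s1),
	}, nil
}

func main() {
	res, err := Scenario()
	fmt.Println(res, err) // expect only "two maintainers" true, err nil
}
```

The cases beyond the happy path are the ones a naive threshold check gets wrong: the same key submitted twice still counts as one maintainer, a valid signature from a key the role does not list adds nothing, and any edit to the metadata after signing voids every signature over it. Real TUF metadata also carries a version, an expiry and its own signed root that authorises the role's keys; this example leaves those out to keep the threshold logic visible.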
@tarcieri (Member) commented Jan 8, 2019

Here's a proposal I wrote to use TUF for crates.io signing withoutboats/rfcs#7

@heavypackets commented

I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot of parallels here to Notary, which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp his effort back up. Are there any current items in progress?

@tarcieri (Member) commented

@heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io.

It’s something I’ve been meaning to work on when I have some spare cycles.
