-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Better code authentication on crates.io #18
Comments
Here's a proposal I wrote to use TUF for crates.io signing withoutboats/rfcs#7 |
I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot parallels here to Notary which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp his effort back up. Are there any current items in progress? |
@heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io. It’s something I’ve been meaning to work on when I have some spare cycles. |
crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.
Designing a solution for this from scratch or gradually patching for more and more stuff sound like dubious undertakings. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.
Discussion on crates.io issue tracker: rust-lang/crates.io#75
The text was updated successfully, but these errors were encountered: