
docs: .cargo-checksum.json is not a security mechanism#16966

Merged
Muscraft merged 1 commit into rust-lang:master from weihanglo:comment
May 6, 2026

Conversation

@weihanglo
Member

@weihanglo weihanglo commented May 5, 2026

What does this PR try to resolve?

In today's Cargo meeting, we agreed on adding at least a clarification that `.cargo-checksum.json` is not a security mechanism.

See #t-cargo > adding a comment on `.cargo-checksum.json`

A PR adding an inline comment in .cargo-checksum.json will be submitted separately.

@rustbot
Collaborator

rustbot commented May 5, 2026

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

  • Owners of files modified in this PR: @ehuss, @epage, @weihanglo
  • @ehuss, @epage, @weihanglo expanded to ehuss, epage, weihanglo
  • Random selection from ehuss, epage

@rustbot rustbot added A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 5, 2026
@weihanglo
Member Author

cc @emilyalbini

Member

@Muscraft Muscraft left a comment


Thanks for doing this!

Since this was a request from wg-security-response, I think it would be best to wait for their review before merging to make sure they are happy with the wording and feel it will be helpful in reducing the false-positive report volume.


the checksum of each file in the crate to protect against accidental
modifications.
Each crate in a directory source also has an associated metadata file
`.cargo-checksum.json` that only protects against accidental modifications.
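Review bot: the replacement sentence says the file "only protects against accidental modifications" but never states the point the PR title makes, that `.cargo-checksum.json` is not a security mechanism; since the stated goal is to reduce false-positive security reports, consider making that explicit in the doc line itself, e.g. "`.cargo-checksum.json` that protects against accidental modifications; it is not a security mechanism."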

@samlh samlh May 6, 2026


I think it reads better as "Each crate in a directory source also has an associated metadata file .cargo-checksum.json to protect against accidental modifications."

(the word "only" seems unnecessary and it reads a bit oddly to me - I think mentioning "accidental" modification is enough of a qualifier to make the purpose clear)


Member Author


Updated. Thanks for the suggestion!

Member

@emilyalbini emilyalbini left a comment


Looks good to me, either with the text as-is or with samlh's suggestion.


pull Bot pushed a commit to quansat775-ux/cargo that referenced this pull request May 6, 2026
### What does this PR try to resolve?

Clarify it only protects against accidental modifications and is not a
security mechanism.

Cargo doesn't set `deny_unknown_fields` on the [`Checksum`] struct, so
older Cargo versions will just silently skip the `$comment` key. No
backward compat issue.
However, if external tools reject unknown fields they may have issues.

Also, this adds source diff churn when running `cargo vendor` between
different toolchain versions even when dependencies have no changes.

[`Checksum`]:
https://github.com/rust-lang/cargo/blob/230e325f0b78128d6a005b8fa606b2854f5227db/src/cargo/sources/directory.rs#L68-L79

### How to test and review this PR?

cc rust-lang#16966

And see [#t-cargo > adding a comment on
`.cargo-checksum.json`](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/adding.20a.20comment.20on.20.60.2Ecargo-checksum.2Ejson.60/with/593120043)
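The commit message above makes two claims worth seeing in practice: that the checksum file catches accidental edits to a vendored crate but is not a security mechanism, and that a parser which ignores unknown top-level keys will silently accept an added `$comment` entry. The following is an added example, not Cargo's own code; it assumes the file layout `{"files": {"<relative path>": "<sha256 hex>"}, "package": ...}` and builds a constructed, throwaway crate directory so it runs offline. The third step of `demo()` shows why the file is not tamper evidence: whoever can edit the sources can regenerate the checksum file alongside them and verification passes again.

```python
"""Verify a vendored crate against its .cargo-checksum.json.

Added example (not Cargo's code). Assumed layout:
{"files": {"<relative path>": "<sha256 hex>"}, "package": <hex or null>}
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

CHECKSUM_FILE = ".cargo-checksum.json"


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_checksums(crate_dir: Path, comment: Optional[str] = None) -> None:
    """Regenerate the checksum file from the crate's current contents."""
    files: Dict[str, str] = {}
    for p in sorted(crate_dir.rglob("*")):
        if p.is_file() and p.name != CHECKSUM_FILE:
            files[p.relative_to(crate_dir).as_posix()] = sha256_of(p)
    doc: Dict[str, object] = {"files": files, "package": None}
    if comment is not None:
        # Extra top-level key, as discussed in the PR; consumers that reject
        # unknown fields would choke on it, permissive ones ignore it.
        doc["$comment"] = comment
    (crate_dir / CHECKSUM_FILE).write_text(json.dumps(doc, indent=2))


def verify(crate_dir: Path) -> List[str]:
    """Return the relative paths whose content does not match the file.

    Only the "files" map is consulted; any other top-level key (such as
    "$comment") is ignored, mirroring the permissive parsing the commit
    message describes for older Cargo versions.
    """
    doc = json.loads((crate_dir / CHECKSUM_FILE).read_text())
    mismatched: List[str] = []
    for rel, expected in doc["files"].items():
        p = crate_dir / rel
        if not p.is_file() or sha256_of(p) != expected:
            mismatched.append(rel)
    return mismatched


def demo() -> Dict[str, List[str]]:
    """Constructed scenario in a temp dir:
    1. fresh checksums verify clean (even with a $comment key present);
    2. an edit to src/lib.rs is detected;
    3. regenerating the checksum file makes the edited tree pass again,
       which is why the file is not a security mechanism."""
    with tempfile.TemporaryDirectory() as tmp:
        crate = Path(tmp) / "example-0.1.0"
        (crate / "src").mkdir(parents=True)
        (crate / "Cargo.toml").write_text(
            '[package]\nname = "example"\nversion = "0.1.0"\n')
        (crate / "src" / "lib.rs").write_text("pub fn answer() -> u32 { 42 }\n")

        write_checksums(crate, comment="not a security mechanism")
        clean = verify(crate)

        (crate / "src" / "lib.rs").write_text("pub fn answer() -> u32 { 41 }\n")
        after_edit = verify(crate)

        write_checksums(crate)
        after_regen = verify(crate)
    return {"clean": clean, "after_edit": after_edit, "after_regen": after_regen}


if __name__ == "__main__":
    print(demo())
```

`verify()` reports `["src/lib.rs"]` after the edit and an empty list both before it and after the checksum file is regenerated; integrity against a deliberate change has to come from something outside the crate directory, such as the lockfile checksum or version control over the vendored tree.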
@rustbot
Collaborator

rustbot commented May 6, 2026

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

@Muscraft Muscraft added this pull request to the merge queue May 6, 2026
Merged via the queue into rust-lang:master with commit 8c89c46 May 6, 2026
56 of 58 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label May 6, 2026