Idea: Security advisories as part of crates.io metadata tools and infrastructure #406

Closed
untitaker opened this Issue Aug 22, 2016 · 8 comments · 3 participants

untitaker commented Aug 22, 2016

I originally started this discussion at internals.rust-lang.org and received generally positive feedback. I was told by @Bascule and several people in IRC to open an issue on this tracker. Here's a revised/summarized proposal (not exactly the same as the original one):

  • A new command cargo vuln that marks all existing versions as vulnerable (API on crates.io required for this) and maybe also guides the user through requesting a CVE
  • Cargo would refuse to build such versions unless forced to do so through an override switch defined in the Cargo.toml of the depending crate. (Alternative proposal: Just show a warning)
  • Crates.io should offer an interface for crate authors to keep up-to-date on their dependencies' vulnerabilities.
    • For example, if a package gets marked as vulnerable, crates.io may notify all reverse dependencies' authors by email. This could be enabled by default, but turned off via a setting in the web interface.
    • Another idea would be to only offer a personalized RSS feed for each crate author.
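A toy model of the build-time policy proposed above, written as an added example for this page (it is not code from the issue, from Cargo or from crates.io). It assumes a hypothetical advisory format in which every version of a crate below a "patched" version is vulnerable, reads the name/version pairs out of a Cargo.lock body, and refuses the build for any affected dependency unless the depending crate lists that exact name/version pair in an override set (standing in for the Cargo.toml override switch, whose key is not specified in the proposal). The lockfile, advisories and override entries are all constructed for illustration; real Cargo uses the `semver` crate rather than the three-field parser here.

```rust
// Added example, not Cargo's or crates.io's own code. Models the proposed
// check: versions flagged by an advisory are refused unless overridden.
use std::collections::HashSet;
use std::fmt;

/// major.minor.patch only; pre-release and build tags are not handled.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "1.2.3"; anything else yields None.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
        let v = Version { major: parts.next()??, minor: parts.next()??, patch: parts.next()?? };
        if parts.next().is_some() {
            return None; // more than three components
        }
        Some(v)
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.patch)
    }
}

/// Hypothetical advisory record: every version of `krate` below `patched`
/// is considered vulnerable. Real registries would carry richer ranges.
pub struct Advisory {
    pub krate: &'static str,
    pub patched: Version,
    pub id: &'static str,
}

/// One resolved dependency from Cargo.lock.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct LockedDep {
    pub name: String,
    pub version: Version,
}

/// Extracts the `[[package]]` name/version pairs from a Cargo.lock body,
/// ignoring every other key.
pub fn parse_lock(lock: &str) -> Vec<LockedDep> {
    let mut deps = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(rest) = line.strip_prefix("name = ") {
            name = Some(rest.trim_matches('"').to_string());
        } else if let Some(rest) = line.strip_prefix("version = ") {
            if let (Some(n), Some(v)) = (name.take(), Version::parse(rest.trim_matches('"'))) {
                deps.push(LockedDep { name: n, version: v });
            }
        }
    }
    deps
}

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Ok,
    /// Vulnerable versions present, every one explicitly allowed by the depending crate.
    Overridden(Vec<String>),
    /// Build refused; entries read "name version (advisory id)".
    Refused(Vec<String>),
}

/// The proposed policy: refuse if any locked dependency matches an advisory,
/// unless the depending crate overrides that exact (name, version) pair.
pub fn check_build(deps: &[LockedDep], advisories: &[Advisory],
                   overrides: &HashSet<(String, Version)>) -> Verdict {
    let mut refused = Vec::new();
    let mut overridden = Vec::new();
    for dep in deps {
        for adv in advisories.iter().filter(|a| a.krate == dep.name && dep.version < a.patched) {
            let label = format!("{} {} ({})", dep.name, dep.version, adv.id);
            if overrides.contains(&(dep.name.clone(), dep.version)) {
                overridden.push(label);
            } else {
                refused.push(label);
            }
        }
    }
    if !refused.is_empty() { Verdict::Refused(refused) }
    else if !overridden.is_empty() { Verdict::Overridden(overridden) }
    else { Verdict::Ok }
}

/// Constructed lockfile: "foo" is below its patched version, "baz" is above.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "foo"
version = "0.3.1"

[[package]]
name = "bar"
version = "1.4.0"

[[package]]
name = "baz"
version = "2.0.0"
"#;

/// Constructed advisories with made-up identifiers.
pub fn sample_advisories() -> Vec<Advisory> {
    vec![
        Advisory { krate: "foo", patched: Version::parse("0.3.2").unwrap(), id: "ADV-0001" },
        Advisory { krate: "baz", patched: Version::parse("1.9.0").unwrap(), id: "ADV-0002" },
    ]
}

fn main() {
    let deps = parse_lock(SAMPLE_LOCK);
    let advisories = sample_advisories();
    let mut overrides = HashSet::new();
    println!("{:?}", check_build(&deps, &advisories, &overrides));
    overrides.insert(("foo".to_string(), Version::parse("0.3.1").unwrap()));
    println!("{:?}", check_build(&deps, &advisories, &overrides));
}
```

Two points the model makes visible: the override is keyed on the exact version, so bumping the dependency silently drops the exemption and the check fires again, and the "warning instead of refusal" alternative is just the `Refused` branch printed rather than returned as an error. The check is only as trustworthy as the advisory data it is fed, so in a real implementation the registry response would need the same integrity protection as the crate index itself.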
alexcrichton (Member) commented Aug 23, 2016

Thanks for the report! I'd love to see a feature like this myself, but I think we'd probably want to go the RFC route as it's such a major feature.

untitaker (Author) commented Aug 24, 2016

@alexcrichton I have the work-in-progress at https://github.com/untitaker/rfcs/blob/security-advisories/text/0000-security-advisories.md. The last three sections are not written yet, so I'll not file a PR yet.

  • I consider Summary, Motivation and Detailed Design to be complete for my standards, but I haven't given much thought to it yet. I don't think it has to be described how the Crates.io API should look, but I considered specifying the UX for this important. Unsure about the way I specified it though.
  • Drawbacks: Danger of duplicating CVEs maybe?
  • Alternatives: List similar concepts in other ecosystems: Ruby Advisory Database, npm deprecate, and why this command is specifically for vulnerabilities. Do I have to rationalize every UX decision?
  • Unresolved questions:
    • How the tooling around this API should look.
      • Should crates.io notify authors of reverse dependencies by email (scraped from GitHub)?
      • Should there be an RSS feed? (IMO no, as RSS is not a reliable notification system for technical reasons: if an RSS reader updates infrequently, items may be missed.)
      • How do we expose this API to third-party developers? Ideally they should not need to install cargo to use the API.
untitaker (Author) commented Aug 24, 2016

I'll close this for now, let's continue discussion at Discourse.

untitaker closed this Aug 24, 2016

alexcrichton (Member) commented Aug 24, 2016

Ok!

tarcieri (Contributor) commented Sep 3, 2016

@untitaker where are you discussing this? I'd like to help.

I know I suggested cargo vuln originally, but now I'm thinking cargo advisory might make sense.

untitaker (Author) commented Sep 3, 2016

The discourse forum, but I didn't do much since then.

On 4 September 2016 00:46:34 CEST, Tony Arcieri notifications@github.com wrote:

@untitaker where are you discussing this? I'd like to help.

I know I suggested cargo vuln originally, but now I'm thinking cargo advisory might make sense.


tarcieri (Contributor) commented Sep 3, 2016

@untitaker have you thought about publishing this on the Discourse forum as a pre-RFC? https://github.com/untitaker/rfcs/blob/security-advisories/text/0000-security-advisories.md

untitaker (Author) commented Sep 3, 2016

It is unfinished and most likely will need a rewrite given that I can't sense a lot of support for having a dedicated command for vulnerability disclosure.

Also I'd rather centralize this discussion on Discourse.

On 4 September 2016 01:17:49 CEST, Tony Arcieri notifications@github.com wrote:

@untitaker have you thought about publishing this on the Discourse forum as a pre-RFC? https://github.com/untitaker/rfcs/blob/security-advisories/text/0000-security-advisories.md
