Skip to content

Adding a crates.io Security tab #3872

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 8 commits into
base: master
Choose a base branch
from
Open

Adding a crates.io Security tab #3872

wants to merge 8 commits into from
+155 −0

Conversation

@djc
Copy link
Contributor

@djc djc commented Oct 27, 2025
edited by rustbot
Loading

Summary

This RFC proposes that crates.io should provide insight into vulnerabilities and unsound
API surface based on the RustSec advisory database.

Rendered

@djc djc added the T-crates-io Relevant to the crates.io team, which will review and decide on the RFC. label Oct 27, 2025
@djc djc force-pushed the crates-io-security branch from 8017e12 to 0202b53 Compare October 27, 2025 12:16
@djc djc force-pushed the crates-io-security branch from 0202b53 to 80e534c Compare October 27, 2025 12:18
epage
epage reviewed Oct 27, 2025
View reviewed changes
@epage
Copy link
Contributor

epage commented Oct 27, 2025

FYI while I'm a fan of force-pushing, I'd recommend against it for RFCs as the commits regularly get referenced.

epage
epage reviewed Oct 27, 2025
View reviewed changes
epage
epage reviewed Oct 27, 2025
View reviewed changes
text/3872-crates-io-security.md
are about the desirability of the feature, the implementation approach, and the governance
of the source data.

# Future possibilities
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reporting on provenance is related: https://lawngno.me/blog/2024/06/10/divine-provenance.html

The challenge there is setting the right tone of "there are divergences, this needs further investigation" rather than "this is bad!". Unsure if that can be satisfied on a Security tab, or if it needs to be a Health tab or maybe an Insights tab?

@djc
Copy link
Contributor Author

djc commented Oct 27, 2025

FYI while I'm a fan of force-pushing, I'd recommend against it for RFCs as the commits regularly get referenced.

Yes, will stop doing so as I address feedback -- figured getting the RFC number in place was fine for force-pushing.

madsmtm
madsmtm reviewed Oct 27, 2025
View reviewed changes
jieyouxu
jieyouxu reviewed Oct 27, 2025
View reviewed changes
@Turbo87 Turbo87 moved this to For next meeting in crates.io team meetings Oct 31, 2025
carols10cents
carols10cents approved these changes Oct 31, 2025
View reviewed changes
Copy link
Member

@carols10cents carols10cents left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In general, I'm in favor! I think this RFC could be even stronger and more compelling with a few tweaks though :)

fintelia
fintelia reviewed Nov 4, 2025
View reviewed changes
text/3872-crates-io-security.md
Comment on lines +20 to +21
The RustSec advisory database is a curated database of security advisories for Rust crates,
which tracks known vulnerabilities, unsound code, and maintenance status of crates.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One aspect of RustSec is that it's setup to be able to issue advisories without crate author consent and potentially even when the crate author specifically asks not to. By contrast, my impression is that the project has worked hard to avoid "picking winners" or otherwise making value value judgements about crates beyond removing obvious spam/malware. There's currently a (perceived?) degree of separation between RustSec and the Rust project that enables this status quo. Displaying advisories directly on a project's crates.io page would break that.

I think there's value in empowering maintainers to notify their users that some old crate versions contain vulnerabilities. But I'm far less comfortable with having any disputed advisory becoming a permanent badge on a crate's project page or the risk of having RustSec's timelines become de-facto support SLAs that all maintainers are expected to adhere to.

Putting maintainers in control would align with open source projects (including Rust!) becoming CVE numbering authorities so that they can define what counts as a security vulnerability and control what CVEs are filed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@epage epage epage left review comments

@madsmtm madsmtm madsmtm left review comments

@jieyouxu jieyouxu jieyouxu left review comments

@Noratrieb Noratrieb Noratrieb left review comments

@carols10cents carols10cents carols10cents approved these changes

+2 more reviewers

@programmerjake programmerjake programmerjake left review comments

@fintelia fintelia fintelia left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

T-crates-io Relevant to the crates.io team, which will review and decide on the RFC.

Projects

crates.io team meetings
Status: For next meeting

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@djc @epage @carols10cents @programmerjake @fintelia @madsmtm @jieyouxu @Noratrieb