Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Identifying dependency passlist candidates #137

Open
workingjubilee opened this issue Dec 10, 2022 · 0 comments
Open

Identifying dependency passlist candidates #137

workingjubilee opened this issue Dec 10, 2022 · 0 comments
Labels
fn-builder safety

Comments

@workingjubilee
Copy link
Contributor

We can imagine a list of requirements for "is this crate safe to build as a dependency?" in a very low-trust user environment. Throwing some darts at the wall, meeting the following requirements would make it easy to justify building a given crate as a dependency for a PL/Rust function:

  • Does not have a build.rs
  • Is not a proc macro
  • Compiles while forbidding unsafe code
  • Is not in the RustSec Advisory Database
  • Meets certain licensing requirements?
  • Some other requirements I am not thinking of currently
  • ...for all transitive dependencies

We may want to also figure out how to more finely grade crates than "yes or no" and generate, essentially, a "safety recommendation" for a given crate as to whether it should be added to the passlist. In a higher-trust environment, as determined by the installing superuser DBA (who, remember, is the ultimate human source of trust for both PL/Rust and credentials to the database thus what they say is trustworthy is), the DBA may want to dial a threshold for automatic acceptance.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
fn-builder safety
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@workingjubilee