Stream: wg-secure-code

Topic: Comparing crates.io and GH code?


RalfJ (Aug 28 2019 at 07:39, on Zulip):

Is there an existing tool that can compare the source code uploaded on crates.io with what is on GH? In some cases the author forgot to set a tag so such a tool would be useful to even find out which commit should carry the tag, and otherwise it still seems like something that we probably want to check for when a crate is hosted on GH.

Tony Arcieri (Aug 28 2019 at 16:33, on Zulip):

This sounds like the sort of thing Ben Laurie wants binary transparency for (where source code is... a kind of binary :wink: )

briansmith (Aug 29 2019 at 05:05, on Zulip):

It wouldn't work in general because the crate is allowed to contain things that aren't in GitHub. I do this in ring as I don't check in generated binaries into GitHub but they are in the crate to minimize build dependencies.

Tony Arcieri (Aug 29 2019 at 05:08, on Zulip):

Needs more reproducible builds. Seems close, though, except for the libfaketime bugs.

RalfJ (Aug 29 2019 at 06:51, on Zulip):

> It wouldn't work in general because the crate is allowed to contain things that aren't in GitHub. I do this in ring as I don't check in generated binaries into GitHub but they are in the crate to minimize build dependencies.

Interesting. Yes, generated binaries sound like we need reproducible builds, but I assume those are built from C or so?

Last update: Nov 11 2019 at 22:50 UTC