Stream: wg-secure-code

Topic: crates.io identity


Tony Arcieri (Mar 30 2019 at 15:44, on Zulip):

Came upon this issue and was mildly terrified by the nonchalance https://github.com/rust-lang/crates.io/issues/326

Tony Arcieri (May 14 2019 at 16:52, on Zulip):

a proposal to use TLS client certificates for crates.io authentication: https://internals.rust-lang.org/t/ultra-pre-rfc-client-certificates-for-cargo-instead-of-shared-tokens/10173/2

Tony Arcieri (May 14 2019 at 16:53, on Zulip):

(not something I'm particularly enthusiastic about)

DevQps (May 16 2019 at 15:20, on Zulip):

Thanks for sharing! I am wondering if this will go through anytime soon

Tony Arcieri (May 16 2019 at 15:23, on Zulip):

if you follow the thread, almost certainly not

Tony Arcieri (May 16 2019 at 15:24, on Zulip):

it would require Heroku implement some sort of means of passing the TLS peer identity through as an HTTP header

Tony Arcieri (May 16 2019 at 15:24, on Zulip):

there are a few spitball methods of doing that, but it's probably not going to happen any time soon

Tony Arcieri (May 16 2019 at 15:30, on Zulip):

don't get me wrong, I like the spirit of trying to improve the crates.io AuthN story, but it seems like there's a lot of low hanging fruit that isn't happening, and a lot of complex half-baked ideas

DevQps (May 17 2019 at 00:56, on Zulip):

I understand what you mean. Personally I feel we should rather focus on other things as well

Last update: Nov 11 2019 at 22:05UTC