Stream: wg-secure-code

Topic: obtaining crates.io tokens from subprocesses


Tony Arcieri (Jul 23 2019 at 06:29, on Zulip):

interesting RFC https://github.com/rust-lang/rfcs/pull/2730

Tony Arcieri (Jul 23 2019 at 06:31, on Zulip):

An alternative with better user experience but more limited customization would be for Cargo to provide cross-platform, native integration with the most popular secret storages, for example the system keyring.

Luca Bruno (Jul 24 2019 at 07:10, on Zulip):

https://github.com/hwchen/keyring-rs supports OS-provided user keyrings on Linux/MacOS/Windows.

briansmith (Jul 24 2019 at 20:35, on Zulip):

Is the whole thing still based on shared symmetric secrets, where it is almost easier to send the shared secret to the wrong registry than it is to correctly configure the registry you want?

Tony Arcieri (Jul 24 2019 at 20:38, on Zulip):

it's a bearer credential, and not a pubkey, yes

Tony Arcieri (Jul 24 2019 at 20:38, on Zulip):

cargo tokens, that is

briansmith (Jul 24 2019 at 20:46, on Zulip):

My view is that this design was only temporarily acceptable when there was one registry (crates.io) and now it's untenable. I thought the previous issues already made this pretty clear. Everybody running a custom registry probably has an OAuth provider that they'd prefer to delegate authentication to, which also supports 2FA, AFAICT.

Tony Arcieri (Jul 24 2019 at 20:52, on Zulip):

there are a few threads discussing alternative authentication methods. lots of people said they were going to work on a (Pre-)RFC, but so far I haven't seen one

Tony Arcieri (Jul 25 2019 at 14:37, on Zulip):

TIL https://github.com/rust-lang/rfcs/pull/2730#issuecomment-515068373

Last update: Nov 11 2019 at 22:00UTC