Stream: wg-secure-code

Topic: Cargo token disclosure vulnerability


briansmith (Jan 29 2019 at 00:23, on Zulip):

See https://github.com/rust-lang/cargo/issues/6545. To me it looks like the root cause is the lack of association between the token and the expected audience of the token; i.e. the tokens aren't directed or labeled appropriately. It might be something where this group could be useful in coming up with a good long-term solution.

Tony Arcieri (Jan 29 2019 at 00:31, on Zulip):

audience confusion strikes again

Last update: Nov 11 2019 at 22:00 UTC