We are looking for a solution on how to communicate which crates were audited and which were not. For example the broker pallet is not audited, but how to communicate this? There are several approaches so far: A. Code hash signing from RFC: trustless in-code auditing annotations Downside: Only w…

Without knowing the options I would have proposed the versioning scheme which is pretty straight forward and explicit, people installing a crate can immediately tell from the version but relying on the same trusted entity to publish crates with the right tag can be tricky. cargo crev looks promisin…

Yea, (ab)using the versioning scheme has the advantage of clear visibility, but it does not play well with the standard semver rules since it is not treated as a proper release. Alternatively to the cargo-crev there are also: cargo-vet from Mozilla cargo-audit from RustSec Guess we will have to …

[image] OliverTY: C. Specific versioning scheme like 1.0.0-unaudited. I am not sure familiar with all the other options, but once looking into the problem we have, and the possible solutions, this seemed to me to be the best bang for our buck. It will solve the issue, and is pretty simple. T…

I’d be extremely interested, and would love to see, Parity adopt crev/vec over the polkadot-sdk repo and publish not only crev/vet statements for their tags, yet have any external researchers they work with do so (not to mention host statements from ecosystem projects who spend the time to review pa…

[image] tomaka: cargo-crev is meant to spot security vulnerabilities or unsoundness. crev’s primary use case is to build a web of trust of code reviews. From their docs, Crev is a system for verifying security and reliability of dependencies based on collaborative code reviews.

crev wants to build a web of trust of code reviews, with the objective of spotting security vulnerabilities or unsoundness. Every single piece of information in their README points towards this objective. Would it for example be appropriate for a pallet crate to get red flagged by crev because its…

Thanks for bringing up this topic. The Parity AppSec team has been working on a proposal for a while, and it’s published here . It would be great to have your attention and feedback.

Rust crate auditing across the ecosystem

Tech Talk

tomaka November 10, 2023, 1:54pm 6

cargo-crev is meant to spot security vulnerabilities or unsoundness.
This is a very different use case than what auditors audit in Substrate. It is not the right tool.

Topic		Replies	Views
Security Audit Log and Tracking security	2	934	March 11, 2024
RFC: trustless in-code auditing annotations Tech Talk frame	5	808	December 5, 2022
Polkadot Summit 24' - Ecosystem Audit Log and Tracking & Ecosystem Vulnerability Disclosure Ecosystem polkadot-summit	0	191	April 3, 2024
Publish Substrate to crates.io Tech Talk	44	2383	March 11, 2024
Scouting Vulnerabilities and Detection Techniques in Substrate Ecosystem security	3	694	March 18, 2024

Rust crate auditing across the ecosystem

Related topics