Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add SecureDrop's aggregated audits to the registry #623

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Add SecureDrop's aggregated audits to the registry #623

wants to merge 1 commit into from
+3 −0

Conversation

legoktm
Copy link

@legoktm legoktm commented Jul 10, 2024

From https://github.com/freedomofpress/securedrop-supply-chain.

--

We weren't sure if "securedrop" or "freedomofpress" would be preferred; so far all of our audits are specifically for SecureDrop and not other FPF projects.

@mystor mystor requested a review from bholley July 11, 2024 17:29
bholley
bholley approved these changes Jul 11, 2024
View reviewed changes
Copy link
Collaborator

@bholley bholley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@bholley
Copy link
Collaborator

bholley commented Jul 11, 2024

Actually, @legoktm , can you confirm all of these audits correspond to full reviews of the relevant crates? Some of the notes indicate that they may be trusting based on source (e.g., "Rust project member"), in which case trusted declarations would be more appropriate.

@legoktm
Copy link
Author

legoktm commented Jul 18, 2024

hi @bholley, I double checked and the "Rust Project member" comments only apply to [trusted] entries - let me know of course if we're doing that wrong :)

@mystor
Copy link
Collaborator

mystor commented Jul 19, 2024

I did a quick scan over your audits, and noticed a few of them have notes mentioning parts of the crate were skipped when auditing (e.g. 1, 2, 3, 4, 5). Published audits should always apply to all code in the crate for all targets.

Perhaps that could be written out more explicitly in the safe-to-deploy built-in criteria description.

@legoktm
Copy link
Author

legoktm commented Jul 26, 2024

Published audits should always apply to all code in the crate for all targets.

Got it, I think all of these are my own audits so I'll spend a bit of time reviewing the missing bits and updating those audits and then come back here.

Relatedly, I think #380 is what we're really looking for.

legoktm added a commit to freedomofpress/securedrop-dev-docs that referenced this pull request Jul 26, 2024
@legoktm
Clarify we need to review all the code in Rust crates
796ecb1 
Per <mozilla/cargo-vet#623 (comment)>.
@legoktm legoktm mentioned this pull request Jul 26, 2024
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bholley bholley bholley approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@legoktm @bholley @mystor