Lockfile for non-reproducible crates #16

Open
link2xt opened this issue Apr 2, 2024 · 3 comments

Comments

@link2xt
Contributor

link2xt commented Apr 2, 2024

cargo-goggles needs a way to store a list of tested reproducible and tested non-reproducible crates next to Cargo.lock so it can be committed to the repository. Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists. Locally, developers can run cargo-goggles to update the list, but likely not in CI on every commit, because downloading git repositories for all dependencies is too slow and uses git hosting resources unnecessarily.

@link2xt
Contributor Author

link2xt commented Apr 2, 2024

Maybe this overlaps with https://github.com/mozilla/cargo-vet
Essentially I want to have, for each dependency, a record saying that some developer has checked that it is reproducible, or that it is not reproducible but the differences are not important (Cargo.toml formatting, etc.) and an issue has been filed.

@paolobarbolini
Member

paolobarbolini commented Apr 2, 2024

> Then in CI we can check that all packages from Cargo.lock have been tested and are included in one of these lists.

I'm not sure this really stands on the security side. What's stopping someone from sending a PR with all of the newly added dependencies marked as perfectly reproducible only to find out the file had been changed by hand?

@link2xt link2xt changed the title List of exceptions and reproducible crates similar to deny.toml Lockfile for non-reproducible crates Apr 2, 2024
@link2xt
Contributor Author

link2xt commented Apr 2, 2024

OK, maybe a list of known reproducible crates is not that useful, and we can run not on every commit but only when Cargo.lock changes, so that it is manageable.

The feature request, then, is to create a cargo-goggles.lock file with a list of known non-reproducible crates on the first run. Then on each rerun, remove crates that are no longer in Cargo.lock and complain if more non-reproducible crates are added, to prevent upgrades from reproducible crates to non-reproducible ones.
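The reconciliation step proposed in the last comment (write the lockfile on the first run, prune entries that left Cargo.lock, complain about newly non-reproducible crates) as an added Rust example; this is not cargo-goggles code, and the one-`name@version`-per-line file format, the `cargo-goggles.lock` handling and all function names are assumptions made here.

```rust
use std::collections::BTreeSet;

/// Build a crate set from "name@version" strings (constructed sample data only).
pub fn crates(ids: &[&str]) -> BTreeSet<String> {
    ids.iter().map(|s| s.to_string()).collect()
}

/// Result of reconciling an existing cargo-goggles.lock with a fresh run.
#[derive(Debug, PartialEq)]
pub struct Reconciled {
    pub lockfile: BTreeSet<String>,               // what to write back to cargo-goggles.lock
    pub newly_non_reproducible: BTreeSet<String>, // regressions: CI should fail if non-empty
    pub pruned: BTreeSet<String>,                 // recorded entries no longer in Cargo.lock
}

/// `in_cargo_lock`: every package in Cargo.lock; `recorded`: the existing lockfile, or
/// `None` on the first run; `observed`: packages this run found non-reproducible.
/// Keys are "name@version", so upgrading a crate to a non-reproducible release yields
/// a new key and is reported as a regression rather than silently inherited.
pub fn reconcile(
    in_cargo_lock: &BTreeSet<String>,
    recorded: Option<&BTreeSet<String>>,
    observed: &BTreeSet<String>,
) -> Reconciled {
    let empty = BTreeSet::new();
    let recorded_set = recorded.unwrap_or(&empty);
    let pruned: BTreeSet<String> = recorded_set.difference(in_cargo_lock).cloned().collect();
    let kept: BTreeSet<String> = recorded_set.intersection(in_cargo_lock).cloned().collect();
    // First run: nothing to compare against. An existing but empty lockfile is not a
    // first run, so anything observed then is a regression.
    let newly_non_reproducible: BTreeSet<String> = match recorded {
        None => BTreeSet::new(),
        Some(_) => observed.difference(&kept).cloned().collect(),
    };
    let lockfile: BTreeSet<String> = kept.union(observed).cloned().collect();
    Reconciled { lockfile, newly_non_reproducible, pruned }
}

/// Serialise one "name@version" per line, sorted, so the file diffs cleanly in review.
pub fn render(lock: &BTreeSet<String>) -> String {
    lock.iter().map(|s| format!("{}\n", s)).collect()
}

/// Parse the format written by `render`, skipping blank lines and `#` comments.
pub fn parse(text: &str) -> BTreeSet<String> {
    text.lines().map(str::trim)
        .filter(|l| !l.is_empty() && !l.starts_with('#'))
        .map(String::from).collect()
}
```

A CI job would fail when `newly_non_reproducible` is non-empty and otherwise write `render(&lockfile)` back, which also answers the hand-editing concern above: the committed file is only ever regenerated from a real run.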
