Currently it's a bit of effort of finding the needle in the haystack to figure out whether the output - which either has unsafe or doesn't have the unsafe-code-not-allowed bit on - has been audited in any way, so the information that Geiger spits out can be a bit of a hellscape to understand and thus has less value.
Nor is there a standard workflow to keep track of unsafe code blobs, as to commenting, to enable the maintainers to do the right thing with the unsafe code - everyone does it differently and you have to parse a lot of behind-the-scenes to know what is going on, and even then it probably doesn't give any clear idea.
I've discussed this in Discord #crypto-and-security as well as in the cargo-crev Matrix to come to find and suggest the below.
Findings
There is no easily parseable metadata to get any easy indication of whether unsafe blocks have been audited / reviewed / whatever.
Idea
Define a meta-data flag in the code to allow linkage to an ongoing issue that tracks the relevant unsafe block use, just like the associated safety documentation that Clippy looks out for.
When the meta-data flag that links to an issue has been added to the associated unsafe block, Geiger can validate that the issue linked from the code has been closed.
This would go a long way to allow devs to insert hookpoints for public commenting on any unsafe blocks and for automating the verification that at least some tracking issue is out there...

```rust
#![geiger(unsafe_tracker_base_url = "https://github.com/user/repo/issue/<default_unsafe_issue>")]
#![geiger(unsafe_tracker = "https://github.com/user/repo/issue/<relevant_unsafe_issue>")]
```
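As an added sketch of what the validation step could look like (example code, not cargo-geiger's own): it scans Rust source for `unsafe` sites, pairs each with the proposed `#[geiger(unsafe_tracker = "...")]` attribute, and reports sites with no tracker or whose linked issue is still open. The attribute names come from the proposal above; the adjacency rule and the `is_closed` oracle standing in for a tracker lookup are assumptions.

```rust
// Added prototype (not cargo-geiger code): scan Rust source for `unsafe` and the
// proposed `#[geiger(unsafe_tracker = "...")]` attribute, then cross-check each
// tracker against an issue-state oracle. Attribute names are from the proposal;
// how they are placed and parsed is assumed here.
#[derive(Debug, Clone, PartialEq)]
pub enum Status { Tracked(String), Untracked }

/// Extract the quoted value of `#[geiger(KEY = "VALUE")]` or `#![geiger(...)]`.
fn geiger_attr(line: &str, key: &str) -> Option<String> {
    let t = line.trim();
    if !(t.starts_with("#[geiger(") || t.starts_with("#![geiger(")) { return None; }
    let (k, rest) = t.split_once('(')?.1.split_once('=')?;
    if k.trim() != key { return None; }
    let v = rest.trim().strip_prefix('"')?;
    Some(v.split('"').next()?.to_string())
}

/// `unsafe` as a whole token, so `unsafe_tracker` itself does not match.
fn has_unsafe_token(line: &str) -> bool {
    line.split(|c: char| !(c.is_alphanumeric() || c == '_')).any(|w| w == "unsafe")
}

/// Pair every line containing `unsafe` with its tracker; the attribute must sit
/// on the line directly above it (comments in between are ignored).
pub fn audit(src: &str) -> Vec<(usize, Status)> {
    let mut pending: Option<String> = None;
    let mut out = Vec::new();
    for (n, line) in src.lines().enumerate() {
        if let Some(url) = geiger_attr(line, "unsafe_tracker") {
            pending = Some(url); // the attribute line is not an unsafe site itself
        } else if line.trim_start().starts_with("//") {
            continue; // comment lines neither track nor break adjacency
        } else if has_unsafe_token(line) {
            out.push((n + 1, pending.take().map_or(Status::Untracked, Status::Tracked)));
        } else {
            pending = None;
        }
    }
    out
}

/// Lines still needing attention: untracked sites and sites whose linked issue
/// is still open. `is_closed` stands in for the tracker lookup (keeps this offline).
pub fn report(src: &str, is_closed: &dyn Fn(&str) -> bool) -> Vec<String> {
    audit(src).into_iter().filter_map(|(n, st)| match st {
        Status::Untracked => Some(format!("line {}: unsafe without unsafe_tracker", n)),
        Status::Tracked(u) if !is_closed(&u) => Some(format!("line {}: {} still open", n, u)),
        Status::Tracked(_) => None,
    }).collect()
}
```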