Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Crate Owners Security Manual #45

Open
pinkforest opened this issue Jan 6, 2022 · 3 comments
Open

Crate Owners Security Manual #45

pinkforest opened this issue Jan 6, 2022 · 3 comments

Comments

@pinkforest
Copy link

I was wondering what else we could do as a WG to help crate maintainers to keep their crates secure.

This was in combination with some governance stuff I had to sort out at cargo-geiger.

And I was thinking maybe documentation / best practice or "guidelines" could enable the maintainers to do the right things (tm)

It does need a catchy marketable name too! And it should be pleasant, fun and enjoyable to read/consume vs beating the morals.

It should be in story form so people can relate the importance best.

First I am wondering about the scope this thing could potentially cover -

Maybe

  • Thou Shall Not Roll Your Own Crypto
  • All the Badges You Can Eat in your README.md
  • Release Process repo & crates.io
  • Maintenance and handover
  • Dependabot / dependency monitoring and importance of it with stories
  • Unsafe Dark Arts
  • ..... ?

Also we should come up with a simple requirements type checklist to help crate maintainers to test themselves on the above

Every topic should enable the crate maintainer to automate from get-go that encourages good patterns without questions and friction that would deter adoption.

@tarcieri
Copy link
Member

It'd be good to have some best practices documentation for this.

I wonder if there's a place we could upstream this to, like the Rust Book. But perhaps we could start with a Markdown file in this repo.

@carols10cents
Copy link

I don't think the main book is a great place for this content, as the target audience for TRPL is anyone wanting to write any code in Rust, while this content's target audience is anyone who wants to release a crate on crates.io for general usage, a much smaller audience.

It sounds like this would be similar to https://github.com/rust-lang/api-guidelines ; I'm not sure where that is linked from currently.

@8573
Copy link

8573 commented Jul 3, 2022

Some existing (but not necessarily complete) books that seem related (but not quite the same) are

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants