Add lint(s) for git sources #235

Closed
Jake-Shadle opened this issue Aug 5, 2020 · 2 comments · Fixed by #237
Labels: enhancement (New feature or request)

Jake-Shadle (Member) commented Aug 5, 2020

When using a git repository as a crate source, by default it will just pull the HEAD of the default branch from the URL given whenever the lockfile is updated, which is basically the same as having a wildcard dependency on the crate, which we recently added a check for, except it's even worse since it can pull code that hasn't even been released yet.

Cargo allows specifying branch, tag, and rev to give more control over what code to pull from the git repo, but of these, really only rev is a precise identifier, as branch has similar problems to the default behavior, as well as tag, as tags can be moved to different commits between lockfile updates, though this is a lesser concern.

For our projects we mandate that any git dependencies use a rev specifier, both for sanity, as well as to get the most benefit from cargo-fetcher, but we don't actually lint for this, and it would fit in nicely with the existing sources check.
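As an added illustration of the lint proposed above (this is example code, not cargo-deny's implementation or the fix in #237): it reads the dependency tables of a Cargo.toml, classifies every git source by what it is pinned to (nothing, branch, tag, or rev, in that order of precision) and reports those below a configurable minimum, so the same code expresses both "must be rev" and the weaker "at least tag". To run without external crates it uses a small hand-rolled reader covering the two usual spellings of a git dependency (`name = { git = "...", rev = "..." }` and a `[dependencies.name]` table); a real implementation would use a TOML parser. The manifest and its example.invalid URLs are constructed for the example.

```rust
// Added example, not cargo-deny's own code: a minimal "git sources must be
// pinned" lint over a Cargo.toml, using a deliberately small hand-rolled
// reader instead of a TOML crate so it runs stand-alone.

/// What a git dependency is pinned to, ordered from least to most precise.
#[derive(Debug, Clone, Copy, PartialEq, PartialOrd)]
pub enum Spec {
    Default, // no branch/tag/rev: HEAD of the default branch at lock time
    Branch,  // moves with every push to the branch
    Tag,     // stable by convention, but tags can be moved
    Rev,     // an exact commit: the only identifier that cannot drift
}

#[derive(Debug, PartialEq)]
pub struct GitSource {
    pub name: String,
    pub url: String,
    pub spec: Spec,
}

fn unquote(s: &str) -> String {
    s.trim().trim_matches(|c| c == '"' || c == '\'').to_string()
}

/// Split an inline-table body (`git = "...", rev = "..."`) into key/value pairs.
fn kv_pairs(body: &str) -> Vec<(String, String)> {
    body.split(',')
        .filter_map(|item| {
            let (k, v) = item.split_once('=')?;
            Some((k.trim().to_string(), unquote(v)))
        })
        .collect()
}

/// Build a GitSource from a dependency's pairs; None if it is not a git dependency.
fn git_source(name: &str, pairs: &[(String, String)]) -> Option<GitSource> {
    let url = pairs.iter().find(|(k, _)| k == "git")?.1.clone();
    let spec = pairs
        .iter()
        .find_map(|(k, _)| match k.as_str() {
            "rev" => Some(Spec::Rev),
            "tag" => Some(Spec::Tag),
            "branch" => Some(Spec::Branch),
            _ => None,
        })
        .unwrap_or(Spec::Default);
    Some(GitSource { name: name.to_string(), url, spec })
}

/// Collect every git dependency from the manifest's dependency tables.
pub fn git_sources(manifest: &str) -> Vec<GitSource> {
    let mut out = Vec::new();
    let mut in_dep_table = false; // inside [dependencies], [dev-dependencies], ...
    let mut sub: Option<(String, Vec<(String, String)>)> = None; // a [dependencies.name] table

    for raw in manifest.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        if line.starts_with('[') {
            // A new table header closes any pending [dependencies.name] table.
            if let Some((name, pairs)) = sub.take() {
                out.extend(git_source(&name, &pairs));
            }
            let header = line.trim_matches(|c| c == '[' || c == ']');
            in_dep_table = header.ends_with("dependencies");
            sub = match header.rsplit_once('.') {
                Some((parent, name)) if parent.ends_with("dependencies") => {
                    Some((name.to_string(), Vec::new()))
                }
                _ => None,
            };
            continue;
        }
        let (key, value) = match line.split_once('=') {
            Some(kv) => (kv.0.trim(), kv.1.trim()),
            None => continue,
        };
        if let Some((_, pairs)) = sub.as_mut() {
            pairs.push((key.to_string(), unquote(value)));
        } else if in_dep_table && value.starts_with('{') {
            let body = value.trim_matches(|c| c == '{' || c == '}');
            out.extend(git_source(key, &kv_pairs(body)));
        }
    }
    if let Some((name, pairs)) = sub.take() {
        out.extend(git_source(&name, &pairs));
    }
    out
}

/// Report every git source pinned less precisely than `required`.
pub fn lint(manifest: &str, required: Spec) -> Vec<String> {
    git_sources(manifest)
        .into_iter()
        .filter(|s| s.spec < required)
        .map(|s| format!("{}: git source {} is pinned by {:?}, but at least {:?} is required",
                         s.name, s.url, s.spec, required))
        .collect()
}

/// Constructed sample manifest; the example.invalid URLs are placeholders.
pub const SAMPLE: &str = r#"
[package]
name = "example"

[dependencies]
serde = "1.0"
pinned = { git = "https://example.invalid/org/pinned", rev = "0123abcd" }
floating = { git = "https://example.invalid/org/floating" }
on_branch = { git = "https://example.invalid/org/on_branch", branch = "main", features = ["x"] }

[dev-dependencies.tagged]
git = "https://example.invalid/org/tagged"
tag = "v1.2.3"

[build-dependencies]
cc = "1.0"
"#;

fn main() {
    for finding in lint(SAMPLE, Spec::Rev) {
        println!("{finding}");
    }
}
```

With `Spec::Rev` as the floor, the sample yields three findings (floating, on_branch, tagged); with `Spec::Tag` only the first two remain, which is the "tags are a lesser concern" trade-off made explicit as configuration.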

@Jake-Shadle Jake-Shadle added the enhancement New feature or request label Aug 5, 2020
@Jake-Shadle Jake-Shadle self-assigned this Aug 5, 2020
8573 commented Aug 5, 2020

> When using a git repository as a crate source, by default it will just pull the HEAD of the default branch from the URL given […]

Is this true yet? To my limited understanding, Cargo, for now, defaults to using master and doesn't check what the default branch actually is: see, e.g., rust-lang/cargo#8364, rust-lang/cargo#8522. I'm not sure whether those patches have been released, but I would imagine there would have been a note on the Rust blog if they had.

Jake-Shadle (Member, Author) commented

Yah you're right, I meant default more as master for now, but with cargo adding in default branch detection in the future.

Jake-Shadle added a commit that referenced this issue Aug 6, 2020
* Add UnvalidatedConfig trait

* Add feature to allow github/gitlab/bitbucket orgs instead of only exact urls

Resolves: #236

* Refactor and simplify tests

* Add sources tests

* Add gitlab/bitbucket tests

* Add support for checking all git sources have the required minimum spec

Resolves: #235

* Update sources doc

* Update CHANGELOG