Better code authentication on crates.io

[Shnatsel]

crates.io currently lacks a number of fairly basic security features, such as requiring signatures from several maintainers to issue a package release.

Designing a solution for this from scratch or gradually patching for more and more stuff sound like dubious undertakings. Fortunately, The Update Framework provides a fairly comprehensive solution that is not overly tedious for crate maintainers. A Rust implementation is in progress.

Discussion on crates.io issue tracker: rust-lang/crates.io#75

[tarcieri]

Here's a proposal I wrote to use TUF for crates.io signing withoutboats/rfcs#7

[heavypackets]

I've yet to get through all of the prior work done so far in detail, but this will be a high priority through the rest of the year for me. I will say, there are a lot parallels here to Notary which I now help maintain. Notary uses TUF metadata in a way similar to what has been proposed, so there is some prior art to reference to also help ramp his effort back up. Are there any current items in progress?

[tarcieri]

@heavypackets my linked proposal in the previous post is the last I know of to integrate TUF into crates.io.

It’s something I’ve been meaning to work on when I have some spare cycles.