
Add cargo-deny plugin #18

Merged: jleibs merged 1 commit into main from jleibs/add-cargo-deny on Jul 1, 2026

Conversation

@jleibs jleibs (Contributor) commented Jul 1, 2026

Adds a proto plugin for cargo-deny, which audits Rust dependency trees for security advisories, license policy, duplicate versions, and untrusted sources. Follows the prek pattern (musl Linux build, per-asset .sha256 verification, binary nested in a versioned archive directory). Tags are bare semver so no version-pattern is needed, and upstream ships x86_64 only for Windows. Verified locally that install + checksum verification + proto bin resolution succeed on Linux; the CI smoke-test covers macOS and Windows.

🤖 Generated with Claude Code

@jleibs jleibs requested a review from a team as a code owner, July 1, 2026 01:24
@jleibs jleibs force-pushed the jleibs/add-cargo-deny branch from 25ba2ee to c60be3b, July 1, 2026 04:32

@jleibs jleibs (Contributor, Author) commented Jul 1, 2026

Heads up on checksums: I initially had per-platform checksum-file + .sha256 verification, but the Windows leg fails CI. cargo-deny publishes its Windows .sha256 as an uppercase digest (Linux/macOS are lowercase), and proto compares checksums case-sensitively, so proto install rejects a correct file on Windows.

Root cause + fix upstream: moonrepo/proto#1041 (makes hex comparison case-insensitive; issue moonrepo/proto#1040).

Since checksum-url lives in [install] and is global, there's no way to verify Linux/macOS while skipping only Windows — it's all platforms or none. So as an interim I've dropped checksums (with a comment in plugin.toml pointing at #1041). Once that proto fix is released, restoring verification on all platforms is a one-commit change.

Happy to instead hold this PR until the proto fix lands if you'd rather not merge without checksums — your call.

cargo-deny audits Rust dependency trees for security advisories, license
policy, duplicate versions, and untrusted sources.

- Uses the static musl Linux build; macOS and Windows use the upstream
  release archives (Windows ships x86_64 only)
- Tags are bare semver, so no version-pattern is needed
- The binary nests inside a versioned directory, reflected in exe-path

Checksum verification is temporarily disabled: cargo-deny publishes its
Windows .sha256 as an uppercase digest and proto compares checksums
case-sensitively, so install fails on Windows. checksum-url is global to
[install], so it's all platforms or none. The checksum-file / checksum-url
directives are left in place but commented out; uncomment them once the
proto fix ships: moonrepo/proto#1041

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01T2Rwh4XwFE3cR9oHCc7T89
@jleibs jleibs force-pushed the jleibs/add-cargo-deny branch from c60be3b to 9a5be64, July 1, 2026 11:36

@jlouazel jlouazel (Collaborator) left a comment

Went down a rabbit hole on your "better workaround than disabling checksums" question. Short answer: there's one that works, but I don't think it's worth it over what you did.

I pulled proto's source to confirm the diagnosis first. The matcher is sha.rs#L54-L55, literally line == checksum_hash, and checksum_hash is the lowercase digest proto computes locally, so cargo-deny's uppercase Windows .sha256 never matches. Exactly the thing your #1041 fixes (still unmerged on master as of that commit, so v0.58.1 has the case-sensitive version). I reproduced it on proto 0.58.1 too: feed it an uppercase bare digest and install fails, lowercase passes.

The workaround that keeps checksums on everywhere without waiting for #1041: vendor the checksums into this repo, lowercase the Windows one, and point checksum-url at the repo-hosted copies instead of upstream's. I tested it locally and it works. checksum-url happily lives on a different host than download-url, and the lowercase digest verifies. One gotcha if anyone tries it: proto won't take a file:// checksum-url ("URL scheme is not allowed"), so it has to be served over http(s), and raw.githubusercontent.com is fine.

But honestly I'd leave it as-is. Vendoring makes us the trust anchor, so someone has to verify against upstream once and then re-vendor the digest on every version bump, and that's ongoing work to cover a gap that disappears the second your own #1041 lands. What you've got is documented, flips back on in one line, and is tied to a fix you already wrote. Seems like the right tradeoff.

@jlouazel jlouazel (Collaborator) left a comment

👍

@jleibs jleibs merged commit 063dec4 into main Jul 1, 2026
5 checks passed
@jleibs jleibs deleted the jleibs/add-cargo-deny branch July 1, 2026 11:59