Add cargo-deny plugin #18
Force-pushed 25ba2ee to c60be3b
Heads up on checksums: I initially had per-platform Root cause + fix upstream: moonrepo/proto#1041 (makes hex comparison case-insensitive; issue moonrepo/proto#1040). Since Happy to instead hold this PR until the proto fix lands if you'd rather not merge without checksums — your call.
cargo-deny audits Rust dependency trees for security advisories, license policy, duplicate versions, and untrusted sources.

- Uses the static musl Linux build; macOS and Windows use the upstream release archives (Windows ships x86_64 only)
- Tags are bare semver, so no version-pattern is needed
- The binary nests inside a versioned directory, reflected in exe-path

Checksum verification is temporarily disabled: cargo-deny publishes its Windows .sha256 as an uppercase digest and proto compares checksums case-sensitively, so install fails on Windows. checksum-url is global to [install], so it's all platforms or none. The checksum-file / checksum-url directives are left in place but commented out; uncomment them once the proto fix ships: moonrepo/proto#1041

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01T2Rwh4XwFE3cR9oHCc7T89
Force-pushed c60be3b to 9a5be64
jlouazel left a comment
Went down a rabbit hole on your "better workaround than disabling checksums" question. Short answer: there's one that works, but I don't think it's worth it over what you did.
I pulled proto's source to confirm the diagnosis first. The matcher is sha.rs#L54-L55, literally line == checksum_hash, and checksum_hash is the lowercase digest proto computes locally, so cargo-deny's uppercase Windows .sha256 never matches. Exactly the thing your #1041 fixes (still unmerged on master as of that commit, so v0.58.1 has the case-sensitive version). I reproduced it on proto 0.58.1 too: feed it an uppercase bare digest and install fails, lowercase passes.
The workaround that keeps checksums on everywhere without waiting for #1041: vendor the checksums into this repo, lowercase the Windows one, and point checksum-url at the repo-hosted copies instead of upstream's. I tested it locally and it works. checksum-url happily lives on a different host than download-url, and the lowercase digest verifies. One gotcha if anyone tries it: proto won't take a file:// checksum-url ("URL scheme is not allowed"), so it has to be served over http(s), and raw.githubusercontent.com is fine.
But honestly I'd leave it as-is. Vendoring makes us the trust anchor, so someone has to verify against upstream once and then re-vendor the digest on every version bump, and that's ongoing work to cover a gap that disappears the second your own #1041 lands. What you've got is documented, flips back on in one line, and is tied to a fix you already wrote. Seems like the right tradeoff.
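The failure mode jlouazel traces to the matcher, written out as an added example. This is not proto's sha.rs and not cargo-deny's code; it does no hashing, the caller passes in the "locally computed" digest (the well-known SHA-256 of empty input is used as a stand-in), and the names `parse_sha256_file`, `digest_matches`, `verify`, `Compare` and the file name `archive.tar.gz` are invented for the example. It shows both the byte-for-byte comparison the comment describes for proto 0.58.1 and the case-insensitive one, over both a bare uppercase digest (the shape attributed to cargo-deny's Windows .sha256) and the coreutils `digest  filename` form.

```rust
// Added example for this thread, not proto's sha.rs and not cargo-deny code.
// No hashing happens here: `local` is whatever digest the installer computed
// over the downloaded archive, always lowercase hex.

/// Well-known SHA-256 of empty input, used only as a stand-in for the digest
/// proto would compute over a downloaded archive.
pub const LOCAL_DIGEST: &str =
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Compare {
    /// Plain `==` on the hex text, as the review comment describes for 0.58.1.
    CaseSensitive,
    /// Hex is hex: `AB` and `ab` name the same digest.
    CaseInsensitive,
}

#[derive(Debug, PartialEq, Eq)]
pub enum VerifyError {
    /// No line carried a usable 64-char hex digest (for the named file, if any).
    NoDigestFound,
    /// A digest was found but did not match the local one.
    Mismatch { expected: String, found: String },
}

fn is_sha256_hex(s: &str) -> bool {
    s.len() == 64 && s.bytes().all(|b| b.is_ascii_hexdigit())
}

/// Pull the digest out of a .sha256 file. Accepts a bare digest on a line by
/// itself and the coreutils `digest  filename` / `digest *filename` form.
/// When `file_name` is given, only the line naming that file counts.
pub fn parse_sha256_file(contents: &str, file_name: Option<&str>) -> Option<String> {
    for line in contents.lines() {
        let mut parts = line.split_whitespace();
        let digest = match parts.next() {
            Some(d) => d,
            None => continue, // blank line
        };
        if !is_sha256_hex(digest) {
            continue; // comment, stray BOM, or a digest of another length
        }
        match (parts.next(), file_name) {
            // Bare digest: usable whichever file we asked about.
            (None, _) => return Some(digest.to_string()),
            // Named line with no constraint: first usable line wins.
            (Some(_), None) => return Some(digest.to_string()),
            // Named line: must name the file we actually downloaded.
            (Some(name), Some(want)) => {
                if name.trim_start_matches('*') == want {
                    return Some(digest.to_string());
                }
            }
        }
    }
    None
}

pub fn digest_matches(found: &str, local: &str, mode: Compare) -> bool {
    match mode {
        Compare::CaseSensitive => found == local,
        Compare::CaseInsensitive => found.eq_ignore_ascii_case(local),
    }
}

/// End to end: parse the .sha256 file, then compare under `mode`.
pub fn verify(
    sha256_file: &str,
    file_name: Option<&str>,
    local: &str,
    mode: Compare,
) -> Result<(), VerifyError> {
    let found = parse_sha256_file(sha256_file, file_name).ok_or(VerifyError::NoDigestFound)?;
    if digest_matches(&found, local, mode) {
        Ok(())
    } else {
        Err(VerifyError::Mismatch { expected: local.to_string(), found })
    }
}

fn main() {
    // Constructed inputs standing in for upstream .sha256 files.
    let windows_style = LOCAL_DIGEST.to_ascii_uppercase(); // bare, uppercase
    let coreutils_style = format!("{}  archive.tar.gz\n", LOCAL_DIGEST); // lowercase, named

    for mode in [Compare::CaseSensitive, Compare::CaseInsensitive] {
        println!(
            "{:?}: uppercase bare -> {:?}, coreutils line -> {:?}",
            mode,
            verify(&windows_style, None, LOCAL_DIGEST, mode),
            verify(&coreutils_style, Some("archive.tar.gz"), LOCAL_DIGEST, mode),
        );
    }
}
```

Both modes accept the lowercase coreutils-style line; only `CaseInsensitive` accepts the uppercase bare digest, which is exactly the gap the commented-out checksum directives are waiting on. The length and hex-only check in `is_sha256_hex` is deliberate: case folding is only safe once the token is known to be hex, and it also stops a truncated or commented line from being taken as a digest at all.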
Adds a proto plugin for cargo-deny, which audits Rust dependency trees for security advisories, license policy, duplicate versions, and untrusted sources. Follows the prek pattern (musl Linux build, per-asset .sha256 verification, binary nested in a versioned archive directory). Tags are bare semver so no version-pattern is needed, and upstream ships x86_64 only for Windows. Verified locally that install + checksum verification + proto bin resolution succeed on Linux; the CI smoke-test covers macOS and Windows.

🤖 Generated with Claude Code