Open
Description
Metadata | |
---|---|
Point of contact | @walterhpearce |
Team(s) | cargo, crates-io, infra, leadership-council, release |
Goal document | 2025h1/verification-and-mirroring |
Summary
Within 6 months, we will work towards consensus with the Rust teams on an RFC for cryptographic verification and mirroring of releases and crates.io, and provide experimental infrastructure demonstrating the ability to mirror crates.io and verify downloads from a mirror. This will include a proof of concept for a secure chain of trust rooted in the Rust Project, via a quorum-based mechanism, and methods to verify individual Rust crates and their individual index entries, as well as the index and the artifacts as a whole.
This consensus will include a clear policy for the threat models we should protect against, and a clear demonstration that the proposed infrastructure secures against those threats.
Tasks and status
- Inside Rust blog post about proof-of-concept (@walterhpearce)
- Series of documents (RFC components or Inside Rust blog posts) (@walterhpearce, @joshtriplett)
- Policy decision (leadership-council)
- Design meeting (cargo)
- Design meeting (cargo)
- Dedicated reviewer (cargo)
- Design meeting (crates-io)
- Design meeting (crates-io)
- Design meeting (infra)
- Discussion and moral support (release)
Quorum-based cryptographic infrastructure (RFC 3724)
- Further revisions to RFC (@walterhpearce, @joshtriplett)
- Implementation and proof-of-concept deployment (@walterhpearce)