From YouTube: Rust Zürisee, April: cargo crev and cargo audit
Description
Recording of the Rust Zürisee Meetup on April 30th.
Christian (aka chrysn) talked about cargo-crev: «Don't waste time reviewing crates – make it count instead! With crev code reviews, we can mesh up our reviews to gain a level of review coverage on, and thus trust in, our dependencies that would be practically unobtainable alone. Let's join forces to cover our whole dependency trees.»
Slides: https://christian.amsuess.com/presentations/2020/crev/
Tool: https://crates.io/crates/cargo-crev
Tony Arcieri (aka tarcieri / bascule) talked about cargo-audit and the RustSec Advisory Database.
Tool: https://crates.io/crates/cargo-audit
A
Welcome everybody to the second virtual Rust meetup for Zürisee. I'm very excited today that we have two talks today, both about auditing using cargo-audit and checking in code using cargo-crev. So for those of you who are new to our virtual Rust meetup: if you just drop by here in the Twitch stream, you can either chat in the Twitch chat to your side, or we also have a Matrix chat which is linked on the event page, so feel free to discuss there or ask questions there.
A
Chats for any discussions. So just a few things: this talk, all these talks are also going to be recorded, so we will upload the recording to YouTube later on. I also should mention that, while I'm the person speaking here, this meetup is actually being mostly managed by Danilo in the background, so he's the person doing all the audio mixing and video mixing and setting up the live stream for us. So thanks a lot to Danilo for doing this, and to my co-organizer Stefan, who has also been involved in building this.
C
Thanks for having me here. My name is Christian and I'd like to introduce a tool called crev, or cargo-crev, which would make our lives much easier when it comes to dependencies and trust in them. I didn't produce this tool; later on I'd like to invite you to participate, and I'll be posting installation instructions on the Matrix channel.
C
So if you'd like, you can just fire them off so that you can afterwards basically follow everything that I'm showing live, because it takes a while, it's long. So without further ado.
What is this all about? The problem of dependencies. If you've ever had any larger cargo project, a Rust project, and looked at your dependency tree, for example using the cargo tree command, then you will have noticed lots and lots and lots of crates.
C
That this is depending on, and this is not only the ones that you're directly depending on, this is the ones that your dependencies are depending on, and this easily goes into the hundreds. Now the JavaScript ecosystem has been so nice as to show a few of the problems that arise, both in having so many dependencies and in having very small pieces of code in their own packages.
C
Cargo-crev will not solve the issues that were had with, for example, left-pad, where the package just vanished and then everyone's build systems suddenly broke, because cargo has its own features there that will mitigate those problems. But the problem remains that there is lots of code in there that you don't necessarily trust yourself, or that you haven't reviewed at all. Maybe nobody has reviewed it, because the author of the crate you're depending on might have had a look at its dependencies, maybe he didn't. So
C
actually, you don't know. Everything you usually have is the download numbers. So, enter crev. Maybe at this time it's a good point for the disclaimer: I didn't write this, actually didn't even contribute any code to it, I'm just a user of it who is very interested in having it, because for me it means that I can start looking into the pieces of code that I'm shipping with my deployments that nobody so far had a deeper look at except for the authors. Cargo-crev is a tool to do structured code reviews.
C
So every time you look at someone else's code, you can review it in a way that it's signed, so cryptographically authenticated, that can be published, and that is machine readable so that others can use it. Let's look into the details of how this is done. When you review a crate you're presented with a form, and this asks you very, very simple questions, which I'm sure you can answer. The first is: how thoroughly did you review that? Did you review all of it?
C
Was it just glimpsing over it? That's fine as well; that's valuable information for everyone who will later be using this. How well do you understand it? If it's cryptographic code, you might want to state a little lower understanding, unless you're into it, unless you really know what you're saying there. So this gives it kind of a two-dimensional grid where you can align yourself, and the final verdict of: is it good.
C
It shows you whether your crate, whether that dependency... and by the way, this whole list here is just that tree from before in a flattened form, so it doesn't care about how deep your dependencies are in your tree. It just shows that this is something that you include in your build.
C
The last possibly interesting line is this one. Usually the reviews are related to a particular version; when you're developing right now, you usually don't work on a released version, so this just says there are no reviews, but hey, this is a work-in-progress thing, so this is what you're working on.
C
When you did reviews you can share them, and this is happening using git. So the easiest workflow is just: you create your key, you start reviewing, you push it, other people pull it. This is all managed by cargo-crev. The cryptographic part is managed by cargo-crev. So when you start it up, you create an ID, it creates a key for you, it encrypts the key for you locally.
C
There's two kinds of things you can state with it. The usual one is: I've looked at this piece of software and this looks good or bad. The other is: there is this other reviewer, I want to use their reviews and I want to trust their reviews. Again, you state whether you fully trust them, or whether you have kind of marginal trust, or you don't trust them at all, but you can state that. The default model that's used by cargo-crev is a transitive model.
C
So if you trust someone to review crates, you also trust them to trust other people, which gives you a network of people. So by the time you actually start verifying your code, chances are that several of the crates you have in there have already been reviewed by someone in your trust network. There's also a public list of published proof repositories, which is what feeds the issue counters in the first few slides.
C
This is basically repeating the installation instructions I already pasted in the Matrix channel. Now the first thing you usually do when you install crev is that you create your ID. Crev is relatively tightly integrated with that git publishing process, so currently you can't even create a new ID without having a repository that you will later publish it into.
C
Then those will show up in the public lists. So if anyone is fetching all repositories and looking for: where has ever someone reviewed that particular crate, and maybe if that review is good I start giving them a little trust and then just walk from there; this will make sure that those pages keep track of where those repositories are.
C
Now that you have your ID, you can start trusting people, so this line will put trust in whatever I've published. Not that I particularly recommend that, because you don't know me, but with people whom you trust you can do this. You can also enter the cryptographic identifiers that come with the repositories there, but this way it's a bit easier and you find the right address for fetching right away, and it still shows you the ID, so if you want to do fingerprint comparison, you can do that.
C
Then you'll need to fetch information. So this will not only fetch from your trusted network, which would be cargo crev fetch trusted, but fetch from everything that's known, including the ones you trust. And when you then, in your repository, run cargo crev crate verify, you will get that very list I showed you earlier of all the crates you're depending on: which of them have been reviewed, which of them have known issues, which of them haven't been released in quite a while.
C
So if this is a crate that isn't really all that widely used, it might be a good idea to start reviewing that, because it just hasn't gotten so many eyes on it. You will, and I think that will be true for any non-trivial project at the current state of affairs, have several crates that have not been reviewed by anyone, and I'd invite you to just have a look at one of those crates and review it. And you can spend seconds on every file, just skim through it.
C
So that's basically it from my part. I've assembled a few links that would just get you further. There's a very good getting started guide that essentially says what I'm saying here, maybe in a different sequence, but things are there, and the program itself is documented, and the author is very happy to accept pull requests. So, questions so far?
C
Okay, none here. I'll be around later anyway in the Jitsi Meet rooms. But if you have any questions that come up now, maybe this can be interesting to everyone.
C
Okay then, thank you, see you later in Riot.
A
Yeah, like we said, feel free to ask them in the chat later, he will be around. Cool. Thank you, thank you very much, Chris. I hope this still gets some traction. This is a really cool project, like getting a map of trust. Bootstrapping is always hard, but you know, somebody has to do the first step. Yeah, cool, so people in the chat seem really happy.
A
That's cool. All right then, if there are really no other questions from the chat, I'd propose that we switch it over.
B
Right, can you hear me? Mm-hmm. Let me try sharing my screen.
B
Hopefully, virtually. I can't really see anything else when I'm in presenter mode, so I'm gonna hope for the best; if not, just ping me on Riot. So yeah, I'm Tony Arcieri, and this talk is about RustSec, the Rust security advisory database. A little bit about the project: you can find the project's website at rustsec.org. Some notable things about it: it's a project of the Rust Secure Code Working Group.
B
This is an official working group that mainly does RustSec, but also has a project called the safety dance to audit crates for unsound usages of unsafe, and potentially places where unsafe code could be replaced with safe code at no cost. But the main thing to know about it is cargo-audit. This is a tool for auditing for security vulnerabilities in Rust projects.
B
It does that by consuming Cargo.lock. To install it, cargo install cargo-audit, or if you want a cool new kind of experimental feature that will automatically attempt to fix security vulnerabilities in your project, add the --features=fix argument when you're installing. I'll have a demo of it later. But first I just wanted to talk about the security advisory database itself. So it consists of, I think, about 85 vulnerabilities right now, tracked all the way back to 2016.
B
Each of them has this sort of CVE-like RUSTSEC identifier for each advisory. People have also been filing CVEs for all of these, so many of them have a CVE available as well. Each of the advisories looks kind of like this: it has the advisory ID, the crate name, what the vulnerability was, when it happened, a rough description of what went wrong, and which things have been patched. You can find the entire advisory DB
B
basically has all that same information you saw on the previous page. A little bit of history about the project: so it started out in 2016 as this RFC, unmerged, with the basic idea that crates.io should probably track this behavior, and the response we got from the Rust core team at the time was: perhaps we should develop something out of tree and prove it out.
B
So that's basically what we did, and it has now been incorporated into this official Rust working group called the Secure Code Working Group that I mentioned earlier. So now I want to give you a quick demo of how cargo-audit works. Let me try to switch over to the terminal. Okay, let's see, hopefully you can see that; if not, ping me on Riot. Hopefully it's now working. So I'm gonna run... I have an example Rust project here, I'm gonna run cargo audit.
B
So what it has found is there is this vulnerable crate included in the project. It's actually that same one I used as an example earlier. Something else interesting is: it also has warnings for crates that are presently unmaintained. So these aren't tracked as vulnerabilities, they're just tracked as unmaintained crates and they're surfaced as warnings, but we do track this information as well, just to allow people to know if they're using unmaintained crates within their project.
B
Yeah, I mean it's definitely a good thing to throw in CI. There is an actions-rs project; if you use GitHub, they've already made an action to run this against your projects. I recommend cronning it, so you just run it like once a day or once a week, then it'll automatically spot vulnerabilities.
B
We open the issues for each of these crates kind of as they pop up. We usually try to get the consent of the crate authors. If there is already an existing issue, or the crate author explicitly says that the crate is unmaintained, that's like our main signal. If people have archived the GitHub project, that's like another thing we look at, and otherwise, if there's just been like an issue open for years where we haven't heard from the author or something.
B
There is not an automated image. That would be really cool if we got this into like rustup or something, so you could install it as like a rustup component or something like that. Unfortunately there's not now; there is an open issue kind of tracking that sort of thing on cargo-audit. It's definitely something we'd like to address.
B
Looks like there's one more question there: how the database is maintained, how often it updates. So it's maintained by members of the security working group. We just kind of review, approve and merge these PRs, and updates happen whenever vulnerabilities are found. So we just track vulnerabilities, and it updates whenever, you know, people publish them.
B
It looks like there's one more question: a dry-run option for fix. That would be easy. It doesn't exist now, but it would be an extremely easy thing for someone to contribute. The fix feature is built on top of a crate called cargo-edit. cargo-edit does have a dry-run parameter you can toss into the function we're calling; there just isn't a command line flag to kind of wire it up right now, to actually pass that.