Add cargo vet
infrastructure
#1509
Comments
Out of curiosity, I attempted to run cargo-vet on an app of mine, which quickly got me down the rabbit hole of reviews on a huge audit backlog. To assess the scope for gtk-rs independently, I set up a small demo repo with gtk4, libadwaita, and gettext-rs and got started on cargo-vet. It's not great, but it's not too bad either. gtk-rs has a non-trivial dependency tree, and cargo vet initially reports about 1.2 million LoC for review. Importing the standard audit databases (google, mozilla, bytecode alliance, and embark studios) got it down to about 400k, and trusting a few high profile individuals who are also trusted by at least mozilla gets it down to just about 28k lines. If you consider that much of that is licenses, docs, etc. and that reviewing for
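For readers who have not used cargo vet, this is what the setup described in the comment above ends up looking like on disk. It is an added illustration, not a file from this issue, the demo repo, or the gtk-rs project: a supply-chain/config.toml that imports the four external audit sets and trusts one publisher for one crate. The import URLs are assumed to match cargo vet's built-in registry for those names; the crate names, user id and dates are placeholders.

```toml
# supply-chain/config.toml (added example, not from the issue)
[cargo-vet]
version = "0.8"

# External audit sets. `cargo vet import <name>` writes these entries and
# pulls the audits in; URLs below are assumed to match the built-in registry.
[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

[imports.embark-studios]
url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"

# Trust a publisher for a single crate and a bounded time window rather than
# globally; `cargo vet trust` writes this. user-id and dates are placeholders.
[[trusted.example-crate]]
criteria = "safe-to-deploy"
user-id = 0 # PLACEHOLDER: crates.io user id of the trusted publisher
start = "2020-01-01"
end = "2025-01-01"

# Whatever is still unaudited is recorded as an explicit exemption, so the
# remaining backlog is visible in the repo and `cargo vet check` passes
# only when every dependency is covered by an audit, a trust entry or an
# exemption. Crate name and version are placeholders.
[[exemptions.other-example-crate]]
version = "1.0.0"
criteria = "safe-to-deploy"
```

The usual sequence is `cargo vet init` (which seeds the exemptions for the current lockfile), one `cargo vet import <name>` per audit set, then `cargo vet suggest` to see the remaining lines of code to review; `cargo vet check` in CI is what makes reviews mandatory for dependency updates, since a bumped version without a matching audit fails the check. Keeping trust entries per crate and time-bounded limits how much a single compromised publisher account can slip through.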
Very doable, yes. Just needs to be done :)
So, what's the next step? Make a pull request to add cargo vet to this repo and thus make reviews mandatory for dependency updates?
Yes. See how it was done in the linked issue to get an idea
Mh, which linked issue are you referring to precisely? I only see a ticket in gtk-rs/release but there wasn't anything done over there 🤔
https://gitlab.gnome.org/Teams/Releng/rust-supply-chain is linked from there
See gtk-rs/release#196