pinkforest(she/her)
They appear when there is a PR that doesn't add advisories, e.g. when we bumped rustsec-admin 0.8.0 for rustdecimal https://github.com/rustsec/advisory-db/pull/1308 Resulted in: https://github.com/rustsec/advisory-db/pull/1309 Probably should adjust the workflow in db
What I like with deny is that I can call `cargo deny init` (`init    Creates a cargo-deny config from a template`). This creates its own default config file...
Continuing from here: https://github.com/rustsec/advisory-db/issues/380 I don't think we can guarantee that the PR number is in the merge commit so that `rustsec-admin assign-id --github-actions-output` can spit it to the message...
## Background

We've had some advisories / proposals where we don't have any concrete security issue(s) caused by untrusted data handling but it may be sometimes reasonable / feasible to...
Noticed another error as part of fixing #619 via #620 e.g. when a crate name is missing from crates.io we get: `error: error linting advisory DB ../../: crates.io index error:...
### git2-rs - Example 1

**Repro**

```
docker run -ti --rm rust /bin/bash
cargo install cargo-geiger --git https://github.com/rust-secure-code/cargo-geiger --force
mkdir app ; cd app
git clone https://github.com/rust-lang/git2-rs.git .
cargo geiger...
```
Folks are using this and it seems the maintainer @svartalf is MIA. There seems to be at least one fork already by @djmitche / GothenburgBitFactory: https://github.com/actions-rs/audit-check/pull/221#issuecomment-1193138925 https://github.com/GothenburgBitFactory/taskwarrior/issues/2830#issuecomment-1179835614 Here: https://github.com/GothenburgBitFactory/audit-check Addressing: https://github.com/actions-rs/audit-check/issues/223...
EDIT: After @tarcieri's comment I added "Deprecated" **I've been thinking of formal definitions** 1) Maintained (_currently exists as Unmaintained_) and 2) Deprecated (_currently does not exist_) As well as the...
I was wondering what else we could do as a WG to help crate maintainers to keep their crates secure. This was in combination with some governance stuff I had...
**Why? - or - The Target Problem(s) Statement**

1. Knowing what the binary *was* compiled with (transitive dependencies) in the past is hard for both the maintainer as well as...