sigstore-rs
Implement cargo vet for improved package security
cargo vet from Mozilla allows us to benefit from crate audits performed by other communities such as Mozilla, Bytecode Alliance, etc.
This PR sets a baseline which will pass. If we wish to, we can audit back at any time. The changes in this PR will (once merged) fail a PR if a new package is introduced with no audit history from our peer network set within supply-chain/audits.toml.
All we then need to do is perform a review of the crate and decide if we feel it is safe to include in sigstore-rs.
Anyone can pre-audit, with for example a git hook, by installing cargo vet (`cargo install cargo-vet`) and then running an audit: `cargo vet`.
This is useful for obvious reasons, and could catch us mistakenly using a typo-based attack or introducing an unaudited crypto lib.
Last of all, we bring Cargo.lock back in, which should only really be gitignore'd for a binary.
Signed-off-by: Luke Hinds [email protected]
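As an added illustration (not a file from this PR or from sigstore-rs), this is the shape of the two files cargo vet keeps under supply-chain/: config.toml holds the peer imports and the exemptions that form the passing baseline, audits.toml holds the audits we record ourselves. The crate name, versions and reviewer are constructed placeholders; the import URLs are the published audit files of the two communities named above, and the imports stanza is an assumption about which of those files a maintainer would choose to trust.

```toml
# --- supply-chain/config.toml (constructed illustration) ---

[cargo-vet]
version = "0.8"   # `cargo vet init` writes the real value for the installed tool

# Peer audit sets fetched on every `cargo vet` run. A dependency passes only if
# one of these, or our own audits.toml below, certifies it for the criteria.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

# The "baseline which will pass": crates already in the tree with no audit
# history are exempted at their current version. Adding a new crate, or bumping
# an exempted one, with no matching audit makes `cargo vet` fail, which is how an
# unreviewed package surfaces in CI.
[[exemptions.example-crate]]      # placeholder crate name
version = "1.2.3"                 # placeholder version
criteria = "safe-to-deploy"

# --- supply-chain/audits.toml (constructed illustration) ---

# An audit we record after reviewing the crate ourselves; once it exists the
# exemption above can be removed.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder reviewer
criteria = "safe-to-deploy"
version = "1.2.3"

# Reviewing only the diff between two versions rather than the whole crate again.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.com>"
criteria = "safe-to-deploy"
delta = "1.2.3 -> 1.3.0"
```

With the exemption in place `cargo vet` passes today; with it removed, the crate must be covered by a peer import or an entry in audits.toml before the check goes green again.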
Hold on merging this, I just found https://github.com/crev-dev/cargo-crev and am figuring out which is better suited.
Last of all, we bring Cargo.lock back in, which should only really be gitignore'd for a binary.
Committing the Cargo.lock is not recommended for libraries. I guess we have to do that to ensure cargo vet information is accurate, I just wonder if that could have side effects when consuming the library 🤔
You're right, I got it backwards.