Tony Arcieri
Tony Arcieri
@dongcarl that's what I'm proposing after discovering the current state of reproducibility of cargo builds. Still curious what people think about that. If people feel that's worthwhile, it'd be good...
Yes, it's abandoned. We should probably archive the repo.
I pushed up my WIP of a `rustwide`-based sandbox. It doesn't seem like there's an easy way to copy a development source tree into a container: https://github.com/rust-secure-code/cargo-sandbox/pull/7 (should've done a...
As a general thought: the crates.io team seems pretty overworked right now just keeping the lights on. It's probably not a good time to put anything more on their plate....
Something else I suggested on the call was that `rustup` might be a better starting point, and actually plays nicely into a story for `cargo`/crates.io. One thing I've gotten out...
> I think an interesting way to move forward here that will at least temporarily avoid integration headaches with cargo would be to prototype something like TUF + cargo as...
`rustup` is designed to be used by an individual user and does not support global installation (to my knowledge). It uses this crate to determine the user's home directory, along...
Appears to be pointed at Cloudfront: ``` $ host sh.rustup.rs sh.rustup.rs is an alias for dks7yomi95k2d.cloudfront.net. ``` Beyond that, I'm not sure.
FYI, discussion around Sigstore and TUF for crate signing seems to be picking up: https://internals.rust-lang.org/t/pre-rfc-using-sigstore-for-signing-and-verifying-crates/18115/2
There's now an RFC open here for signing crates with Sigstore: https://github.com/rust-lang/rfcs/pull/3403