Suggested recommendations for test, dev env, supply chain and error handling #62
`+` Best practice in the use of an internal registry `+` Best practice for using several registries in a project `+` Publishing a project in an internal registry `+` Setting up a default registry for a developer `+` Adding French and English versions
`+` Best practices added for supply chain security `+` Adding French and English versions
`+` Add a tool for checking the use of `unsafe` blocks in a program's supply chain `+` Adding French and English versions `^` Translation error corrected in one of the links
`+` Test to comply with RFC1236 `+` Error API recommendation `+` French and English versions
`^` Updating SUMMARY.md `^` Updating 01_introduction.md `+` Best practice in testing added
`.` Correct grammar error in French `+` Second method added for blocking `unsafe` blocks
Thanks for the work. I think there is still work to be done here to polish the wording, and some thinking about finding the right compromise.
In particular, private registries are not just a security device...
`^` Moving a few words from British English to American English to improve the overall consistency of the guide `^` Moving TODO in 01_introduction.md due to an oversight in the initial PR `^` Changing from TEST-INTERNE to TEST-UNIT to comply with the Rust book `-` Removing second-person pronouns in 02_devenv.md
`^` Replacing an example of code that could be considered duplicated `^` Correction of the formatting of the three cargo-geiger output types/levels
`^` Adding explanation for check TEST-CFG
`-` Check LANG-ERRDO may be considered obsolete (cargo issues a warning if the try macro is used)
Hello,

Regarding the comments on registries, I prefer to give a global answer here rather than in each comment. I completely understand your point of view, but I don't agree with it. In my view, having a private registry can help protect a company's IP but also make an attack on the supply chain more complex. Although cargo-deny is a very good tool (and I think we need to add some recommendations on how to use it), it doesn't fully fulfil the role of a private registry. Indeed, since crates.io allows the deletion of crates, the use of a private registry can protect a company while the situation is resolved. However, I agree that this is not a general thing but more recommendations to be adopted in the event that a high level of security is required.
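As an added illustration of the setup debated above (this is example configuration written for this page, not code from the PR or from the guide): a `.cargo/config.toml` that gives a developer an internal registry as the default publish target and replaces crates.io with a mirror hosted on it, followed by a `deny.toml` so that cargo-deny rejects any dependency coming from a source that is not on the allow list. The registry name `internal`, the mirror name and the `crates.example.internal` URL are placeholders; the keys are cargo's `registries`, `registry.default` and `source` replacement tables and cargo-deny's `[sources]` check. The two files are shown in one fence, separated by comments.

```toml
# ---- file: .cargo/config.toml (project-local, or in the developer's home) ----
# Added example; "internal", "internal-mirror" and the URL are placeholders.

# Named registry that `cargo publish --registry internal` and a dependency
# written as `my-crate = { version = "1", registry = "internal" }` refer to.
[registries.internal]
index = "sparse+https://crates.example.internal/index/"

# Make it the default target of `cargo publish`, so company code is not
# pushed to crates.io simply because a developer forgot --registry.
[registry]
default = "internal"

# Route every crates.io dependency through the internal mirror. Cargo.lock
# keeps recording crates.io as the source, so the lock file stays portable
# and cargo-deny still sees the dependency as coming from crates.io.
# Caveat: this only helps when a crate is removed upstream if the mirror
# stores its own copy of each .crate file instead of proxying on demand.
[source.crates-io]
replace-with = "internal-mirror"

[source.internal-mirror]
registry = "sparse+https://crates.example.internal/index/"

# ---- file: deny.toml (checked with `cargo deny check sources`) ----
[sources]
unknown-registry = "deny"   # fail on any registry not in allow-registry
unknown-git = "deny"        # fail on any git dependency not in allow-git
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []
```

The two mechanisms are complementary rather than interchangeable: source replacement decides where bytes are fetched from (and, with a caching mirror, keeps a copy that survives upstream deletion), while the cargo-deny `sources` check only verifies that every entry in `Cargo.lock` names an approved origin. A crate that is deleted from crates.io still passes cargo-deny but can no longer be downloaded without a mirror.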
Thank you @Sans-Atout for your important contribution. I left you comments.
`^` Change of the `LIBS-AUDIT-UNSAFE` recommendation to take into account the recommendations of @hg-anssi `^` Change of the `TEST-UNIT` recommendation to take into account the recommendations of @hg-anssi `-` Deletion of the section explaining what ignored tests are `-` Deletion of recommendation LANG-ERR-FLAT `^` Modification for English and French versions
`-` Deletion of recommendations on the use of an internal registry `-` Deletion of `cargo-vet` tool recommendations
`+` Explanation added to TEST-TRAIT recommendation `^` Modification for English and French versions
Many thanks for your pertinent comments @hg-anssi. I've taken the liberty of closing the various comments that I feel have been completely resolved by the changes I've made. I think some of them are still open to debate, so I'll let you close them if you're happy with the changes I've made. Regarding the parts deleted in commit 0bdd824, I'm going to open two issues by the end of the week so that we can discuss them in more depth. Indeed:
`-` Deletion of `cargo-supply-chain` tool recommendations `-` Deletion of `cargo-geiger` tool recommendations
`^` Modification of the style of certain recommendations `+` Reinsertion of TODO deleted in the initial PR
Good evening everyone,
I've also taken the liberty of creating issue #77 in order to group together subjects related to the supply chain. Please let me know if there are too many or if any of the issues need to be modified, deleted, added or merged.
Hi everyone,
A few months ago, I had to produce a guide on how to develop securely in Rust.
This guide was a great help and one of my main sources.
So I thought I'd propose a few rules and a few changes that I think are relevant after my research.
I apologise in advance for any mistakes I may have made.
I've tried using grammar checkers but I'm not sure I've corrected them all.
Here is a summary of the changes I am proposing:
- `unsafe` block checking (false positives seem to have disappeared since the issue Forbid unsafe code #10 was written) [47c3727]
- Cargo.toml [8c7b07f]

I hope these changes will be useful and I'd be more than happy to discuss them.