Comment by marcosdumay
1 year ago
> auditing dependency-publisher authentication
What does this mean?
It means you'll trust the random people pushing code to cargo if you can prove they indeed are the random people they claim to be?
When a primary dependency is added to a project, its publishers are evaluated for trustworthiness; it's possible that a dependency might be ruled out if its authors seem sketchy or insufficiently concerned with security. Different organizations might have different standards for what they'd accept, but in any case, this evaluation only needs to happen once.
Afterwards, it suffices to validate with each dependency update that the publisher is the same publisher that was evaluated before.
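The policy the reply describes (vet a crate's publishers once, then on every update only confirm the publisher is unchanged) can be mechanised. The script below is an added example, not code from either commenter or from cargo/crates.io. It assumes a project keeps its own allow-list of vetted publisher logins per crate, and it uses version records in the shape of the crates.io `/api/v1/crates/<name>/versions` response (each version carries `published_by` with a `login`, or `null` for old uploads); the records embedded here are constructed, not real API output.

```python
"""Publisher-continuity check for dependency updates (added example).

Models the two-step policy from the reply above:
  1. publishers are vetted once, when the dependency is first added;
  2. each later update only has to show the same vetted publisher.

Assumptions (not from the thread): a per-crate allow-list of vetted logins
(`TRUSTED_PUBLISHERS`) and version metadata shaped like the crates.io
`/api/v1/crates/<name>/versions` response. All data below is constructed.
"""
from __future__ import annotations

from typing import Any, Optional

# Vetted once, when each dependency was added (constructed allow-list).
TRUSTED_PUBLISHERS: dict[str, set[str]] = {
    "serde_example": {"alice"},
    "tiny_util": {"bob", "carol"},
}

# Constructed records in the crates.io "versions" response shape.
SAMPLE_VERSIONS: dict[str, list[dict[str, Any]]] = {
    "serde_example": [
        {"num": "1.0.0", "published_by": {"login": "alice"}, "yanked": False},
        {"num": "1.0.1", "published_by": {"login": "alice"}, "yanked": False},
        # A release from a login that was never vetted: the case the policy exists for.
        {"num": "1.1.0", "published_by": {"login": "mallory"}, "yanked": False},
    ],
    "tiny_util": [
        {"num": "0.3.0", "published_by": {"login": "bob"}, "yanked": False},
        # Old uploads can carry no publisher at all; continuity cannot be confirmed.
        {"num": "0.3.1", "published_by": None, "yanked": False},
        {"num": "0.3.2", "published_by": {"login": "carol"}, "yanked": True},
    ],
}


def publisher_of(versions: list[dict[str, Any]], num: str) -> Optional[str]:
    """Return the publisher login recorded for version `num`, or None if absent."""
    for v in versions:
        if v["num"] == num:
            pb = v.get("published_by")
            return pb["login"] if pb else None
    raise KeyError(f"version {num!r} not present in the version list")


def check_update(
    crate: str,
    new_version: str,
    versions: list[dict[str, Any]],
    trusted: dict[str, set[str]],
) -> tuple[bool, str]:
    """Decide whether `new_version` of `crate` keeps publisher continuity.

    Returns (ok, reason). The update is accepted only when the publisher of
    the new version is one of the logins vetted for this crate.
    """
    if crate not in trusted:
        return False, f"{crate}: no vetted publisher on record; evaluate it first"
    login = publisher_of(versions, new_version)
    if login is None:
        return False, f"{crate} {new_version}: no publisher recorded; continuity unverifiable"
    if login not in trusted[crate]:
        known = sorted(trusted[crate])
        return False, f"{crate} {new_version}: publisher {login!r} not vetted (known: {known})"
    return True, f"{crate} {new_version}: publisher {login!r} unchanged"


def audit_all(
    versions_by_crate: dict[str, list[dict[str, Any]]],
    trusted: dict[str, set[str]],
) -> list[str]:
    """Run the continuity check over every version of every crate; return failures."""
    failures: list[str] = []
    for crate, versions in versions_by_crate.items():
        for v in versions:
            ok, reason = check_update(crate, v["num"], versions, trusted)
            if not ok:
                failures.append(reason)
    return failures


if __name__ == "__main__":
    for line in audit_all(SAMPLE_VERSIONS, TRUSTED_PUBLISHERS):
        print("FAIL", line)
```

Two design points match the reply's reasoning: the expensive trust evaluation happens exactly once per crate (encoded in the allow-list), and the per-update check is a cheap equality test on the publisher identity. A version with no recorded publisher is treated as a failure rather than a pass, since continuity cannot be shown; whether such a version is accepted is then an explicit organisational decision, not a silent default.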