Help with rustup signature verification / TUF


#1

There have been a few threads about validating the artifacts downloaded via rustup (one, two), and I’m here to solicit help with an implementation of The Update Framework, (theupdateframework.github.io).

The project is rust-tuf (github.com/heartsucker/rust-tuf), and the plan I’m cooking up with @brson is to get rustup to use TUF to verify all the downloads. The crate is on crates.io as tuf, though the 0.1.x series is going to be fully replaced by new code in 0.2.x. Most of the groundwork is done, but there’s a lot of loose ends and things that need to be implemented before we can start packing it into rustup.

If you’re interested in helping, there’ a few things you can do

  • comment on issues marked Flag :: Research
  • ask to be assigned to isssues marked Flag :: Help Wanted
  • look at the two milestones needed before this can be added to rustup: 0.2.0 & 0.3.0
  • open an issue / make a feature request
  • write so many unit and integration tests
  • grep the code for minor TODOs

I’m trying to keep the GH issues organized do other people can jump in, but I could probably do better there. :slight_smile:

Anyway, get in contact if you want to get involved.


Self_update: In-place updates for rust executables
#2

This is certainly an interest area of mine, although I’m not sure how available I’ll be to work on it directly. I’ve been commenting on some of the rust-tuf issues, but I’ll see if I can help out on some of the other things you mentioned.


#3

Thanks for bringing attention to this important project @heartsucker. It’s really important to everybody in the community that Rust has top-quality security, from front to back, and I think this is going to be a big part of the story.


#4

Linkified for convenience.

Great to see someone working on this, I’ve heard excellent things about TUF!


#5

Yeah, discourse wouldn’t allow me to post multiple links because of spam prevention. :frowning:


#6

Ah, of course. “New” users are indeed limited.
Discourse is pretty nifty though, that restriction gets lifted really quickly after reading a few topics (yes, reading counts too, not just posting!) and returning a few days in a row. Best forum software out there IMHO