
Conversation


@djc djc commented Oct 27, 2025

Summary

This RFC proposes that crates.io should provide insight into vulnerabilities and unsound
API surface based on the RustSec advisory database.

Rendered

@djc djc added the T-crates-io Relevant to the crates.io team, which will review and decide on the RFC. label Oct 27, 2025
@djc djc force-pushed the crates-io-security branch from 8017e12 to 0202b53 Compare October 27, 2025 12:16
@djc djc force-pushed the crates-io-security branch from 0202b53 to 80e534c Compare October 27, 2025 12:18

epage commented Oct 27, 2025

FYI while I'm a fan of force-pushing, I'd recommend against it for RFCs as the commits regularly get referenced.

> are about the desirability of the feature, the implementation approach, and the governance
> of the source data.
>
> # Future possibilities

Reporting on provenance is related: https://lawngno.me/blog/2024/06/10/divine-provenance.html

The challenge there is setting the right tone of "there are divergences, this needs further investigation" rather than "this is bad!". Unsure if that can be satisfied on a Security tab, or if it needs to be a Health tab or maybe an Insights tab?


djc commented Oct 27, 2025

> FYI while I'm a fan of force-pushing, I'd recommend against it for RFCs as the commits regularly get referenced.

Yes, will stop doing so as I address feedback -- figured getting the RFC number in place was fine for force-pushing.
