-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Lockfile for non-reproducible crates #16
Comments
Maybe this overlaps with https://github.com/mozilla/cargo-vet |
I'm not sure this really stands on the security side. What's stopping someone from sending a PR with all of the newly added dependencies marked as perfectly reproducible only to find out the file had been changed by hand? |
Ok, maybe a list of known reproducible crates is not that useful and we can run not on every commit but when Cargo.lock changes, that it is manageable. Feature request then is to create a cargo-goggles.lock file with a list of known non-reproducible crates on a first run. Then on rerun remove crates that are not in Cargo.lock anymore and complain if more non-reproducible crates are added to prevent upgrades from reproducible crates to non-reproducible. |
cargo-goggles
needs a way to store a list of tested reproducible and tested non-reproducible crates next toCargo.lock
so it can be committed to the repository. Then in CI we can check that all packages fromCargo.lock
have been tested and are included in one of these lists. Locally developers can runcargo-goggles
to update the list, but likely not in CI on every commit because downloading git repositories for all dependencies is too slow and uses git hoster resources unnecessarily.The text was updated successfully, but these errors were encountered: