Add .cargo_vcs_info.json (with git commit hash) to crates uploaded to crates.io #21
Labels: enhancement (New feature or request)
Most crates on crates.io contain a .cargo_vcs_info.json file (see https://doc.rust-lang.org/cargo/commands/cargo-package.html#cargo_vcs_infojson-format for documentation on the format) containing the git commit hash (and location within the repository) corresponding to the released version. This allows automated tools to verify crates on crates.io against the source code on GitHub and can therefore reduce the risk of having undetected backdoors in uploaded crates if the machine used for running parity-publish and doing the official uploads is ever compromised.

In addition to that, having this mapping between the released version and the commit hash can also be useful for software engineers (or security auditors) trying to understand which version of the code is actually used in a given runtime configuration.
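The kind of automated check the issue describes, sketched as an added example (not code from this issue, from parity-publish or from cargo). It assumes the caller has already unpacked the .crate archive and checked out the repository at the recorded commit; the function names are hypothetical.

```python
import hashlib
import json
from pathlib import Path

# Files cargo generates or rewrites at package time; they have no identical
# counterpart in the repository and are skipped here.
GENERATED = {".cargo_vcs_info.json", "Cargo.toml", "Cargo.lock"}


def read_vcs_info(crate_dir):
    """Return (commit sha1, path_in_vcs, dirty) recorded by `cargo package`."""
    info = json.loads((Path(crate_dir) / ".cargo_vcs_info.json").read_text())
    sha1 = info["git"]["sha1"]
    if len(sha1) != 40 or any(c not in "0123456789abcdef" for c in sha1):
        raise ValueError("git.sha1 is not a full hex commit id")
    return sha1, info.get("path_in_vcs", ""), info["git"].get("dirty", False)


def _digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def diff_against_checkout(crate_dir, checkout_dir):
    """Compare an unpacked crate with a checkout of the recorded commit.

    Returns the sorted relative paths of packaged files that are absent from,
    or differ from, the checkout. An empty list means every file matches.
    """
    crate_dir, checkout_dir = Path(crate_dir), Path(checkout_dir)
    _, path_in_vcs, _ = read_vcs_info(crate_dir)
    # path_in_vcs comes from the uploaded archive, so treat it as untrusted.
    src_root = (checkout_dir / path_in_vcs).resolve()
    if not src_root.is_relative_to(checkout_dir.resolve()):
        raise ValueError("path_in_vcs escapes the checkout")
    problems = []
    for f in (p for p in crate_dir.rglob("*") if p.is_file()):
        rel = f.relative_to(crate_dir).as_posix()
        if rel in GENERATED:
            continue
        # Cargo.toml.orig is the manifest as it was in the repository.
        src = src_root / ("Cargo.toml" if rel == "Cargo.toml.orig" else rel)
        if not src.is_file() or _digest(src) != _digest(f):
            problems.append(rel)
    return sorted(problems)
```

A crate whose recorded dirty flag is true was packaged from a working tree with uncommitted changes, so differences from the commit are expected and need manual review.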