Exclude development scripts from published package#79
Exclude development scripts from published package#79weiznich wants to merge 2 commits intocuviper:masterfrom
Conversation
During a dependency review we noticed that the autocfg crate includes various development scripts. These development scripts shouldn't be there as they might, at some point become problematic. As of now they prevent any downstream user from enabling the `[bans.build.interpreted]` option of cargo deny. I opted for using an explicit include list instead of an exclude list to prevent these files from being included in the published packages to make sure that everything that's included is an conscious choice.
What exactly? Is it just
They also caution that "the compile time crate linting supplied by cargo-deny does NOT protect you from actively malicious code." https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html#the-build-field-optional
I do object to excluding tests though, and this script is needed by one of those. Tests are used both by downstream packagers (like Linux distros) as well as Rust's own crater for release checks -- it would raise awareness if some upcoming change caused a regression in Note that the test could write an equivalent script as a temporary file when it runs, but I think that would look even more suspicious. Either way, obfuscating or omitting tests, we shouldn't let audit tooling push us toward worse behavior! |
Yes, only
I don't think it's that simple. The code in this crate can (and in my particular example is) used as build-dependency of another crate. Given that all the code in this crate can run at built-time. This theoretically includes the script as well. An example of an crate using
Thanks for highlighting. I'm well aware of that, and to be clear And to be clear here: Yes the current code is not malicious, but it is still a potential vector for anyone to introduce malicious code.
If you feel that there is any value in including the tests I'm happy to change the PR to include them as well. I still would like to avoid the script. To argue with your own arguments here: The shell script is just not portable and will make the tests fail in environments that doesn't provide bash (e.g. windows). So maybe there is a solution to run the test without the shell script? Or just exclude that particular test from publishing? Another transparency section: I opted for excluding the tests as that is what other larger projects like rustls or reqwest do as well. I have no hard feelings for tests being there, it's just that I believe it's uneccessary to have them for almost all consumers of the crates.io package. As for crater: I'm well aware of that. You should also know that it also uses github repositories as source, so it can (and likely will?) use the tests from there. |
|
@cuviper What is missing to move this forward. Does the response above address your concerns? |
|
I would rather not exclude tests. If you'd like to try reworking that particular test without the script, e.g. using itself as the wrapper (and |
Also include the tests in the published package.
|
@cuviper I updated the PR according to your requests. It now replaces the shell script with a small binary compiled by rustc doing the same thing. Tests are also included in the published package now. Hopefully that satisfies your needs, if that's not the case just let me know. |
|
I was thinking more like #80 -- let me know if that works for you! |
2 participants
During a dependency review we noticed that the autocfg crate includes various development scripts. These development scripts shouldn't be there as they might, at some point become problematic. As of now they prevent any downstream user from enabling the
[bans.build.interpreted]option of cargo deny.I opted for using an explicit include list instead of an exclude list to prevent these files from being included in the published packages to make sure that everything that's included is an conscious choice.