Determine plan for auditing Rust dependencies #6500
Comments
|
I reviewed both the cargo-crev and cargo-vet documentation, and while it seems less mature, my preference is for cargo-vet. cargo-crev is designed for individuals doing reviews, each person gets a crev ID and hosts their own crev proof repository. While cargo-vet seems more aligned with trusting orgs for reviews. cargo-crev is built on the web of trust, so when you trust person, you now implicitly trust all the other people they trust. I think that's fine for casual projects, but I think we're a lot more paranoid than that! I imagine we would trust the audits done by Mozilla/Firefox since if we don't trust them we're already pwned, but not necessarily every person who someone who works on Firefox trusts. And ultimately cargo-vet seems conceptually simpler, there's no cryptography involved or keys or IDs, it just relies on git repos (so HTTPS). |
ghost
self-assigned this
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
|
I tried out |
|
Thinking closely about the Python diff review workflow, there are two steps missing:
|
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
|
I think we're mostly set on going forward with |
Since we only target Linux x86_64 machines, I ignored all the obvious Windows/WASM/Redox dependencies. In the future it seems like we should be able to set an explicit target for this (mozilla/cargo-vet#63). We import the Firefox audits to help reduce review load; the SecureDrop security model relies on Firefox already via Tor Browser. Refs #6500
|
@legoktm, thanks for your research and recommended links here. I've read the cargo-vet manual and like both the trust model it implements and the review ergonomics it offers. Re: #6500 (comment) (modulo my conversion to ordered list :-), the cargo-vet team has addressed both of these topics in mozilla/cargo-vet#449:
I agree with you that this still requires trusting
To feel comfortable with this, I think we'd want to upgrade our "commits should be signed" to "commits MUST be signed", enforced by CI. See also: |
If we want to enforce it by CI (a good idea IMO), then I think we should just sign the relevant files, similar to how we sign sha256sums in securedrop-builder, so we're not dependent on tracking the entire git history to ensure it hasn't been touched by an unsigned commit, we can just check the latest state. |
|
Not that I'm any kind of stakeholder here, but it seems to me that if you consider commit signing important enough to enforce for third-party code integrity, it would make sense to enforce it for first-party code as well. |
|
Generating signed hashes for the audit files seems like an extra hurdle, I'd be in favour of adding an overall commit signing policy - only downside I can see is inconvenience/barrier to entry. Failing that, a more lightweight approach would be to define code ownership for said files and ensuring the owner group is a) signing their commits and b) comfortable reviewing changes to the cargo vet audits. |
cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked. == Trust == To reduce the number of audits we have to do, we trust the following organizations: * Bytecode Alliance (WASM/WASI) * Google * Internet Security Research Group (Let's Encrypt, etc.) * Mozilla * Zcash We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things. All of the individual trust markers have an expiry date to remind us to re-evalutate trustworthiness every so often. == Exemptions == There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually, in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically. The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them. == Signing == Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages). == CI == CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of. Fixes #6500.
cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked. == Trust == To reduce the number of audits we have to do, we trust the following organizations: * Bytecode Alliance (WASM/WASI) * Google * Internet Security Research Group (Let's Encrypt, etc.) * Mozilla * Zcash We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things. All of the individual trust markers have an expiry date to remind us to re-evalutate trustworthiness every so often. == Exemptions == There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually, in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically. The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them. == Signing == Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages). == CI == CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of. Fixes #6500.
|
We have some discussion re: signing policy at #6943. Ultimately since these audits are all being stored in the Git history and attributable, I don't think we need to require PGP signatures (in contrast our diff reviews are posted on wiki pages without any pre-review). Also, @bholley, thanks for commenting and your work on cargo-vet :) I've put up our initial configuration at #6981 if you're interested in taking a look. |
cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked. == Trust == To reduce the number of audits we have to do, we trust the following organizations: * Bytecode Alliance (WASM/WASI) * Google * Internet Security Research Group (Let's Encrypt, etc.) * Mozilla * Zcash We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things. All of the individual trust markers have an expiry date to remind us to re-evalutate trustworthiness every so often. For now we've set the expiry to 6 months as we're still getting familiar with the system. == Exemptions == There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually, in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically. The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them. == Signing == Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages). == CI == CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of. Fixes #6500.
github-project-automation
bot
moved this from In Progress
to Done
in SecureDrop dev cycle
As part of using Sequoia, we'll start pulling in Rust dependencies (161 crates by my current count!). The process for performing "diff reviews" of Python dependencies is documented on the wiki.
We may want to take advantage of some Rust tools that allow for sharing audit status like:
The text was updated successfully, but these errors were encountered: