Community driven crates registry reflector #42

@pinkforest

Just a wild idea

Would there be interest in a community "hardened" or "moderated" crates.io [registries] reflector source that essentially filters to cargo automatically by-community-input on crates that are available to cargo via its index?

Essentially this would combine several tools - we could use the registry hostname to identify which set of "exclusions" is to be used via the reflection.

_NOTE: I am not sure yet whether a "private" community registry would work properly with the current cargo, as I haven't tested doing this, but there is a flag and [registry]. However, even without current support it would be nice to discuss the prospect / benefits / cons._

Use-Cases

  • Filter-blacklist by yank & Advisory DB - OR -
  • Redirect to "last working or presumed secure version" (.lock will fail though)
  • Builds w/ .lock's that refer to insecure / yanked versions will fail

Logistics

  • I already have everything via my effort on geiger.rs except how cargo interacts with the index / registry, for which I would need to roll the respective API, as well as RBL-style DNS naming to reflect included sets of deny/redirect-filter lists.
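
A sketch of the filtering step proposed in this issue, added here as an example; it is not code from the issue author or from geiger.rs. It assumes the crates.io index layout (one JSON object per version line, with `name`, `vers` and `yanked`); the base domain `reflector.example`, the filter-set labels and the advisory map shape are hypothetical, and version ordering is simplified to numeric major.minor.patch.

```python
import json

# Constructed sample: three lines of one crate's index file (one JSON object per version).
SAMPLE_INDEX = "\n".join([
    '{"name":"demo","vers":"0.1.0","deps":[],"cksum":"00","features":{},"yanked":true}',
    '{"name":"demo","vers":"0.2.0","deps":[],"cksum":"11","features":{},"yanked":false}',
    '{"name":"demo","vers":"0.3.1","deps":[],"cksum":"22","features":{},"yanked":false}',
])
# Constructed advisory data: crate name -> first patched version (hypothetical shape).
SAMPLE_ADVISORIES = {"demo": "0.3.0"}
KNOWN_SETS = {"yank", "advisory"}  # hypothetical filter-set labels


def filter_sets_from_host(host, base="reflector.example"):
    """RBL-style naming: labels left of the base domain select the filter sets."""
    host = host.lower().rstrip(".")
    if not host.endswith("." + base):
        raise ValueError("host is not under the reflector base domain")
    labels = host[: -len(base) - 1].split(".")
    unknown = set(labels) - KNOWN_SETS
    if unknown:
        raise ValueError(f"unknown filter set(s): {sorted(unknown)}")
    return set(labels)


def version_key(vers):
    """Simplified ordering: numeric major.minor.patch, pre-release/build ignored."""
    core = vers.split("+")[0].split("-")[0]
    return tuple(int(part) for part in core.split("."))


def reflect_index(index_text, host, advisories):
    """Return the index file with entries dropped according to the host's filter sets."""
    sets = filter_sets_from_host(host)
    kept = []
    for line in index_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if "yank" in sets and entry.get("yanked"):
            continue  # yanked version is hidden from this view of the index
        patched = advisories.get(entry["name"])
        if "advisory" in sets and patched and version_key(entry["vers"]) < version_key(patched):
            continue  # version predates the first patched release
        kept.append(line)  # pass the original line through unchanged
    return "\n".join(kept)
```

An unknown label in the hostname raises an error instead of being ignored, so a mistyped filter-set name cannot silently yield an unfiltered index.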
