cargo install currently downloads, compiles and installs unsigned code, probably even over an unencrypted connection. The only security measure at all is checking some package index. This behaviour is horribly insecure.
cargo should do better:
- warn for every unsigned piece of software that it is unsigned (and thus horribly insecure to run)
- don't allow git checkout over unencrypted connections at all. Ever.
- suggest (later version: require) crate releases to be signed by the crate author
- use Web of Trust or PKCS to verify signatures; fall back to TOFU (trust on first use) after warning and confirmation by the user.
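The trust decision the issue asks for (accept a key vouched for by the web of trust or PKI, otherwise fall back to TOFU only after a warning and user confirmation, and always warn on unsigned releases), written out as an added example. This is not cargo's code: the `TrustStore` layout, the `decide` function and the fingerprint strings are assumed, and the actual cryptographic signature check is assumed to happen elsewhere and is passed in as a boolean.

```rust
use std::collections::{HashMap, HashSet};

/// Outcome of the trust decision for one crate release.
#[derive(Debug, PartialEq)]
pub enum Verdict {
    UnsignedWarn,   // no signature: proceed only with an explicit warning
    Trusted,        // signer is in the web of trust, or matches the TOFU pin
    FirstUsePinned, // unknown signer, user confirmed: pin it for next time
    Declined,       // unknown signer, user did not confirm: refuse
    KeyMismatch,    // signer differs from the pinned key: refuse
    BadSignature,   // signature present but does not verify: refuse
}

/// Trust state kept by the installer (assumed layout, not cargo's).
#[derive(Default)]
pub struct TrustStore {
    /// Key fingerprints vouched for through the web of trust / PKI.
    pub wot_keys: HashSet<String>,
    /// TOFU pins: crate name -> fingerprint seen and confirmed on first use.
    pub pins: HashMap<String, String>,
}

/// `signer` is `None` for an unsigned release, otherwise the signer's key
/// fingerprint and whether the signature verified (assumed to be checked
/// by a real signature routine before this policy runs).
pub fn decide(store: &mut TrustStore, krate: &str, signer: Option<(&str, bool)>, user_confirms: bool) -> Verdict {
    let (fp, sig_valid) = match signer {
        None => return Verdict::UnsignedWarn,
        Some(s) => s,
    };
    if !sig_valid {
        return Verdict::BadSignature;
    }
    if store.wot_keys.contains(fp) {
        return Verdict::Trusted;
    }
    // Web of trust knows nothing about this key: apply TOFU.
    match store.pins.get(krate).cloned() {
        Some(pinned) if pinned == fp => Verdict::Trusted,
        Some(_) => Verdict::KeyMismatch,
        None if user_confirms => {
            store.pins.insert(krate.to_string(), fp.to_string());
            Verdict::FirstUsePinned
        }
        None => Verdict::Declined,
    }
}
```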