Comments (1)
https://doc.rust-lang.org/cargo/faq.html#why-do-binaries-have-cargolock-in-version-control-but-not-libraries is very clear about recommending that all binaries should check in their `Cargo.lock` file. The requirement for frequent releases is there already in my opinion, because without them, people aren't going to rebuild `acmed`. If you assume they will rebuild `acmed` without a new release, then I'd say it'd also be fair to assume that they'd run `cargo update` before, to ensure that they get the newest dependencies.
With regards to analyzing all changes in all dependencies: I don't think that is feasible, ever, and even if it was, it's not related to checking in the `Cargo.lock` file IMO? There's `cargo crev` for this that works on a Web of Trust basis and operates on positive/neutral/negative assessments for crates, or lists of advisories on problematic crates/crate versions in the RUSTSEC database. IMO, working with `cargo audit` and the RUSTSEC database is enough here, and if we want to go the extra mile, we can do spot checks which we then document with `cargo crev`, but checking in the `Cargo.lock` file should be blocked on those things.