OpenVet

Idea

  • platform for collaboratively vetting Rust crates
  • simple design, based on SQLite

Features

  • Show raw crate sources

  • Ability to expand macros (click to expand?)

  • Ability to expand build scripts (or review manually?)

  • All changes tracked with a blockchain-like data structure:
    • Crate changes (uploads, yanks, etc.)
    • Vetting/auditing changes (per-user?)

  • Idea: expose crate sources as Git repositories (https://git-scm.com/book/en/v2/Git-Internals-Transfer-Protocols)

Checks

  • lib name matches crate name
  • use of unsafe
  • libraries it links with
  • build script
  • proc macro use
  • use of FFI
  • cargo VCS info is present and the referenced commit exists
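
As an added example (not part of these notes or of any existing OpenVet code), a small Python checker that runs the checks listed above over an unpacked crate. The sample crate, its lib name, linked library and commit hash are constructed inline, and the function names are assumptions.

```python
import json
import re

# Constructed sample crate (path -> contents) so the checker runs offline;
# the crate name, lib name, linked library and commit hash are made up.
SAMPLE_CRATE = {
    "Cargo.toml": '[package]\nname = "fast-sum"\nversion = "0.1.0"\nlinks = "z"\n\n'
                  '[lib]\nname = "fastsum_native"\n',
    "build.rs": 'fn main() { println!("cargo:rustc-link-lib=z"); }\n',
    "src/lib.rs": 'extern "C" { fn zlibVersion() -> *const u8; }\n'
                  'pub fn version() -> usize { unsafe { zlibVersion() as usize } }\n',
    ".cargo_vcs_info.json": '{"git": {"sha1": "0123456789abcdef0123456789abcdef01234567"}}\n',
}


def _toml_key(text, section, key):
    """Minimal reader for `key = "value"` inside `[section]`; None if absent."""
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
        elif current == section:
            m = re.match(rf'{key}\s*=\s*"([^"]*)"', line)
            if m:
                return m.group(1)
    return None


def check_crate(files):
    """Run the checks listed in the notes over an unpacked crate's files."""
    manifest = files.get("Cargo.toml", "")
    build = files.get("build.rs", "")
    src = "\n".join(v for k, v in files.items() if k.endswith(".rs") and k != "build.rs")
    crate = _toml_key(manifest, "package", "name") or ""
    # Cargo's default lib name is the package name with '-' replaced by '_'.
    lib = _toml_key(manifest, "lib", "name") or crate.replace("-", "_")
    # Native libraries: the `links` key plus anything build.rs tells rustc to link.
    libs = set(re.findall(r"rustc-link-lib=(?:[a-z]+=)?([\w.+-]+)", build))
    libs.update(filter(None, [_toml_key(manifest, "package", "links")]))
    vcs = json.loads(files.get(".cargo_vcs_info.json", "{}")).get("git", {}).get("sha1")
    return {
        "lib_name_matches": lib == crate.replace("-", "_"),
        "unsafe_count": len(re.findall(r"\bunsafe\b", src)),
        "link_libs": sorted(libs),
        "has_build_script": bool(build),
        "ffi": bool(re.search(r'extern\s+"C"', src)),
        "proc_macro_defs": len(re.findall(r"#\[proc_macro", src)),
        # Offline only well-formedness is checked; confirming the commit exists needs a fetch.
        "vcs_sha_wellformed": bool(vcs and re.fullmatch(r"[0-9a-f]{40}", vcs)),
    }
```

The regex checks are deliberately crude: they flag where to look, and a reviewer still reads the flagged `unsafe` and `extern "C"` sites and the build script.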

Articles

https://opensource.googleblog.com/2023/05/open-sourcing-our-rust-crate-audits.html

https://raw.githubusercontent.com/bholley/cargo-vet/main/registry.toml

https://github.com/crev-dev/cargo-crev

https://kerkour.com/rust-stdx

https://lib.rs/crates/bitflags/audit