
deprecate or warn about downloads over unencrypted HTTP #7081

Open
benaryorg opened this issue Jun 29, 2019 · 3 comments
Labels
A-diagnostics Area: Error and warning messages generated by Cargo itself. A-networking Area: networking issues, curl, etc. A-security Area: security C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted.

Comments

@benaryorg

Describe the problem you are trying to solve

In light of recent developments in the Java ecosystem I think Rust should follow that and also mark "http" sources as deprecated or warn about them in some way.

Describe the solution you'd like

Correct me if I'm wrong here, but pulling sources from http:// instead of directly from crates.io, likely via git, does require putting it in its own TOML section either way, right?
One could then require a switch similar to allow-unencrypted-http = true.
In a first step just outputting a warning/deprecation notice if this is not set but the source is http:// should be fine, and after some time one could then switch to this aborting the build.

Notes

This would in the second stage break builds, with the fix being a configuration option.
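As an added illustration of the two-stage behaviour proposed above (not Cargo's own code, and the `allow-unencrypted-http` key is the hypothetical switch from this issue, not something Cargo implements), the following scans a Cargo config fragment for `[source.*]` / `[registries.*]` download URLs that use plain `http://` and emits one warning per source unless the opt-in is present either at the root or inside that section. It uses a tiny line-based TOML subset parser of its own rather than Cargo's real config loading, and the config it runs on is constructed for the example:

```rust
// Added example, not Cargo's code. `allow-unencrypted-http` is the opt-in
// proposed in this issue, not an existing Cargo key.
use std::collections::BTreeMap;

type Table = BTreeMap<String, String>;

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub section: String, // e.g. "source.mirror"
    pub key: String,     // "registry", "index" or "git"
    pub url: String,
}

/// Tiny TOML subset: `[section]` headers and `key = value` lines (quotes
/// stripped). Anything after `#` is a comment, so a `#` inside a quoted URL
/// is not supported. Keys before any header go into the root table "".
fn parse_subset(text: &str) -> BTreeMap<String, Table> {
    let mut tables: BTreeMap<String, Table> = BTreeMap::new();
    let mut current = String::new();
    for raw in text.lines() {
        let line = raw.split('#').next().unwrap_or("").trim();
        if line.is_empty() {
            continue;
        }
        if line.starts_with('[') && line.ends_with(']') {
            current = line[1..line.len() - 1].trim().to_string();
            tables.entry(current.clone()).or_default();
            continue;
        }
        if let Some((k, v)) = line.split_once('=') {
            let value = v.trim().trim_matches('"').to_string();
            tables.entry(current.clone()).or_default().insert(k.trim().to_string(), value);
        }
    }
    tables
}

/// Every source/registry entry whose download URL is plain http://,
/// before any opt-in is considered.
pub fn find_unencrypted_sources(config: &str) -> Vec<Finding> {
    let mut findings = Vec::new();
    for (section, table) in parse_subset(config) {
        if !(section.starts_with("source.") || section.starts_with("registries.")) {
            continue;
        }
        for (key, url) in table {
            let is_download_url = matches!(key.as_str(), "registry" | "index" | "git");
            if is_download_url && url.to_ascii_lowercase().starts_with("http://") {
                findings.push(Finding { section: section.clone(), key, url });
            }
        }
    }
    findings
}

fn opted_in(table: Option<&Table>) -> bool {
    table
        .and_then(|t| t.get("allow-unencrypted-http"))
        .map_or(false, |v| v.as_str() == "true")
}

/// First stage from the issue: Ok when every http:// source is covered by
/// the opt-in (root-level or in its own section), else one warning per
/// uncovered source. The second stage would turn Err into a build failure.
pub fn check(config: &str) -> Result<(), Vec<String>> {
    let tables = parse_subset(config);
    let root_opt_in = opted_in(tables.get(""));
    let warnings: Vec<String> = find_unencrypted_sources(config)
        .into_iter()
        .filter(|f| !(root_opt_in || opted_in(tables.get(&f.section))))
        .map(|f| {
            format!(
                "warning: `[{}]` downloads over unencrypted HTTP ({} = \"{}\"); \
                 set `allow-unencrypted-http = true` to accept the risk",
                f.section, f.key, f.url
            )
        })
        .collect();
    if warnings.is_empty() { Ok(()) } else { Err(warnings) }
}

/// Constructed sample config for this example (not from the issue).
pub const SAMPLE_CONFIG: &str = r##"
[source.crates-io]
replace-with = "mirror"

[source.mirror]
registry = "http://mirror.example.internal/index"   # plain http, no opt-in

[registries.internal]
index = "https://registry.example.internal/index"   # fine

[source.vendored]
git = "http://git.example.internal/vendored.git"    # plain http, opted in below
allow-unencrypted-http = true
"##;

fn main() {
    match check(SAMPLE_CONFIG) {
        Ok(()) => println!("no unencrypted sources to warn about"),
        Err(warnings) => warnings.iter().for_each(|w| eprintln!("{}", w)),
    }
}
```

Run as written it prints a single warning for `[source.mirror]`; `[source.vendored]` is silenced by its section-level opt-in and the `https://` registry is never considered. Keeping the finding step separate from the opt-in decision is what makes the later "abort the build" stage a one-line change.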

@benaryorg benaryorg added the C-feature-request Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted` label Jun 29, 2019
@ehuss ehuss added the A-networking Area: networking issues, curl, etc. label Sep 21, 2019
@ehuss ehuss added the A-security Area: security label Apr 22, 2020
@alexandre-janniaux

Hi,

In case this issue lands in the git tree, it is probably a good idea to keep http download when we can provide a signature hash to verify the integrity of the file after download, because https is expensive and the issue is the absence of an integrity check somewhere, and https is a mitigation that is not perfect with regard to that.

@eslerm

eslerm commented Jul 27, 2023

An opt-in https mode would resolve this and not break environments which require insecure connections.

A warning would encourage better practices.

@weihanglo weihanglo added A-diagnostics Area: Error and warning messages generated by Cargo itself. S-needs-design Status: Needs someone to work further on the design for the feature or fix. NOT YET accepted. labels Aug 11, 2023
@weihanglo
Member

This sounds good to me. Once Cargo gets #12115 landed and has its own lint control system, we could start rolling out this kind of warning.


5 participants