
Support for denying crates with executables or specific file extensions #43

Closed
repi opened this issue Nov 11, 2019 · 3 comments · Fixed by #549
Labels
enhancement (New feature or request), help wanted (Extra attention is needed)

Comments

@repi
Contributor

repi commented Nov 11, 2019

Some crates like prost-derive include embedded executables that they run in build.rs. This works on the main dev platforms, but it is something we would like to have pure Rust versions of and deny.

@LucioFranco also mentioned that it could be useful to be able to deny crates with specific file extensions in them, which could be part of the same feature.

This would require some scanning and wouldn't be foolproof, because a crate could still contain, say, a zipped exe that it unpacks, or simply download an exe and run it in build.rs. But it can still be good to investigate.
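A scanner of the kind this issue asks for, written as an added example that is not cargo-deny's code nor from any commenter in the thread. It assumes a hypothetical `Policy` (a deny list of file extensions plus a switch for flagging archives) and a `Finding` type, and the sample crate contents in `main` are constructed. It checks each file twice: by extension, which is cheap but trivially evaded by renaming, and by leading magic bytes (ELF, PE, Mach-O), which catches a renamed binary. Archives are reported as a separate finding because, as the comment above notes, a zipped exe defeats a plain executable check, so they are worth a manual look rather than a silent pass.

```rust
// Added example, not cargo-deny's own code: a minimal "no bundled executables"
// check. Policy, extension list and sample file contents are assumptions.
use std::collections::HashSet;
use std::path::Path;

/// What the scanner decided about one file inside a crate.
#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    /// File extension is on the deny list (e.g. `exe`, `dll`, `so`).
    DeniedExtension(String),
    /// Content starts with a native executable header, whatever the file name.
    ExecutableMagic(&'static str),
    /// Archive that could hide an executable; flagged for review, not proof.
    ArchiveMagic(&'static str),
}

/// Hypothetical policy in the spirit of cargo-deny's deny lists.
pub struct Policy {
    pub denied_extensions: HashSet<String>,
    pub flag_archives: bool,
}

impl Policy {
    pub fn default_policy() -> Self {
        let exts = ["exe", "dll", "so", "dylib", "bin", "com", "msi"];
        Policy { denied_extensions: exts.iter().map(|e| e.to_string()).collect(), flag_archives: true }
    }
}

/// Recognise native executables and common archives from their leading bytes.
fn magic(head: &[u8]) -> Option<Finding> {
    // Mach-O 32/64-bit in both byte orders, plus the fat/universal header.
    const MACHO: [[u8; 4]; 5] = [
        [0xfe, 0xed, 0xfa, 0xce], [0xfe, 0xed, 0xfa, 0xcf],
        [0xce, 0xfa, 0xed, 0xfe], [0xcf, 0xfa, 0xed, 0xfe],
        [0xca, 0xfe, 0xba, 0xbe],
    ];
    if head.starts_with(b"\x7fELF") {
        Some(Finding::ExecutableMagic("ELF"))
    } else if head.starts_with(b"MZ") {
        Some(Finding::ExecutableMagic("PE")) // PE/COFF begins with the DOS "MZ" stub
    } else if MACHO.iter().any(|m| head.starts_with(m)) {
        Some(Finding::ExecutableMagic("Mach-O"))
    } else if head.starts_with(b"PK\x03\x04") {
        Some(Finding::ArchiveMagic("zip"))
    } else if head.starts_with(&[0x1f, 0x8b]) {
        Some(Finding::ArchiveMagic("gzip"))
    } else {
        None
    }
}

/// Classify one file from its crate-relative path and its first bytes. The
/// extension check runs first, so `foo.exe` is reported even if it is empty.
pub fn classify(rel_path: &str, head: &[u8], policy: &Policy) -> Option<Finding> {
    let ext = Path::new(rel_path).extension().and_then(|e| e.to_str()).map(|e| e.to_ascii_lowercase());
    if let Some(ext) = ext {
        if policy.denied_extensions.contains(&ext) {
            return Some(Finding::DeniedExtension(ext));
        }
    }
    match magic(head) {
        Some(Finding::ArchiveMagic(_)) if !policy.flag_archives => None,
        other => other,
    }
}

/// Scan (path, bytes) pairs, e.g. the entries of an unpacked `.crate` tarball,
/// returning every file that violates the policy.
pub fn scan_files<'a>(files: &[(&'a str, &[u8])], policy: &Policy) -> Vec<(&'a str, Finding)> {
    files.iter().filter_map(|(p, b)| classify(p, b, policy).map(|f| (*p, f))).collect()
}

fn main() {
    // Constructed sample crate contents; names and bytes are made up.
    let files: [(&str, &[u8]); 4] = [
        ("src/lib.rs", b"pub fn x() {}"),
        ("third-party/protoc-linux", b"\x7fELF\x02\x01\x01"),
        ("bin/protoc.exe", b"MZ\x90\x00"),
        ("vendor/tools.zip", b"PK\x03\x04\x14\x00"),
    ];
    for (path, finding) in scan_files(&files, &Policy::default_policy()) {
        println!("{path}: {finding:?}");
    }
}
```

To run this over a real dependency, unpack the `.crate` file (or use the copy under `~/.cargo/registry/src`), walk it with `std::fs::read_dir`, read the first 8 bytes of each file and feed the relative path and those bytes to `classify`. Only the leading bytes are needed, so the check stays cheap even for large crates; anything it reports is a prompt to look at the crate's build.rs, not a verdict on its own.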

@repi repi added the enhancement New feature or request label Nov 11, 2019
@repi repi added the help wanted Extra attention is needed label Feb 3, 2022
@repi
Contributor Author

repi commented Aug 17, 2023

prost-build has moved away from including a prebuilt executable in the crate to using cmake instead (which for us is almost worse), so we built /~https://github.com/EmbarkStudios/proto-gen to manually prebuild and check in the Rust protobuf bindings for our crates, which has been working well.

Though now, very recently, the very popular serde-derive started having a checked-in executable in the crate:

So this issue is still relevant.

@Jake-Shadle Jake-Shadle self-assigned this Aug 17, 2023
@conradludgate

> prost-build has moved away from including a prebuilt executable in the crate to using cmake instead (which for us is almost worse)

They did this in prost-build 0.10, but as far as I know prost-build 0.11 requires protoc to be installed beforehand (I know this because I had to fix my Docker images to support this, both with the cmake build in 0.10 and with the no-cmake version in 0.11).

prost no longer bundles anything

Removal PR:
/~https://github.com/tokio-rs/prost/pull/657/files#diff-b55be6bbf5c9750593e84b0c298cb44d32a5221d3965ec540aa2391cb7f86e9aL76-L87

@MarcusGrass

> > prost-build has moved away from including a prebuilt executable in the crate to using cmake instead (which for us is almost worse)
>
> They did this in prost-build 0.10, but as far as I know prost-build 0.11 requires protoc to be installed beforehand (I know this because I had to fix my Docker images to support this, both with the cmake build in 0.10 and with the no-cmake version in 0.11).
>
> prost no longer bundles anything
>
> Removal PR: /~https://github.com/tokio-rs/prost/pull/657/files#diff-b55be6bbf5c9750593e84b0c298cb44d32a5221d3965ec540aa2391cb7f86e9aL76-L87

Yeah, proto-gen doesn't solve the bundling issue; it's just a smooth(-ish) way of generating the Rust code and checking that it's up to date with the proto files. One still needs to wrangle protoc, but only if you want to update protos. That's nice because if you have someone who wants to edit unrelated stuff, they generally don't have to bother with protoc. It does create a bit of a mess since generated files are checked in, but on the positive side it removes the need for a build.rs and tonic-build as a direct dependency. It also plays nicer with editors, which has been a plus!

Jake-Shadle added a commit that referenced this issue Sep 2, 2023
- Fix committer name
- Update krates/tame-index/gix
- Checkpoint
- Update dependencies

Resolves: #43
Resolves: #548
Resolves: #552
Resolves: #553 (I guess? It adds a feature toggle for using the OS certificate store)