by infogulch 1377 days ago
This seems like a pretty comprehensive strategy to take wasm security and correctness seriously. It pretty much covers everything I would want to see if I were relying on this system, including auditing, fuzzing, formal correctness, spectre, and even a clear-eyed organizational stance toward reported security vulnerabilities.

The post mentions using `cargo vet` to organize audits of third-party crates, discussed here a few months ago [0]. I'm more familiar with cargo-crev, which does something similar; how do these auditing tools compare? The audit format [1] seems somewhat reasonable, but it doesn't include the review date and there's no mechanism to validate the authenticity of the auditors.

[0]: https://news.ycombinator.com/item?id=31719532

[1]: https://mozilla.github.io/cargo-vet/recording-audits.html

1 comment

I previously asked "why cargo vet instead of extending crev" and I think the answer was that architecturally cargo-crev is meant to be a single repository of public audits, whereas cargo-vet aims for a decentralized system where anyone can publish an audit anywhere, and each individual project has to opt into which audit databases they trust.

Also cargo-vet has some good ideas about how to suddenly introduce cargo-vet into an existing codebase.
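To make the "opt into which audit databases they trust" model concrete, here is an added illustration (not from either commenter, and not an actual project's files) of the two files cargo-vet keeps under `supply-chain/`. The crate names, auditor identities and the import URL are placeholders; the keys (`imports`, `url`, `policy`, `audits`, `who`, `criteria`, `version`, `delta`, `notes`) and the built-in criteria `safe-to-deploy` / `safe-to-run` are the ones the cargo-vet documentation linked in [1] describes. Note that, as the first comment points out, an audit entry carries no review date and nothing binds the `who` string to a verifiable identity, so the trust decision rests entirely on which `imports` a project chooses to pull in.

```toml
# supply-chain/config.toml (illustrative; names and URL are placeholders)

# A project opts into someone else's audit set by importing it. The audits
# from this URL are trusted as if the project had performed them itself,
# so the choice of import is the actual security decision.
[imports.example-org]
url = "https://example.invalid/supply-chain/audits.toml"

# Per-crate policy: first-party crates are typically held to the stricter
# built-in criterion, which in turn demands that their dependencies meet it.
[policy.my-service]
criteria = "safe-to-deploy"

# supply-chain/audits.toml (illustrative; a project's own recorded audits)

# A full audit of one version of a third-party crate. There is no date
# field, and `who` is free text that nothing cryptographically verifies.
[[audits.some-dep]]
who = "Reviewer Name <reviewer@example.invalid>"
criteria = "safe-to-deploy"
version = "1.2.0"
notes = "Reviewed unsafe blocks and build script; no network or filesystem access."

# A delta audit: the reviewer only read the diff between two versions,
# relying on an existing audit (possibly an imported one) for the base version.
[[audits.some-dep]]
who = "Reviewer Name <reviewer@example.invalid>"
criteria = "safe-to-deploy"
delta = "1.2.0 -> 1.2.1"
notes = "Dependency bump and doc fixes only."

# A weaker criterion for a build-time-only dependency.
[[audits.dev-only-tool]]
who = "Reviewer Name <reviewer@example.invalid>"
criteria = "safe-to-run"
version = "0.4.3"
```

With these files in place, running `cargo vet` checks every crate in the dependency graph against the project's own audits plus the imported ones, and fails on any crate that is not covered; the `[[audits.*]]` records are what a downstream project would in turn be importing if it trusted this one, which is where the first comment's concern about unverifiable authorship comes in.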