by progbits 1120 days ago
Can someone explain why cargo-vet doesn't include a cryptographic hash of the crate contents?

My understanding is that this repository, and similar ones from Mozilla and others, says: "I, person X from trustworthy organization Y, have reviewed version 1.0 of crate foo and deemed it legit" (for a definition of trustworthy and legit).

But now how does that help me if I want to be careful about what I depend on and supply-chain attacks? I ask for version 1.0 of crate foo but might get some malicious payload without knowing it.


That's already prevented by the checksum which is present for all crate versions in the registry index, which is set in stone on publish and verified by cargo on download. See e.g. https://github.com/rust-lang/crates.io-index/blob/74f1b1e064...
Hmm, but then you have to trust 1) github, 2) anyone with commit access to that repository.

It's not the worst thing I suppose: #1 is a problem anyway for trusting Google/Mozilla's repo of audits, and #2 can be noticed by others, so it is hard to pull off some supply chain attack that way.

But I would still feel more confident if the audit log contained a copy of the checksum, and ideally itself was signed with author's keys.

https://lib.rs/cargo-crev does this, with the entire chain from the crate data to the reviewer's trusted identity. However, this adds a lot of complexity.

cargo-vet went for the other extreme of being super simple. To fill in their review report you don't even need any tooling.
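The chain the thread is describing (reviewer vouches for a version string, the registry index pins that version to a SHA-256 of the .crate archive, cargo checks the downloaded bytes against that hash) can be written down as a small checker. The following is an added example, not code from cargo, crates.io or cargo-vet. The index lines and audit records are constructed stand-ins in the shape of a crates.io-index entry and a cargo-vet `[[audits.foo]]` entry; the `cksum` key on the audit record is not a cargo-vet field but the hypothetical extension the thread asks about (a copy of the index checksum inside the audit), included to show what it would catch.

```python
"""Constructed check of the chain: audit -> version -> index cksum -> crate bytes."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the .crate archives cargo would download.
CRATE_1_0_0 = b"constructed stand-in for foo-1.0.0.crate"
CRATE_1_1_0 = b"constructed stand-in for foo-1.1.0.crate"

# Constructed crates.io-index style file for crate `foo`: one JSON object per
# line, one line per published version. `cksum` is the SHA-256 of the .crate
# archive and is fixed when that version is published.
INDEX_FOO = "\n".join(json.dumps(e) for e in [
    {"name": "foo", "vers": "1.0.0", "deps": [], "cksum": sha256_hex(CRATE_1_0_0),
     "features": {}, "yanked": False},
    {"name": "foo", "vers": "1.1.0", "deps": [], "cksum": sha256_hex(CRATE_1_1_0),
     "features": {}, "yanked": False},
])

# Constructed audit records mirroring `[[audits.foo]]` entries in a cargo-vet
# audits.toml. Only 1.0.0 has been reviewed. The `cksum` key is NOT part of
# cargo-vet; it is the hypothetical "audit carries the checksum" extension.
AUDITS = {
    "foo": [
        {"who": "Person X <x@example.org>", "criteria": "safe-to-deploy",
         "version": "1.0.0", "cksum": sha256_hex(CRATE_1_0_0)},
    ],
}


def index_entry(index_text: str, name: str, vers: str):
    """Find the index line for (name, vers); None if never published."""
    for line in index_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        if entry["name"] == name and entry["vers"] == vers:
            return entry
    return None


def audit_for(audits: dict, name: str, vers: str, criteria: str):
    """Find an audit record that vouches for exactly this version and criteria."""
    for rec in audits.get(name, []):
        if rec["version"] == vers and rec["criteria"] == criteria:
            return rec
    return None


def check_dependency(index_text: str, audits: dict, name: str, vers: str,
                     crate_bytes: bytes, criteria: str = "safe-to-deploy") -> str:
    """Return a status string for one resolved dependency.

    Order matters: the byte-level check (what cargo enforces) runs before the
    policy check (what cargo-vet adds), so a tampered archive is rejected even
    when its version string has a clean audit.
    """
    entry = index_entry(index_text, name, vers)
    if entry is None:
        return "not-in-index"
    if entry.get("yanked"):
        return "yanked"
    # Cargo's own guarantee: downloaded bytes must hash to the index cksum.
    if not hmac.compare_digest(sha256_hex(crate_bytes), entry["cksum"]):
        return "checksum-mismatch"
    # cargo-vet's addition: some trusted reviewer vouched for this exact version.
    rec = audit_for(audits, name, vers, criteria)
    if rec is None:
        return "unaudited"
    # Hypothetical extension: the audit also pins the checksum it was made
    # against, so a rewritten index line no longer silently inherits the audit.
    if "cksum" in rec and not hmac.compare_digest(rec["cksum"], entry["cksum"]):
        return "audit-checksum-mismatch"
    return "ok"


if __name__ == "__main__":
    print(check_dependency(INDEX_FOO, AUDITS, "foo", "1.0.0", CRATE_1_0_0))
    print(check_dependency(INDEX_FOO, AUDITS, "foo", "1.0.0", CRATE_1_0_0 + b"\x00"))
    print(check_dependency(INDEX_FOO, AUDITS, "foo", "1.1.0", CRATE_1_1_0))
```

The split between the two checks is the point of the thread: the audit binds a reviewer to a version string and nothing else, so its value rests entirely on the index line for that version staying immutable and on cargo enforcing the `cksum`. Copying the checksum into the audit record, as the poster suggests, is what turns "version 1.0.0 was reviewed" into "these exact bytes were reviewed" without depending on the index history.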