rekor
Cargo
rekor | Cargo | |
---|---|---|
29 | 264 | |
830 | 11,985 | |
0.2% | 1.1% | |
9.7 | 10.0 | |
8 days ago | 5 days ago | |
Go | Rust | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
rekor
-
Obtainium – Get Android App Updates Directly from the Source
There could be asset hashes in sigstore: https://sigstore.dev/
Is there a good way to run native mobile app GUI tests with GitHub Actions?
A VM/container emulator like anbox, waydroid, (or all of ChromeOS Flex in KVM) in a GitHub Action is probably enough to run GUI tests?
"Build your own SLSA 3+ provenance builder on GitHub Actions"
- Why SQLite Does Not Use Git
-
PGP signatures on PyPI: worse than useless
I expect something like https://sigstore.dev
-
An Overview of Kubernetes Security Projects at KubeCon Europe 2023
sigstore is another suite of tools that focuses on attestation and provenance. Within the suite are two tools I heard mentioned a few times at KubeCon: Cosign and Rekor.
- 50% new NPM packages are spam
-
Spin 1.0 — The Developer Tool for Serverless WebAssembly
Since we can distribute Spin applications using popular registry services, we can also take advantage of ecosystem tools such as Sigstore and Cosign, which address the software supply chain issue by signing and verifying applications using Sigstore's new keyless signatures (using OIDC identity tokens from providers such as GitHub).
-
Build and sign application containers
With containers being the heart of Cloud Native application development, it has become even more critical to ensure the integrity of the containers. One of the ways to do this to sign and verify the container images.sigstore is a open source project that empowers software developers to securely sign the container images.
-
Ask HN: What is the most impactful thing you've ever built?
https://sigstore.dev - although its really not true to say I built it. I started it off, but very quickly smarter folks then me jumped on board and really took it to all sorts of new directions.
-
Container Images for the Cloud Native Era
Powered by Wolfi, Chainguard Images are a suite of distroless images that consolidate the base features of the Wolfi undistro into end-user container images that can be integrated into existing workflows. Chainguard Images are fully declarative and reproducible, and include SBOMs that cover all image dependencies. In addition, Chainguard Images are signed via Sigstore, which attests the provenance of all artifacts. All images and corresponding signatures, as well as their SBOMs, are hosted in Chainguard's OCI registry cgr.dev.
-
I am Mikko Hypponen, a global infosec expert! Ask me anything.
What's your thoughts on the sigstore project from the linux foundation?
Cargo
-
Surprisingly Powerful – Serverless WASM with Rust Article 1
Installing Trunk happens through Cargo. Remember, Cargo is more than a package manager, it also supports sub-commands.
-
Understanding Dependencies in Programming
Dependency Management in Other Languages: We've discussed Python and Node.js in this article, but dependency management is a universal concept in programming. Exploring how you handle dependencies in other languages like Java, C#, or Rust could be beneficial. (I think Rust's cargo is an excellent example of a package manager.)
- Cargo Script
-
Scriptisto: "Shebang interpreter" that enables writing scripts in compiled langs
Nice hack! Would it have been possible back then to use cargo to pull in some dependencies?
The clean solution of cargo script is here: https://github.com/rust-lang/cargo/issues/12207
-
Making Rust binaries smaller by default
Yes, I am sure this is going to be a part of Rust 1.77.0 and it will release on 21st March. I say that because of the tag in the PR (https://github.com/rust-lang/cargo/pull/13257#event-11505613...).
I'm no expert on Rust compiler development, but my understanding is that all code that is merged into master is available on nightly. If they're not behind a feature flag (this one isn't), they'll be available in a full release within 12 weeks of being merged. Larger features that need a lot more testing remain behind feature flags. Once they are merged into master, they remain on nightly until they're sufficiently tested. The multi-threaded frontend (https://blog.rust-lang.org/2023/11/09/parallel-rustc.html) is an example of such a feature. It'll remain nightly only for several months.
Again, I'm not an expert. This is based on what I've observed of Rust development.
-
You can't do that because I hate you
The author provides very surface-level criticism of two Rust tools, but they don't look into why those choices were made.
With about five minutes of my time, I found out:
wrap_comments was introduced in 2019 [0]. There are bugs in the implementation (it breaks Markdown tables), so the option hasn't been marked as stable. Progress on the issue has been spotty.
--no-merge-sources is not trivial to re-implement [1]. The author has already explained why the flag no longer works -- Cargo integrated the command, but not all of the flags. This commit [2] explains why this functionality was removed in the first place.
Rust is open source, so the author of this blog post could improve the state of the software they care about by championing these issues. The --no-merge-sources error message even encourages you to open an issue, presumably so that the authors of Cargo can gauge the importance of certain flags/features.
You could even do something much simpler, like adding a comment to the related issues mentioning that you ran into these rough edges and that it made your life a little worse, or with a workaround that you found.
Alternatively, you can continue to write about how much free software sucks.
[0]: https://github.com/rust-lang/rustfmt/issues/3347
[1]: https://github.com/rust-lang/cargo/pull/10344
[2]: https://github.com/rust-lang/cargo/commit/3842d8e6f20067f716...
-
Cargo has never frustrated me like npm or pip has. Does Cargo ever get frustrating? Does anyone ever find themselves in dependency hell?
You try to use it as a part of multi-language project, with an external build tool to tie it all together, and you discover that --out-dir flag is still not stabilized over some future compatibility concerns.
- State of Mozilla
-
Learning Rust by Building a CLI App
To create a new application we'll use cargo (a build tool and also a package manager for Rust. It is used for scaffolding new library/binary projects). So in your projects folder, you can run this command in your terminal:
-
Leaving Haskell Behind
> ...but at the end of the day Cargo is the reason that Rust is popular.
FWIW, maybe that's true for you, but there are numerous other advantages to the language for which many people choose to use Rust--some even "despite" Cargo: you see Google having had to put in way way WAY too much work to get Bazel working for Rust :/--that it honestly feels a bit like belittling an extremely important language to make this claim so flippantly.
> You can set a default build target for a Cargo project with two lines of configuration, no nightly features necessary...
This doesn't work as, as soon as you start setting target-specific options, it infects the host build, as they incorrectly modelled the problem as some kind of map from targets to flags. If you don't believe me, on your Linux computer, try cross-compile something complicated that will runs on a "least common denominator" Linux distribution, such as CentOS 7.
> Can you clarify what this is referring to?
Sure. I've Googled rust cargo target host bugs for you (which, FWIW, finds a number of bugs I've filed or have talked about, but it isn't as if I have a list anywhere). Note that one of these bugs is "closed", but I still provide them for context as a patch might have been merged but (as you'll find out if you read through all of these) it isn't stable.
https://github.com/rust-lang/cargo/issues/8147
https://github.com/rust-lang/cargo/issues/3349
https://github.com/rust-lang/cargo/pull/9322
https://github.com/rust-lang/cargo/issues/9453
https://github.com/rust-lang/cargo/pull/9753
The result of this work being left incomplete is that increasingly large numbers of "serious" projects--things I'd expect people in packaging land to have heard of, such as BuildRoot--are being forced to set the ridiculous environment variable __CARGO_TEST_CHANNEL_OVERRIDE_DO_NOT_USE_THIS="nightly" in order to get access to a flag that makes Cargo sort of work.
(And yet, I often see people surprised at how long it is taking for various of the more important clients to fully get into using Rust, as the safety issues are so severe from continuing to use C/C++: as you made the contention that you believe the reason why people use Rust is Cargo, I will say the opposite: the reason why we don't see more Rust is also Cargo.)
What are some alternatives?
sigstore-the-hard-way - sigstore the hard way!
RustCMake - An example project showing usage of CMake with Rust
fulcio - Sigstore OIDC PKI
Clippy - A bunch of lints to catch common mistakes and improve your Rust code. Book: https://doc.rust-lang.org/clippy/
cosign - Code signing and transparency for containers and binaries
RustScan - 🤖 The Modern Port Scanner 🤖
kubeclarity - KubeClarity is a tool for detection and management of Software Bill Of Materials (SBOM) and vulnerabilities of container images and filesystems
opencv-rust - Rust bindings for OpenCV 3 & 4
Covenant - Covenant is a collaborative .NET C2 framework for red teamers.
overflower - A Rust compiler plugin and support library to annotate overflow behavior
MEMZ - A trojan made for Danooct1's User Made Malware Series.
crates.io - The Rust package registry