rust/comprehensive-rust
1
0
Fork 0
mirror of https://github.com/google/comprehensive-rust.git synced 2024-12-15 06:20:32 +02:00
Code Issues Releases Activity

Chromium: minor tweaks in reviews-and-audits.md. (#1540)

Browse Source
This commit is contained in:
Lukasz Anforowicz 2023-12-01 08:34:04 +00:00 committed by GitHub
parent 547de2b161
commit 1ab68d6ac1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/chromium/adding-third-party-crates/reviews-and-audits.md
View File

@ -1,7 +1,7 @@
# Auditing third party crates # Auditing third party crates
Adding new libraries is subject to Chromium's standard [policies][0], but of Adding new libraries is subject to Chromium's standard [policies][0], but of
course also subject to code review. As you may be bringing in not just a single course also subject to security review. As you may be bringing in not just a single
crate but also transitive dependencies, there may be a lot of code to review. crate but also transitive dependencies, there may be a lot of code to review.
On the other hand, safe Rust code can have limited negative side effects. On the other hand, safe Rust code can have limited negative side effects.
How should you review it? How should you review it?
@ -18,7 +18,7 @@ Meanwhile, for each new crate addition, we are checking for the following:
* Use `cd third-party/rust/chromium_crates_io; cargo audit` to check for * Use `cd third-party/rust/chromium_crates_io; cargo audit` to check for
known vulnerabilities (first you'll need to `cargo install cargo-audit`, known vulnerabilities (first you'll need to `cargo install cargo-audit`,
which ironically involves downloading lots of dependencies from the internet[2]) which ironically involves downloading lots of dependencies from the internet[2])
* Ensure any unsafe code is good enough for the [Rule of Two][3] * Ensure any `unsafe` code is good enough for the [Rule of Two][3]
* Check for any use of `fs` or `net` APIs * Check for any use of `fs` or `net` APIs
* Read all the code at a sufficient level to look for anything out of place * Read all the code at a sufficient level to look for anything out of place
that might have been maliciously inserted. (You can't realistically aim that might have been maliciously inserted. (You can't realistically aim