Validate the integrity of PURL source and binaries of popular packages in Rust

[pombredanne]

Here we scan and anlyze the integrity of PURLs for source and binaries to detect malicious backdoors or missing source code for the most popular PURLs in Rust ecosystem. Where relevant we should work with upstream FOSS projects and ecosystems to resolve the key security issues uncovered.

[chinyeungli]

@pombredanne What would be considered the "binary" for a rust package?
For example, in the case of the serde package (https://crates.io/crates/serde/1.0.0), the source download URL is:
https://crates.io/api/v1/crates/serde/1.0.0/download
Is there a separate binary download URL for this package?

[DennisClark]

@pombredanne we need your response on this to move it out of "Blocked", thanks.

[pombredanne]

@chinyeungli @DennisClark re:

• Validate the integrity of PURL source and binaries of popular packages in Rust #65 (comment)

We have done d2d on Rust binaries in the past, but that would imply that we go from a crate to its source git repo and there to prebuilt binaries if available.

We have a ample and useful results with PyPI, npm and maven. So I am moving this issue out of the plan for now