cargo-vet

What it is #

cargo-vet is Mozilla’s tool for sharing audits of Rust crates. It originated from Mozilla’s need to know that the growing set of Rust dependencies inside Firefox had been reviewed by someone trusted, and is now in production use across several Rust-ecosystem organisations.

It expresses audits using TOML, with criteria and a free-form notes section. Audits can be stored in the repository, or they can be imported via HTTPS. Imported audit lists are pinned by their hash.

It uses a configuration file that declares which external audits to import by URL, the audit criteria the consumer requires, exemptions (unaudited packages the consumer has chosen to accept), and per-package overrides.

Workflow #

Auditor side: cargo vet certify writes a new audit entry for a specific crate version into the local audits.toml. cargo vet diff <crate> <old> <new> opens the diff between two versions in an editor; a delta audit can then be written for just the change rather than the whole crate.

Consumer side: cargo vet check ensures every crate in the lockfile is covered either by a local audit, an imported audit, or an exemption. cargo vet suggest reports which crates still need audits and proposes the cheapest path (for example, a delta audit on top of an already-audited prior version).

Trust model #

Trust in cargo-vet is criteria-based. A criterion is a label (for example safe-to-deploy, safe-to-run, or a custom one defined in config.toml) paired with a free-form description. Auditors assert that a crate version satisfies one or more criteria. Imports are explicit per organisation and intentionally non-transitive: if A imports from B and B imports from C, A does not automatically gain C’s audits. cargo-vet documents this as “an intentional limitation which keeps trust relationships direct and easy to reason about”.

Comparison to OpenVet #

cargo-vet was one of the tools that inspired OpenVet, so some of the design decisions that OpenVet made can be credited to cargo-vet’s prior work. However, OpenVet does differ from cargo-vet in a number of ways, most of which are additive.

The structural differences:

Cryptographic verification. cargo-vet audits are unsigned. Integrity rests on TLS between the consumer and the hosting git repository, and on the integrity of the host itself. OpenVet signs every audit (by the author) and every log commit (by the log owner). Tampering breaks signature verification regardless of where the data is served from.

Attribution. cargo-vet records the auditor identity in a free-form who field with no protocol-level verification; anyone with write access to the publisher’s audits.toml can write any identity. OpenVet signs every audit with a key bound to the auditor, and attribution to that auditor is cryptographic and preserved permanently in the log’s history.

Subject binding. cargo-vet audits identify the audited code by package name and version; there is no content hash. If the bytes a consumer’s registry serves for a given name@version differ from what the auditor reviewed (for example through a malicious mirror or a hostile proxy registry), the audit still appears to apply, but to different code than was actually reviewed. OpenVet audits are bound to the content hash of the audit subject: an audit applies only when the consumer’s bytes hash to the same value the auditor reviewed. OpenVet treats software package registries as untrusted.

History integrity. A cargo-vet audits.toml repository can be force-pushed or rewritten with no protocol-level append-only guarantee, and imports.lock only pins what the consumer last fetched. OpenVet logs are append-only signed commit chains, and a previously-pinned head must remain reachable from any new head or the update aborts.

Distribution. cargo-vet audits live in monolithic audits.toml files fetched in their entirety. OpenVet uses content-addressed Merkle Search Trees indexed by audit subject, so a consumer fetches only the audits matching packages in its lockfile. This lets logs scale to millions of audits while remaining efficient to query.

Discoverability. cargo-vet has no central index of audits: a consumer imports audits from a specific list of URLs, and there is no way to ask “who has audited package X?” across the ecosystem. Google’s and Mozilla’s audit sets are public knowledge in the Rust community, but other publishers are invisible until someone tells you their URL. OpenVet’s protocol is host-agnostic, but the public registry indexes audits by subject across the logs it hosts, so consumers can search for audits of a package without already knowing who wrote them.

Ecosystem. cargo-vet is a Cargo subcommand. The audit model is general but the tooling is Rust-specific. OpenVet covers Cargo, npm, PyPI, Go modules, and RubyGems through a single audit format and CLI.

Claims vs criteria. cargo-vet auditors assert criteria like safe-to-deploy; importing audits from another organisation means accepting that organisation’s definition of “safe to deploy”. OpenVet auditors assert atomic claims (impl-crypto, crypto-impl-safe, crypto-impl-correct, crypto-impl-tested) which consumers compose into their own requirements. The two surfaces look similar; policy decisions sit in different places.

Authoring surface. cargo-vet audits are TOML edited by hand or written by cargo vet certify, and the publisher hosts the resulting audits.toml themselves. OpenVet offers CLI and TUI authoring as well as a web authoring path on the registry. The web path uses GitHub sign-in, and the registry handles key generation and publishing (with opt-out for self-custodial key handling), so an auditor does not need to set up their own audit hosting to participate.

Using alongside OpenVet #

OpenVet is intended as a replacement for cargo-vet, not a complement. The two answer the same question, and running them side-by-side duplicates authoring work. Existing cargo-vet audits can be re-published as OpenVet audits on a log of one’s own. cargo-vet entries are unsigned, so the converted audits carry the republishing party as the attribution rather than the original cargo-vet author.