From 800e182cb7009c53e8288ee6013bb33a61fb8ead Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Thu, 31 Aug 2023 19:03:47 +0200 Subject: [PATCH 1/4] Create 2023-08-29-keeping-secure-with-cargo-audit-0.18.md Release announcement for cargo-audit v0.18 --- ...29-keeping-secure-with-cargo-audit-0.18.md | 71 +++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md diff --git a/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md b/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md new file mode 100644 index 000000000..666bdb1e9 --- /dev/null +++ b/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md 
@@ -0,0 +1,71 @@ +--- +layout: post +title: "Keeping Rust projects secure with cargo-audit 0.18: performance, compatibility and security improvements" +author: Sergey "Shnatsel" Davidoff +description: "A look at the new features in cargo-audit 0.18 for ensuring dependencies are free of known vulnerabilities" +team: the Secure Code WG +--- + +[`cargo audit`](https://crates.io/crates/cargo-audit) checks your project's dependencies for known security vulnerabilites. + +By default `cargo audit` checks on your `Cargo.lock` file, but it can also [scan compiled binaries](https://github.com/rustsec/rustsec/tree/main/cargo-audit#cargo-audit-bin-subcommand). You can install `cargo-audit` and run it against your project with the following commands: + +``` +$ cargo install cargo-audit +$ cargo audit +``` + +Both `cargo audit` and the [RustSec](https://rustsec.org/) advisory database that powers it are maintaiend by the [Rust Secure Code working group](https://www.rust-lang.org/governance/wgs/wg-secure-code). + +## What's new in this release + +### Performance + +`cargo audit` now uses the [sparse crates.io index](https://blog.rust-lang.org/inside-rust/2023/01/30/cargo-sparse-protocol.html) when checking for yanked crates. This dramatically speeds up the scanning process because `cargo audit` no longer needs to download the entire crates.io index, which could take up to several minutes. + +Sparse index is used by default if you are running Rust 1.70 or later, same as in Cargo itself. `cargo audit` honors [the Cargo settings for the use of sparse index](https://doc.rust-lang.org/cargo/reference/config.html#registriescrates-ioprotocol), should you need to opt out for any reason. + +### Security + +`cargo audit` previously relied on [OpenSSL](https://en.wikipedia.org/wiki/OpenSSL) on all platforms. In this release we have switched to [rustls](https://crates.io/crates/rustls) - a high-quality, memory-safe TLS implementation in Rust. 
+ +In contrast to OpenSSL's [history](https://www.openssl.org/news/vulnerabilities.html) of high-severity vulnerabilities, rustls has a stellar track record and eliminates entire classes vulnerabilities by construction. It has passed an independent audit with flying colors; the auditors even [noted](https://github.com/rustls/rustls/blob/main/audit/TLS-01-report.pdf) that they "had the rare pleasure of being impressed with the exceptional quality of the presented software". + +Since TLS constitutes the vast majority of the attack surface of `cargo audit`, we are very excited to use a more secure TLS implementation! + +### Compatibility + +A number of long-standing issues are resolved thanks to switching from [libgit2](https://github.com/libgit2/libgit2) to [gitoxide](https://github.com/Byron/gitoxide) as our git implementation: + + 1. [`cargo audit` can now run in Alpine Linux containers](https://github.com/rustsec/rustsec/issues/466). + 1. [Several instances of `cargo audit` running in parallel can now fetch Git repositories without issue](https://github.com/rustsec/rustsec/issues/490). + 4. [Accessing Git repositories over SSH is now supported](https://github.com/rustsec/rustsec/issues/292). + 3. [Credential helpers to access private repositories are now supported](https://github.com/rustsec/rustsec/issues/555). + +## Known issues + +### Limited CPU architecture support + +CPU architectures other than x86 and ARM are not supported by this release. This is due to [ring](https://github.com/briansmith/ring), the cryptographic library used by rustls, not supporting other CPU architectures yet. + +rustls is [in the process](https://github.com/rustls/rustls/issues/521) of adding support for other cryptographic libraries. We will consider adding support for another TLS implementation if no portable cryptographic library for rustls materializes in the near future. + +In the meantime we recommend using the previous release on uncommon CPU architectures. 
You may also consider other tools that read `Cargo.lock` files and the RustSec advisory database, such as [Trivy](https://github.com/aquasecurity/trivy), [osv-scanner](https://github.com/google/osv-scanner) or [Dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts). + +### `cargo audit fix` is not converted + +The experimental subcommand `cargo audit fix` to automatically upgrade vulnerable dependencies has existed for a while but has been disabled by default. It has **not** been converted to use gitoxide and rustls in this release, and has not benefited from any of these improvements. + +We will likely [rewrite this feature from the ground up](https://github.com/rustsec/rustsec/issues/938) before enabling it by default in subsequent releases. + +## Reporting issues + +Due to the sweeping changes to the libraries `cargo audit` relies on for git protocol and networking there are bound to be subtle differences in behavior compared to previous versions. + +If you encounter issues with this latest release, please [report it to us on Github](https://github.com/rustsec/rustsec/issues/new). Thank you! + +## Acknowledgements + +Thanks to [Jake Shadle](https://github.com/Jake-Shadle) who did most of the work in this release, as well as for creating the [`tame-index`](https://github.com/EmbarkStudios/tame-index) crate that enabled sparse registry support in `cargo audit`. + +Thanks to [Sebastian Thiel](https://github.com/Byron) for creating [`gitoxide`](https://github.com/Byron/gitoxide) and improving it to accommodate the `cargo audit` requirements, as well as helping review the changes. From abf3a7166d6bdbf8b38f795531522b9870ae6991 Mon Sep 17 00:00:00 2001 From: Caleb Zulawski Date: Fri, 1 Sep 2023 16:15:12 -0400 Subject: [PATCH 2/4] fix typo --- posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
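Review bot: two spelling errors and one missing word remain in this hunk: the opening line has `vulnerabilites` (should be `vulnerabilities`), the Secure Code WG line has `maintaiend` (`maintained`), and the rustls paragraph reads "eliminates entire classes vulnerabilities" (missing "of"). The sentence "By default `cargo audit` checks on your `Cargo.lock` file" also reads better as "checks your `Cargo.lock` file". In the Compatibility list the ordinal prefixes run `1.`, `1.`, `4.`, `3.`; Markdown renumbers them sequentially, but the source should use `1.` through `4.` (or all `1.`) so the intended order is explicit. Minor: the install snippet's fence carries no language tag and will render without shell highlighting, so consider tagging it `console` or `sh`, and "Github" in the Reporting issues section should be "GitHub".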
diff --git a/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md b/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md index 666bdb1e9..5187cb4e0 100644 --- a/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md +++ b/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md @@ -15,7 +15,7 @@ $ cargo install cargo-audit $ cargo audit ``` -Both `cargo audit` and the [RustSec](https://rustsec.org/) advisory database that powers it are maintaiend by the [Rust Secure Code working group](https://www.rust-lang.org/governance/wgs/wg-secure-code). +Both `cargo audit` and the [RustSec](https://rustsec.org/) advisory database that powers it are maintained by the [Rust Secure Code working group](https://www.rust-lang.org/governance/wgs/wg-secure-code). ## What's new in this release From 3ea5ce22a132341a484eb5585a5ec2ac5f1b7e07 Mon Sep 17 00:00:00 2001 From: "Sergey \"Shnatsel\" Davidoff" Date: Sat, 2 Sep 2023 10:33:29 +0200 Subject: [PATCH 3/4] Move cargo-audit announcement to inside-rust blog, it was on the main blog by mistake --- .../2023-08-29-keeping-secure-with-cargo-audit-0.18.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename posts/{ => inside-rust}/2023-08-29-keeping-secure-with-cargo-audit-0.18.md (100%) diff --git a/posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md b/posts/inside-rust/2023-08-29-keeping-secure-with-cargo-audit-0.18.md similarity index 100% rename from posts/2023-08-29-keeping-secure-with-cargo-audit-0.18.md rename to posts/inside-rust/2023-08-29-keeping-secure-with-cargo-audit-0.18.md From 79786bbba5aa1f87031305a4d1e495768e7ead9f Mon Sep 17 00:00:00 2001 
From: "Sergey \"Shnatsel\" Davidoff" Date: Sat, 2 Sep 2023 10:34:53 +0200 Subject: [PATCH 4/4] schedule the cargo-audit release announcement for the 4th of September --- ...0.18.md => 2023-09-04-keeping-secure-with-cargo-audit-0.18.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename posts/inside-rust/{2023-08-29-keeping-secure-with-cargo-audit-0.18.md => 2023-09-04-keeping-secure-with-cargo-audit-0.18.md} (100%) diff --git a/posts/inside-rust/2023-08-29-keeping-secure-with-cargo-audit-0.18.md b/posts/inside-rust/2023-09-04-keeping-secure-with-cargo-audit-0.18.md similarity index 100% rename from posts/inside-rust/2023-08-29-keeping-secure-with-cargo-audit-0.18.md rename to posts/inside-rust/2023-09-04-keeping-secure-with-cargo-audit-0.18.md
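Review bot: the "fix typo" commit corrects `maintaiend` but leaves the other typos in the same post untouched: `vulnerabilites` in the first paragraph, the missing "of" in "eliminates entire classes vulnerabilities", and the out-of-order list prefixes `1.`, `1.`, `4.`, `3.` in the Compatibility section. Since the commit is already scoped to typo fixes, folding those into this change would be cleaner than leaving them for a later commit; the two follow-up renames only move the post to `posts/inside-rust/` and shift the filename date to 2023-09-04 without touching the content, so nothing else corrects them.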