---
title: Cargo crates供应链治理(Cargo.lock-Checksum-来源)最佳实践
keywords:
- Cargo.lock
- checksum
- crates
- 来源白名单
- 哈希
description: 校验 Cargo.lock 条目与来源白名单、校验和一致性,确保 Rust crates 依赖的完整性与可追溯。
categories:
- 文章资讯
- 技术教程
---
实现示例
type Crate = { name: string; version: string; source: string; checksum: string }
const allowHosts = new Set<string>(['crates.io','github.com','git.example.com'])
function hex64(h: string): boolean { return /^[A-Fa-f0-9]{64}$/.test(h) }
function validSource(u: string): boolean { try { const x = new URL(u); return x.protocol === 'https:' && allowHosts.has(x.host) } catch { return false } }
function semverLike(v: string): boolean { return /^(\d+\.\d+\.\d+)(?:[-A-Za-z0-9_.]+)?$/.test(v) }
function evaluate(list: Crate[]): { ok: boolean; errors: string[] } {
const errors: string[] = []
for (const c of list) {
if (!c.name || !semverLike(c.version)) errors.push(`id:${c.name}`)
if (!validSource(c.source)) errors.push(`source:${c.name}`)
if (!hex64(c.checksum)) errors.push(`checksum:${c.name}`)
}
return { ok: errors.length === 0, errors }
}
审计与运行治理
- 审计记录名称、版本、来源与校验和;异常阻断并回退到可信来源。
- 变更需审批与版本化管理,保持对齐与可追溯。
发表评论 取消回复