[Technical Initiative Funding Request]: Sigstore Rust SDK code audit #574

@Hayden-IO

Description

Technical Initiative

Sigstore

Lifecycle Phase

Graduated

Funding amount

$54,000

Problem Statement

The Sigstore ecosystem needs a robust, conformant Rust SDK to support the growing number of tools and organizations adopting Rust. A new implementation (sigstore/sigstore-rust, previously prefix-dev/sigstore-rust) has been generously donated to the Sigstore organization by prefix.dev, and it passes Sigstore's client conformance test suite at 100%, demonstrating full compatibility with the Sigstore specification. We'd like a formal security and code quality review so that we can confidently recommend the SDK for production use in critical infrastructure.

Who does this affect?

This affects the Sigstore community, Rust tooling developers, and any organizations that have noted interest in using a native Rust implementation of Sigstore.

Have there been previous attempts to resolve the problem?

There have been previous iterations of Sigstore tooling in Rust, but this specific implementation is distinct because it was written to match the API style of newer Sigstore SDKs and fully passes the Sigstore conformance test suite.

Why should it be tackled now and by this TI?

The SDK has been donated to the Sigstore organization and has proven its functional correctness via the conformance suite. Now is the critical moment to validate its security posture before it sees widespread adoption. Funding this review ensures that the foundation of the Rust SDK is secure from the start, preventing technical debt and security vulnerabilities from proliferating in the ecosystem.

Give an idea of what is required to make the funding initiative happen

This initiative requires funding to hire an external security auditor proficient in Rust. They will need to perform a comprehensive audit of the sigstore-rust codebase, focusing on cryptographic implementation correctness, memory safety, and adherence to Rust best practices, along with implementing best practices for Sigstore clients.

What is going to be needed to deliver this funding initiative?

Access to the source code (which is open source) and coordination between the maintainers and the auditor.

Are there tools or tech that still need to be produced to facilitate the funding initiative?

No. The SDK itself has already been written and donated. The initiative is strictly for the review and auditing of existing code.

Give a summary of the requirements that contextualize the costs of the funding initiative

The cost reflects a combination of unique requirements: a full security assessment, a "Rust best practices" review to ensure idiomatic and safe code usage, and Sigstore-specific expertise on the part of the auditor.

Who is responsible for doing the work of this funding initiative?

William Woodruff, Astral

Who is accountable for doing the work of this funding initiative?

Wolf Vollprecht, prefix.dev, & Hayden Blauzvern & Jussi Kukkonen, Google

If the responsible or accountable parties are no longer available, what is the backup contact or plan?

Sigstore TSC

What license is this funding initiative being used under?

Apache 2.0

Code of Conduct

  • I agree to follow the OpenSSF's Code of Conduct

List the major milestones by date and identify the overall timeline within which the technical initiative plans to accomplish their goals. Any payments for services, sponsorships, etc., will require LF Legal and Financial review.

  1. 60 engineer-hours: Comprehensive review of codebase
  2. 20 engineer-hours: Proposing and prioritizing security remediations, and refactors to align with Rust best practice
  3. 40 engineer-hours: Completing development of remediations and refactors

If this is a request for funding to issue a contract, then OpenSSF will issue that contract. Please provide a Statement of Work (SOW) that we may review. Any contracting action will take 4-6 weeks to issue.

SoW to be sent for review with approval

Metadata

Status
Funding Approved
