Get trusted publishing and build reproducibility insights for any Rust supply chain 🦀
pollux is a CLI tool that provides trust factors insights for Rust supply chains.
It consumes and aggregates information on trusted publishing adoption and build reproducibility within the crates.io ecosystem, so one can easily get visibility on those aspects for any Rust project or crate.
pollux takes inspiration from previous art on the subject, specifically:
and uses public data provided by the crates.io and the oss-rebuild projects.
Curious to check the adoption of trusted publishing amongst the most downloaded crates? We provide a report on that, which is updated automatically every time a new commit lands on this repository.
oss-rebuild has been working on improving build reproducibility coverage across the Rust ecosystem, so those numbers are expected to increase over time. Please follow this issue to learn more about
You can build from the latest HEAD commit with

```shell
cargo install --git https://github.com/dotanuki-labs/pollux
```

Warning: to honor crates.io rate limits, all HTTP requests to crates.io/api/* are queued internally and follow a strict 1.0s (one second) delay between API calls. This means that some commands may take a few minutes to complete, especially when analysing large projects with lots of transitive dependencies.
You can check a standalone crate version by running

```shell
pollux check <package-url>
```

For now, pollux accepts only a package url (purl) as a precise definition for a crate artifact. You can find the purl for any crate version directly on the crates.io website, just click to copy it!
If you want to generate a report checking trust factors for the most downloaded crates, that's also simple:

```shell
pollux inquire --output <html, console> --coverage <small, medium, large, huge>
```

For instance, the companion report hosted on GitHub Pages is generated by

```shell
pollux inquire --output html --coverage large
```

pollux defines a fixed amount of popular crates to check according to the coverage argument, namely:

- small: top 100 most downloaded crates
- medium: top 500 most downloaded crates
- large: top 1000 most downloaded crates
- huge: top 5000 most downloaded crates
Unlike check, the analyse subcommand dives into the transitive dependencies of a given crate version, and evaluates everything tracked within a Cargo.lock file. If such a file is missing, pollux will generate one on the fly.

```shell
pollux analyse crate <package-url>
```

The output of such an execution should be something like
```text
pollux analyse crate pkg:cargo/[email protected]

Analysing packages. This operation may take some time ...

Statistics :
• total packages analysed : 6
• with trusted publishing attested : 0
• with reproducible builds : 0

Veracity factors :
• pkg:cargo/[email protected] (none)
• pkg:cargo/[email protected] (none)
• pkg:cargo/[email protected] (none)
• pkg:cargo/[email protected] (none)
• pkg:cargo/[email protected] (none)
• pkg:cargo/[email protected] (none)
```
pollux can also analyse any Rust project on your filesystem

```shell
pollux analyse project <path>
```

generating a similar output.
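As an added example (not pollux's own code), the snippet below shows the first step an `analyse` run implies: walking a Cargo.lock and turning every crates.io package into the `pkg:cargo/<name>@<version>` purl form that `check` accepts, while skipping path and git dependencies that have no registry artifact to attest. The lockfile content is a constructed sample; the parser assumes the usual `[[package]]` layout and deliberately avoids the toml crate so it compiles as a single file.

```rust
// Added example, not pollux's own code: derive crates.io package URLs
// (pkg:cargo/<name>@<version>) from a Cargo.lock, i.e. the artifacts an `analyse`
// run evaluates. Assumes the usual [[package]] layout; no toml crate, single file.
const CRATES_IO_INDEX: &str = "registry+https://github.com/rust-lang/crates.io-index";
// Constructed sample: a path package (no source), a crates.io crate, a git dependency.
const SAMPLE_LOCK: &str = r##"version = 3
[[package]]
name = "myproject"
version = "0.1.0"
dependencies = ["demo-a", "demo-git"]
[[package]]
name = "demo-a"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0000000000000000000000000000000000000000000000000000000000000000"
[[package]]
name = "demo-git"
version = "2.0.0"
source = "git+https://example.invalid/demo-git?branch=main#deadbeef"
"##;

#[derive(Default)] struct LockedPackage { name: String, version: String, source: Option<String> }

/// Collect every [[package]] table; any other table header ends the current entry.
fn parse_cargo_lock(text: &str) -> Vec<LockedPackage> {
    let (mut packages, mut current) = (Vec::new(), None::<LockedPackage>);
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            packages.extend(current.take());
            if line == "[[package]]" { current = Some(LockedPackage::default()); }
            continue;
        }
        let Some(pkg) = current.as_mut() else { continue };
        let Some((key, value)) = line.split_once('=') else { continue };
        let value = value.trim().trim_matches('"').to_string();
        match key.trim() {
            "name" => pkg.name = value,
            "version" => pkg.version = value,
            "source" => pkg.source = Some(value),
            _ => {} // checksum, dependency arrays and unknown keys are ignored
        }
    }
    packages.extend(current.take());
    packages
}
/// Only crates.io packages get a purl; path and git dependencies have no registry artifact.
fn crates_io_purls(packages: &[LockedPackage]) -> Vec<String> {
    packages.iter().filter(|p| p.source.as_deref() == Some(CRATES_IO_INDEX))
        .map(|p| format!("pkg:cargo/{}@{}", p.name, p.version)).collect()
}
fn main() { for p in crates_io_purls(&parse_cargo_lock(SAMPLE_LOCK)) { println!("{p}"); } }
```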
In order to speed up subsequent executions, pollux caches all evidence on trusted publishing and build reproducibility at $HOME/.pollux.
Please check our docs
Copyright (c) 2025 - Dotanuki Labs - The MIT license
