The curl | sh bootstrap installer (install.sh) follows the same trust model as rustup:
- Transport integrity: the script and all assets are fetched over HTTPS only. The installer aborts on any non-HTTPS URL or HTTP error.
- Binary integrity: every downloaded binary tarball is verified against its published `.sha256` checksum before installation. A checksum mismatch aborts the install.
- Installer integrity: the `install.sh` script itself is not cryptographically signed. HTTPS is the only integrity guarantee for the script. If you require higher assurance, download and review the script before executing it:

  ```sh
  curl -sSfO https://raw.githubusercontent.com/bobmatnyc/trusty-tools/main/install.sh
  less install.sh   # review
  sh install.sh
  ```

- Idempotent re-runs: when a matching version is already installed, the installer skips re-download and therefore skips checksum re-verification of the existing binary. Run with `--force` (or `TRUSTY_FORCE=1`) to always re-download and re-verify.
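The three checks described above (HTTPS-only transport, `.sha256` verification of the tarball, and the `--force` / `TRUSTY_FORCE=1` override of the idempotent skip) can be exercised offline with the following POSIX sh functions. This is an added illustration, not the project's own `install.sh`; the function names (`require_https`, `verify_checksum`, `should_download`, `force_requested`) and the fallback to `shasum -a 256` on systems without `sha256sum` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the project's install.sh): verification helpers a
# curl | sh bootstrap can use. Function names are this example's own.
set -eu

# SHA-256 of a file, portable across GNU coreutils and BSD/macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Refuse any URL that is not https://, mirroring the transport rule.
require_https() {
  case "$1" in
    https://*) return 0 ;;
    *) echo "refusing non-HTTPS URL: $1" >&2; return 1 ;;
  esac
}

# Verify $1 (tarball) against $2 (.sha256 file, either "HASH  filename"
# or a bare hash). A malformed checksum file is treated as a failure,
# never as "nothing to check". Returns 0 on match, 1 otherwise.
verify_checksum() {
  tarball=$1; sumfile=$2
  expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
  case "$expected" in
    *[!0-9a-f]*|"") echo "malformed checksum file: $sumfile" >&2; return 1 ;;
  esac
  [ ${#expected} -eq 64 ] || { echo "malformed checksum length in $sumfile" >&2; return 1; }
  actual=$(sha256_of "$tarball" | tr 'A-Z' 'a-z')
  if [ "$expected" = "$actual" ]; then
    return 0
  fi
  echo "checksum mismatch for $tarball: expected $expected, got $actual" >&2
  return 1
}

# True when --force is on the command line or TRUSTY_FORCE=1 is set.
force_requested() {
  [ "${TRUSTY_FORCE:-0}" = "1" ] && return 0
  for arg in "$@"; do
    [ "$arg" = "--force" ] && return 0
  done
  return 1
}

# Decide whether to (re)download: skip only when the installed version
# already matches AND no force flag was given. Forcing always re-downloads,
# which is what restores checksum re-verification on an idempotent re-run.
# Args: $1 installed version ("" if none), $2 wanted version, $3 force (0/1)
should_download() {
  installed=$1; wanted=$2; force=$3
  [ "$force" = "1" ] && return 0
  if [ -n "$installed" ] && [ "$installed" = "$wanted" ]; then
    return 1
  fi
  return 0
}
```

In a real installer the caller would chain these: `require_https "$url"`, fetch both the tarball and its `.sha256`, run `verify_checksum`, and only then unpack; `should_download` is consulted first so that an unforced re-run with a matching version short-circuits the whole sequence, exactly the behaviour the "Idempotent re-runs" bullet warns about.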
We maintain security updates for recent releases. The exact version support matrix is maintained in the individual crate CHANGELOG files (located in crates/*/CHANGELOG.md).
General guidance:
- Always upgrade to the latest version for security fixes
- Per-crate versioning means updates can be released independently
- Subscribe to GitHub Security Advisories to be notified of published vulnerabilities
We take security seriously. If you discover a security vulnerability, do not open a public issue. Instead, please report it privately using one of the following channels:
Primary (Recommended): GitHub Security Advisories
Secondary: r@1mc.io
Include in your report:
- A clear description of the vulnerability
- Steps to reproduce (if applicable)
- Affected crate(s) and version(s)
- Potential impact and severity
- Any known mitigations

What to expect after reporting:
- Acknowledgment: We will acknowledge receipt within 48 hours
- Triage: We will assess severity and begin work on a fix
- Fix timeline: Critical vulnerabilities are addressed within 7 days; others within 30 days
- Disclosure: We will coordinate a responsible disclosure timeline with you before publishing a fix
The project uses `cargo audit` to scan for known vulnerabilities in dependencies:

```sh
cargo audit
```

This is run in CI on every commit. Dependencies are kept up to date as part of regular maintenance.
See CLAUDE.md for the project's development conventions, including:
- Error handling best practices
- No use of `unsafe` except in carefully justified library code
- No global state or unsynchronized access patterns
- Logging to stderr only (no secrets leak to stdout)
For security-related questions or concerns, please use the reporting channels above.