rustdupe 0.2.0

Smart duplicate file finder with interactive TUI
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105

# Security Policy

## Supported Versions

We release patches for security vulnerabilities for the following versions:

| Version | Supported          |
| ------- | ------------------ |
| 0.2.x   | :white_check_mark: |
| 0.1.x   | :white_check_mark: |

## Reporting a Vulnerability

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

### How to Report

**Please do NOT report security vulnerabilities through public GitHub issues.**

Instead, please report them via one of the following methods:

1. **GitHub Security Advisories** (Preferred):
   - Go to the [Security Advisories](https://github.com/MasuRii/RustDupe/security/advisories) page
   - Click "New draft security advisory"
   - Fill in the details of the vulnerability

2. **Email**:
   - Send an email to the project maintainers
   - Include `[SECURITY]` in the subject line
   - Encrypt sensitive details if possible

### What to Include

Please include as much of the following information as possible:

- **Type of vulnerability** (e.g., path traversal, arbitrary code execution)
- **Affected component** (e.g., file scanner, TUI, output formatter)
- **Steps to reproduce** the issue
- **Proof of concept** code or exploit (if available)
- **Impact assessment** — what an attacker could achieve
- **Suggested fix** (if you have one)

### What to Expect

1. **Acknowledgment**: We will acknowledge receipt within 48 hours
2. **Initial Assessment**: We will provide an initial assessment within 7 days
3. **Regular Updates**: We will keep you informed of our progress
4. **Resolution**: We aim to resolve critical issues within 30 days

### Disclosure Policy

- We follow [Coordinated Vulnerability Disclosure](https://en.wikipedia.org/wiki/Coordinated_vulnerability_disclosure)
- We will credit reporters in the security advisory (unless you prefer to remain anonymous)
- We request that you do not publicly disclose the issue until we have released a fix

## Security Best Practices for Users

### General Recommendations

1. **Keep Updated**: Always use the latest version of RustDupe
2. **Verify Downloads**: Check SHA256 checksums of downloaded binaries
3. **Review Before Deleting**: Always review duplicate groups before confirming deletion
4. **Use Trash**: Keep the default trash behavior instead of `--permanent`

### Verifying Binary Integrity

Each release includes SHA256 checksums. Verify your download:

```bash
# Linux/macOS
sha256sum -c rustdupe-*.sha256

# Windows (PowerShell)
Get-FileHash rustdupe-*.exe | Format-List
```

### Running with Least Privilege

RustDupe only needs read access to scan directories and write access to delete files. On Unix systems, avoid running as root unless necessary.

## Security Considerations

### File Operations

- RustDupe reads file contents for hashing but never executes files
- Deletion uses the system trash by default, allowing recovery
- Symlinks are not followed by default to prevent escape attacks

### Data Handling

- No data is sent externally — RustDupe operates entirely locally
- No telemetry or analytics are collected
- Output files (JSON/CSV) are written to user-specified locations only

### Dependencies

We regularly audit our dependencies for known vulnerabilities using:

```bash
cargo audit
```

---

Thank you for helping keep RustDupe secure!