-
Notifications
You must be signed in to change notification settings - Fork 687
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked. == Trust == To reduce the number of audits we have to do, we trust the following organizations: * Bytecode Alliance (WASM/WASI) * Google * Internet Security Research Group (Let's Encrypt, etc.) * Mozilla * Zcash We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things. All of the individual trust markers have an expiry date to remind us to re-evalutate trustworthiness every so often. == Exemptions == There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually, in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically. The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them. == Signing == Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages). == CI == CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of. Fixes #6500.
- Loading branch information
Showing
4 changed files
with
1,113 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,26 @@ | ||
| # Based off of https://mozilla.github.io/cargo-vet/configuring-ci.html | ||
|
|
||
| name: cargo vet | ||
|
|
||
| on: [push, pull_request] | ||
|
|
||
| jobs: | ||
| cargo-vet: | ||
| name: Vet Dependencies | ||
| runs-on: ubuntu-latest | ||
| # Keep version in sync with rust-toolchain.toml | ||
| container: rust:1.71.1 | ||
| env: | ||
| CARGO_VET_VERSION: 0.8.0 | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/cache@v2 | ||
| with: | ||
| path: ${{ runner.tool_cache }}/cargo-vet | ||
| key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }} | ||
| - name: Add the tool cache directory to the search path | ||
| run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH | ||
| - name: Ensure that the tool cache is populated with the cargo-vet binary | ||
| run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet | ||
| - name: Invoke cargo-vet | ||
| run: cargo vet --locked |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,283 @@ | ||
|
|
||
| # cargo-vet audits file | ||
|
|
||
| [audits] | ||
|
|
||
| [[trusted.aho-corasick]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 189 # Andrew Gallant (BurntSushi) | ||
| start = "2019-03-28" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.anyhow]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-10-05" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.buffered-reader]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 33886 # Neal H. Walfield (nwalfield) | ||
| start = "2023-01-06" | ||
| end = "2024-10-10" | ||
| notes = "Sequoia developer" | ||
|
|
||
| [[trusted.bzip2]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 1 # Alex Crichton (alexcrichton) | ||
| start = "2020-07-06" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.bzip2-sys]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 1 # Alex Crichton (alexcrichton) | ||
| start = "2020-02-24" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.cc]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 1 # Alex Crichton (alexcrichton) | ||
| start = "2019-03-01" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.dyn-clone]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-12-23" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.either]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 539 # Josh Stone (cuviper) | ||
| start = "2019-04-02" | ||
| end = "2024-10-10" | ||
|
|
||
| [[trusted.equivalent]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 539 # Josh Stone (cuviper) | ||
| start = "2023-02-05" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.errno]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 6825 # Dan Gohman (sunfishcode) | ||
| start = "2023-08-29" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.flate2]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 1 # Alex Crichton (alexcrichton) | ||
| start = "2019-03-14" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.hashbrown]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2019-04-02" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.indexmap]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 539 # Josh Stone (cuviper) | ||
| start = "2020-01-15" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.indoc]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-04-28" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.is-terminal]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 6825 # Dan Gohman (sunfishcode) | ||
| start = "2022-01-22" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.libc]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 1 # Alex Crichton (alexcrichton) | ||
| start = "2019-03-29" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.libc]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2021-01-27" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.linux-raw-sys]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 6825 # Dan Gohman (sunfishcode) | ||
| start = "2021-06-12" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.lock_api]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2019-05-04" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.memchr]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 189 # Andrew Gallant (BurntSushi) | ||
| start = "2019-07-07" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.num-traits]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 539 # Josh Stone (cuviper) | ||
| start = "2019-05-20" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.parking_lot]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2019-05-04" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.parking_lot_core]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2019-05-04" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.proc-macro2]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-04-23" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.quote]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-04-09" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.regex]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 189 # Andrew Gallant (BurntSushi) | ||
| start = "2019-02-27" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.regex-automata]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 189 # Andrew Gallant (BurntSushi) | ||
| start = "2019-02-25" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.regex-syntax]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 189 # Andrew Gallant (BurntSushi) | ||
| start = "2019-03-30" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.rustix]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 6825 # Dan Gohman (sunfishcode) | ||
| start = "2021-10-29" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.rustversion]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-07-08" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.scopeguard]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 2915 # Amanieu d'Antras (Amanieu) | ||
| start = "2020-02-16" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.sequoia-openpgp]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 33886 # Neal H. Walfield (nwalfield) | ||
| start = "2022-11-18" | ||
| end = "2024-10-10" | ||
| notes = "Sequoia developer" | ||
|
|
||
| [[trusted.sha1collisiondetection]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 33886 # Neal H. Walfield (nwalfield) | ||
| start = "2022-08-28" | ||
| end = "2024-10-10" | ||
| notes = "Sequoia developer" | ||
|
|
||
| [[trusted.sha1collisiondetection]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 14969 # Wiktor Kwapisiewicz (wiktor-k) | ||
| start = "2023-05-05" | ||
| end = "2024-10-10" | ||
| notes = "Sequoia developer" | ||
|
|
||
| [[trusted.syn]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-03-01" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.target-lexicon]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 6825 # Dan Gohman (sunfishcode) | ||
| start = "2019-03-06" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.thiserror]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-10-09" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.thiserror-impl]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-10-09" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.unicode-ident]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2021-10-02" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" | ||
|
|
||
| [[trusted.unindent]] | ||
| criteria = "safe-to-deploy" | ||
| user-id = 3618 # David Tolnay (dtolnay) | ||
| start = "2019-08-17" | ||
| end = "2024-10-10" | ||
| notes = "Rust Project member" |
Oops, something went wrong.