Add initial cargo vet configuration
cargo vet is a tool designed by Mozilla to record audits of Rust
dependencies, and it matches nicely with the philosophy of our diff
review system for Python. It can automatically present diffs and
verify everything has been checked.

== Trust ==

To reduce the number of audits we have to do, we trust the following
organizations:

* Bytecode Alliance (WASM/WASI)
* Google
* Internet Security Research Group (Let's Encrypt, etc.)
* Mozilla
* Zcash

We also trust a number of individual developers, because they are
members of the Rust Project and also trusted by one of the above
organizations we trust. We also trust the two Sequoia-OpenPGP team
members who release things.

All of the individual trust markers have an expiry date to remind us to
re-evaluate trustworthiness every so often.

== Exemptions ==

There are a number of dependencies that appear in our tree but are not
used on Linux x86_64, so we can ignore them entirely. These are marked in
config.toml with a policy stanza that has an empty criteria block. These
crates have been identified manually; in the future cargo-vet will
hopefully let us specify the specific targets we care about and take care
of it automatically.

The remaining exemptions in config.toml have not been reviewed yet; we
can incrementally chip away at them.

== Signing ==

Unlike diff reviews, there is no PGP signing of this file. Because these
are committed into the Git repository directly, we can rely on that as a
measure of trust (unlike random wiki pages).

== CI ==

CI verifies that all dependencies have either been reviewed or exempted,
so there's no need for manual tracking in PR descriptions. Upstream
provides a GitHub Actions template that we use most of.

Fixes #6500.
legoktm committed Oct 10, 2023
1 parent 52f7c2b commit 88c2535
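The commit page shows audits.toml and the workflow but not the supply-chain/config.toml that the message refers to. The fragment below is an added illustration, not the project's file, of the three kinds of stanza the message describes for cargo-vet 0.8: an `[imports]` entry that pulls in another organization's published audits (the Mozilla URL is the one cargo-vet's own documentation uses; treat it as an assumption here), a `[policy]` stanza whose empty `criteria` list tells cargo-vet that a crate needs no audit at all, and an `[[exemptions]]` entry for a version nobody has reviewed yet. The crate names `windows-sys` and `some-crate` and the version `1.2.3` are placeholders chosen for the example.

```toml
# Illustrative supply-chain/config.toml fragment (added example, not the
# file from this commit). Written for the cargo-vet 0.8 format.

[cargo-vet]
version = "0.8"

# Organizational trust: every audit in Mozilla's published audits.toml is
# treated as if it were our own. Assumed URL, taken from cargo-vet's docs.
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

# Target-specific exemption, as described in the commit message: an empty
# criteria list means "no audit required". cargo-vet applies this regardless
# of target, so it only stays safe while the crate really is Windows-only;
# a feature flip that pulls it into the Linux build will not be flagged.
# Placeholder crate name.
[policy.windows-sys]
criteria = []

# Unreviewed crate version carried forward until someone audits it.
# `cargo vet regenerate exemptions` rewrites this block from the lockfile;
# `cargo vet suggest` lists what is left to review. Placeholder crate/version.
[[exemptions.some-crate]]
version = "1.2.3"
criteria = "safe-to-deploy"
```

The security-relevant distinction is between the two escape hatches: a `[policy]` entry with `criteria = []` is permanent and silent, while an `[[exemptions]]` entry is version-pinned and disappears (and fails CI) the next time the version bumps, so the empty-criteria policy should be reserved for crates that genuinely never build for the shipped target.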
Showing 4 changed files with 1,113 additions and 0 deletions.
26 changes: 26 additions & 0 deletions .github/workflows/cargo-vet.yml
@@ -0,0 +1,26 @@
# Based off of https://mozilla.github.io/cargo-vet/configuring-ci.html

name: cargo vet

on: [push, pull_request]

jobs:
cargo-vet:
name: Vet Dependencies
runs-on: ubuntu-latest
# Keep version in sync with rust-toolchain.toml
container: rust:1.71.1
env:
CARGO_VET_VERSION: 0.8.0
steps:
- uses: actions/checkout@v4
- uses: actions/cache@v2
with:
path: ${{ runner.tool_cache }}/cargo-vet
key: cargo-vet-bin-${{ env.CARGO_VET_VERSION }}
- name: Add the tool cache directory to the search path
run: echo "${{ runner.tool_cache }}/cargo-vet/bin" >> $GITHUB_PATH
- name: Ensure that the tool cache is populated with the cargo-vet binary
run: cargo install --root ${{ runner.tool_cache }}/cargo-vet --version ${{ env.CARGO_VET_VERSION }} cargo-vet
- name: Invoke cargo-vet
run: cargo vet --locked
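Review bot: `actions/cache@v2` on the `- uses: actions/cache@v2` line is two majors behind the `actions/checkout@v4` pinned directly above it and runs on the Node 12 runtime GitHub has deprecated; bump it to the current major, and since this job gates which dependencies may ship, consider pinning both actions to a commit SHA rather than a mutable tag. A second, smaller point: the cache key `cargo-vet-bin-${{ env.CARGO_VET_VERSION }}` does not include the toolchain version from `container: rust:1.71.1`, so a cargo-vet binary built by an older toolchain keeps being restored after the container is bumped. That is harmless for the vet result, but the `# Keep version in sync with rust-toolchain.toml` comment should say that changing the toolchain does not invalidate the cached binary, so nobody expects it to.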
283 changes: 283 additions & 0 deletions supply-chain/audits.toml
@@ -0,0 +1,283 @@

# cargo-vet audits file

[audits]

[[trusted.aho-corasick]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-03-28"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.anyhow]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-05"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.buffered-reader]]
criteria = "safe-to-deploy"
user-id = 33886 # Neal H. Walfield (nwalfield)
start = "2023-01-06"
end = "2024-10-10"
notes = "Sequoia developer"

[[trusted.bzip2]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2020-07-06"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.bzip2-sys]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2020-02-24"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.cc]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-01"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.dyn-clone]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-12-23"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.either]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2019-04-02"
end = "2024-10-10"

[[trusted.equivalent]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2023-02-05"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.errno]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2023-08-29"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.flate2]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-14"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.hashbrown]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-04-02"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.indexmap]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2020-01-15"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.indoc]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-04-28"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.is-terminal]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2022-01-22"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.libc]]
criteria = "safe-to-deploy"
user-id = 1 # Alex Crichton (alexcrichton)
start = "2019-03-29"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.libc]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2021-01-27"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.linux-raw-sys]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-06-12"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.lock_api]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.memchr]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-07-07"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.num-traits]]
criteria = "safe-to-deploy"
user-id = 539 # Josh Stone (cuviper)
start = "2019-05-20"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.parking_lot]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.parking_lot_core]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2019-05-04"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.proc-macro2]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-04-23"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.quote]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-04-09"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.regex]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-02-27"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.regex-automata]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-02-25"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.regex-syntax]]
criteria = "safe-to-deploy"
user-id = 189 # Andrew Gallant (BurntSushi)
start = "2019-03-30"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.rustix]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2021-10-29"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.rustversion]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-07-08"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.scopeguard]]
criteria = "safe-to-deploy"
user-id = 2915 # Amanieu d'Antras (Amanieu)
start = "2020-02-16"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.sequoia-openpgp]]
criteria = "safe-to-deploy"
user-id = 33886 # Neal H. Walfield (nwalfield)
start = "2022-11-18"
end = "2024-10-10"
notes = "Sequoia developer"

[[trusted.sha1collisiondetection]]
criteria = "safe-to-deploy"
user-id = 33886 # Neal H. Walfield (nwalfield)
start = "2022-08-28"
end = "2024-10-10"
notes = "Sequoia developer"

[[trusted.sha1collisiondetection]]
criteria = "safe-to-deploy"
user-id = 14969 # Wiktor Kwapisiewicz (wiktor-k)
start = "2023-05-05"
end = "2024-10-10"
notes = "Sequoia developer"

[[trusted.syn]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-03-01"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.target-lexicon]]
criteria = "safe-to-deploy"
user-id = 6825 # Dan Gohman (sunfishcode)
start = "2019-03-06"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.thiserror]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-09"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.thiserror-impl]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-10-09"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.unicode-ident]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2021-10-02"
end = "2024-10-10"
notes = "Rust Project member"

[[trusted.unindent]]
criteria = "safe-to-deploy"
user-id = 3618 # David Tolnay (dtolnay)
start = "2019-08-17"
end = "2024-10-10"
notes = "Rust Project member"
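Review bot: the `[[trusted.either]]` entry (`user-id = 539 # Josh Stone (cuviper)`, `start = "2019-04-02"`) is the only trust entry without a `notes` field; every other entry records why the publisher is trusted, and the same user-id carries `notes = "Rust Project member"` on `equivalent`, `indexmap` and `num-traits`, so add the same line here so the justification is visible when the entry comes up for re-evaluation at its `end` date. Worth a header comment in the file as well: the `[audits]` table is empty and every entry is `[[trusted.*]]` publisher trust with `end = "2024-10-10"`, which means nothing in this file attests to having read any code. cargo vet will accept any version these user-ids upload to crates.io until that date, so a compromised publisher account for any of them passes CI; that is the trade-off the commit message's Trust section makes, and it should be stated next to the entries, not only in the commit log.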