Add initial cargo vet configuration #6981
Merged
Conversation
This was a blind `cargo update` run to get us to the latest on everything.
Summary from today's team meeting:
cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked.

== Trust ==

To reduce the number of audits we have to do, we trust the following organizations:

* Bytecode Alliance (WASM/WASI)
* Google
* Internet Security Research Group (Let's Encrypt, etc.)
* Mozilla
* Zcash

We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things.

All of the individual trust markers have an expiry date to remind us to re-evaluate trustworthiness every so often. For now we've set the expiry to 6 months as we're still getting familiar with the system.

== Exemptions ==

There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually; in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically.

The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them.

== Signing ==

Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages).

== CI ==

CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of.

Fixes #6500.
Demonstrates what an audit looks like on our end, as well as showing how we can import supporting audits from Bytecode Alliance and Mozilla.
zenmonkeykstop approved these changes on Oct 12, 2023
LGTM with expiry revisions!
Status
Ready for review
Description of Changes

cargo vet is a tool designed by Mozilla to record audits of Rust dependencies, and it matches nicely with the philosophy of our diff review system for Python. It can automatically present diffs and verify everything has been checked.

Trust

To reduce the number of audits we have to do, we trust the following organizations:

* Bytecode Alliance (WASM/WASI)
* Google
* Internet Security Research Group (Let's Encrypt, etc.)
* Mozilla
* Zcash

We also trust a number of individual developers, because they are members of the Rust Project and also trusted by one of the above organizations we trust. We also trust the two Sequoia-OpenPGP team members who release things.

All of the individual trust markers have an expiry date to remind us to re-evaluate trustworthiness every so often.

Exemptions

There are a number of dependencies that appear in our tree but are not used on Linux x86_64 so we can ignore them entirely. These are marked in config.toml with a policy stanza that has an empty criteria block. These crates have been identified manually; in the future cargo-vet will hopefully let us specify specific targets we care about and take care of it automatically.

The remaining exemptions in config.toml have not been reviewed yet; we can incrementally chip away at them.

Signing

Unlike diff reviews, there is no PGP signing of this file. Because these are committed into the Git repository directly, we can rely on that as a measure of trust (unlike random wiki pages).

CI

CI verifies that all dependencies have either been reviewed or exempted, so there's no need for manual tracking in PR descriptions. Upstream provides a GitHub Actions template that we use most of.

Fixes #6500.
Testing

`cargo vet` locally succeeds. `cargo vet suggest` lists all the crates that are currently exempt and not yet reviewed.

Deployment

Any special considerations for deployment? No, CI only.

Checklist

Linting (`make lint`) and tests (`make test`) pass in the development container
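As an added illustration, not the PR's own files, the following shows the shape of a cargo vet `supply-chain/config.toml` and `supply-chain/audits.toml` that encode the scheme the description lays out: audit imports from Mozilla and Bytecode Alliance, a trusted-publisher marker with a six-month expiry, a policy stanza with an empty criteria block for a crate never built on Linux x86_64, a still-unreviewed exemption, and a locally recorded audit. The crate names, the crates.io user id, the reviewer identity and the dates are constructed placeholders; the import URLs are the upstream organizations' published audit files as I understand them and are not taken from the PR. The two files are shown in one block for brevity, separated by comments.

```toml
# ---- supply-chain/config.toml (constructed example, not the PR's file) ----

[cargo-vet]
version = "0.8"   # format version written by `cargo vet init` (assumed)

# Imports: audits published by organizations we trust. A crate version they
# have certified as safe-to-deploy needs no audit of our own.
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

# Target-specific dependency that is never compiled on Linux x86_64: an empty
# criteria list means cargo vet requires nothing for it, so it is neither
# audited nor carried as an exemption.
[policy.example-windows-only]   # placeholder crate name
criteria = []

# Still-unreviewed dependency: exempted for now so CI passes, but
# `cargo vet suggest` keeps listing it until someone audits it.
[[exemptions.example-unreviewed]]   # placeholder crate name
version = "1.2.3"
criteria = "safe-to-deploy"

# ---- supply-chain/audits.toml (constructed example, not the PR's file) ----

# Trusted-publisher marker: releases of this crate published to crates.io by
# the given user between `start` and `end` are accepted without a diff review.
# Releases published after `end` are not covered, so once the six months are
# up a later `cargo update` surfaces the crate as unvetted again, which is the
# re-evaluation prompt the description describes.
[[trusted.example-maintained]]   # placeholder crate name
criteria = "safe-to-deploy"
user-id = 12345   # placeholder: crates.io user id of the trusted publisher
start = "2023-10-12"
end = "2024-04-12"

# A locally recorded audit, as written by `cargo vet certify`.
[[audits.example-audited]]   # placeholder crate name
who = "Reviewer Name <reviewer@example.org>"   # placeholder
criteria = "safe-to-deploy"
version = "0.4.0"
```

With both files committed, `cargo vet` run in CI exits non-zero whenever a dependency is covered by none of an imported audit, a local audit, a trusted entry, a policy with empty criteria, or an exemption; that is the property the description relies on in place of manual tracking in PR descriptions. Because the files live in the repository, the Git history records who added each trust marker or exemption and when, which is what the Signing section leans on instead of a PGP signature.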