From ac306dad505341cad60f26600dc4a90af77a0208 Mon Sep 17 00:00:00 2001
From: Ameer Ghani 
Date: Thu, 14 Nov 2024 10:16:48 -0600
Subject: [PATCH] cargo vet: zlib-rs audit

---
 supply-chain/audits.toml | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 0e8db221..cd8aecfa 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -398,6 +398,16 @@ who = "Brandon Pitman "
 criteria = "safe-to-deploy"
 delta = "0.2.149 -> 0.2.150"
 
+[[audits.libz-rs-sys]]
+who = "Ameer Ghani "
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = """
+This crate uses unsafe since it's for C to Rust FFI. I have reviewed and fuzzed it, and I believe it is free of any serious security problems.
+
+The only dependency is zlib-rs, which is maintained by the same maintainers as this crate.
+"""
+
 [[audits.linux-raw-sys]]
 who = "Brandon Pitman "
 criteria = "safe-to-run"
@@ -839,6 +849,16 @@ who = "Tim Geoghegan "
 criteria = "safe-to-run"
 delta = "7.0.0 -> 7.0.1"
 
+[[audits.zlib-rs]]
+who = "Ameer Ghani "
+criteria = "safe-to-deploy"
+version = "0.4.0"
+notes = """
+zlib-rs uses unsafe Rust for invoking compiler intrinsics (i.e. SIMD), eschewing bounds checks, along the FFI boundary, and for interacting with pointers sourced from C. I have extensively reviewed and fuzzed the unsafe code. All findings from that work have been resolved as of version 0.4.0. To the best of my ability, I believe it's free of any serious security problems.
+
+zlib-rs does not require any external dependencies.
+"""
+
 [[trusted.byteorder]]
 criteria = "safe-to-deploy"
 user-id = 189 # Andrew Gallant (BurntSushi)
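Review bot: The `libz-rs-sys` notes in the first hunk say the crate was "reviewed and fuzzed" but not what the review covered, so a later delta audit cannot tell which parts of the FFI surface were already examined; the `zlib-rs` entry in the second hunk is the better model because it enumerates the categories of unsafe code it looked at. Consider extending the notes with the scope, e.g. `I reviewed the exported C API surface (argument validation, pointer and length handling passed through to zlib-rs) and fuzzed the public entry points.` — wording constructed here, adjust to what was actually done. The sentence about zlib-rs being the only dependency is informational rather than load-bearing, since safe-to-deploy already requires the dependency to be certified (which the second hunk does), but it is worth stating that this was checked for 0.4.0 specifically so the claim is not read as a standing property.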
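Review bot: The `zlib-rs` notes say "All findings from that work have been resolved as of version 0.4.0" without saying where those findings or the fuzz harnesses live, which is the one thing a future delta auditor needs in order to re-run the same checks against a newer version. If the harnesses are upstream or the findings were filed publicly, a short pointer would make the audit reproducible, e.g. `Fuzz harnesses and the reports for the resolved findings: <TRACKER-OR-REPO-LINK>.` with the placeholder filled in; if they are private, saying so is still useful so nobody searches for them. This is documentation only; the entry itself, a full `version` audit rather than a `delta`, looks correct for a first certification.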