From 0d285b789b4e139b8d31c6e561f1fcfc3237d5d4 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Wed, 1 Nov 2023 20:35:49 -0400 Subject: [PATCH 1/6] Lower cargo vet review criteria to "safe-to-run" For many crates we don't have the technical expertise to sign off on "safe-to-deploy", as defined by the cargo-vet documentation. The "safe-to-run" criteria is roughly the same standard we hold for Python diff reviews, with the benefit that our reviews are legible to the rest of the Cargo Vet community. Refs #6999. Co-authored-by: Cory Francis Myers --- supply-chain/config.toml | 72 +++++------ supply-chain/imports.lock | 246 +++++++++++++++++++++----------------- 2 files changed, 163 insertions(+), 155 deletions(-) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index c5212f8bd8..44c171fade 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1,5 +1,6 @@ # cargo-vet config file +default-criteria = "safe-to-run" [cargo-vet] version = "0.8" @@ -43,6 +44,9 @@ notes = "Redox OS-only" criteria = [] notes = "Redox OS-only" +[policy.redwood] +criteria = "safe-to-run" + [policy.wasi] criteria = [] notes = "WASM-only" 
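Review bot: `[policy.redwood]` in the second config.toml hunk sets `criteria = "safe-to-run"` with no `notes`, unlike the neighbouring `[policy.*]` tables that each explain why their criteria are relaxed, and this is the entry that lowers the bar for the whole first-party dependency tree. The rationale in the commit message belongs next to the policy, e.g. `notes = "We lack the expertise to vouch for safe-to-deploy on most crates; see #6999"`, and the root-level `default-criteria = "safe-to-run"` added in the first hunk could carry a one-line comment above it for the same reason. Worth stating there that, per the cargo-vet definitions, safe-to-run only vouches for building and testing the crate in a controlled environment and says nothing about behaviour on untrusted input, so readers of this file understand what the review no longer covers.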
@@ -121,112 +125,92 @@ notes = "Windows-only" [[exemptions.bitflags]] version = "2.4.0" -criteria = "safe-to-deploy" - -[[exemptions.cc]] -version = "1.0.83" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.chrono]] version = "0.4.31" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.diff]] version = "0.1.13" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.ena]] version = "0.14.2" -criteria = "safe-to-deploy" - -[[exemptions.flate2]] -version = "1.0.27" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.generic-array]] version = "0.14.7" -criteria = "safe-to-deploy" - -[[exemptions.getrandom]] -version = "0.2.10" -criteria = "safe-to-deploy" - -[[exemptions.itertools]] -version = "0.10.5" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.lalrpop]] version = "0.19.12" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.memoffset]] version = "0.8.0" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.memsec]] version = "0.6.3" -criteria = "safe-to-deploy" - -[[exemptions.once_cell]] -version = "1.18.0" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.openssl]] version = "0.10.57" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.openssl-sys]] version = "0.9.93" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.petgraph]] version = "0.6.4" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.ppv-lite86]] -version = "0.2.17" -criteria = "safe-to-deploy" +version = "0.2.16" +criteria = "safe-to-run" [[exemptions.pyo3]] version = "0.18.3" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.pyo3-build-config]] version = "0.18.3" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.pyo3-ffi]] version = "0.18.3" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.pyo3-macros-backend]] version = "0.18.3" -criteria = "safe-to-deploy" 
+criteria = "safe-to-run" [[exemptions.rand]] version = "0.7.3" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.smallvec]] version = "1.11.1" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.string_cache]] version = "0.8.7" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.term]] version = "0.7.0" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.tiny-keccak]] version = "2.0.2" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.typenum]] version = "1.17.0" -criteria = "safe-to-deploy" +criteria = "safe-to-run" [[exemptions.xxhash-rust]] version = "0.8.7" -criteria = "safe-to-deploy" +criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index b93a7d9dbc..01198ac5bb 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -99,13 +99,6 @@ user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" -[[publisher.libc]] -version = "0.2.146" -when = "2023-06-06" -user-id = 2915 -user-login = "Amanieu" -user-name = "Amanieu d'Antras" - [[publisher.linux-raw-sys]] version = "0.4.10" when = "2023-10-09" @@ -267,20 +260,6 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" -[[publisher.unicode-normalization]] -version = "0.1.22" -when = "2022-09-16" -user-id = 1139 -user-login = "Manishearth" -user-name = "Manish Goregaokar" - -[[publisher.unicode-xid]] -version = "0.2.4" -when = "2022-09-15" -user-id = 1139 -user-login = "Manishearth" -user-name = "Manish Goregaokar" - [[publisher.unindent]] version = "0.1.11" when = "2022-12-17" @@ -305,6 +284,12 @@ who = "Benjamin Bouvier " criteria = "safe-to-deploy" delta = "0.9.0 -> 0.10.2" +[[audits.bytecode-alliance.audits.cfg-if]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "1.0.0" +notes = "I am the author of this crate." + [[audits.bytecode-alliance.audits.crypto-common]] who = "Benjamin Bouvier " criteria = "safe-to-deploy" 
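Review bot: `[[exemptions.ppv-lite86]]` changes `version` from `"0.2.17"` to `"0.2.16"` inside a hunk that otherwise only rewrites `criteria`, and the commit message does not mention it. Presumably the exemption is pinned lower so it chains into the imported Mozilla delta audit `0.2.16 -> 0.2.17` added to imports.lock further down, which is sound, but an exemption is an unreviewed gap and that dependency on a specific imported audit should be visible, e.g. `notes = "covered to 0.2.17 by imported Mozilla delta audit"` on the exemption or a sentence in the commit message. The remaining exemptions at `safe-to-run` include `openssl`, `openssl-sys`, `memsec`, `rand` and `tiny-keccak`; these are crates where the difference between the two criteria matters most, so they are the natural candidates to list in the #6999 follow-up.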
@@ -352,6 +337,12 @@ criteria = "safe-to-deploy" delta = "0.2.146 -> 0.2.147" notes = "Only new type definitions and updating others for some platforms, no major changes" +[[audits.bytecode-alliance.audits.libc]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.2.148 -> 0.2.149" +notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." + [[audits.bytecode-alliance.audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -366,11 +357,10 @@ its own longevity should be relatively hardened against some of the more common compression-related issues. """ -[[audits.bytecode-alliance.audits.pkg-config]] +[[audits.bytecode-alliance.audits.openssl-macros]] who = "Pat Hickey " criteria = "safe-to-deploy" -version = "0.3.25" -notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably." +version = "0.1.0" [[audits.bytecode-alliance.audits.tempfile]] who = "Alex Crichton " 
@@ -413,10 +403,22 @@ criteria = "safe-to-deploy" version = "0.2.15" notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR." -[[audits.google.audits.cfg-if]] +[[audits.google.audits.cc]] who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "1.0.0" +criteria = "safe-to-run" +version = "1.0.79" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cc]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.79 -> 1.0.82" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.cc]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.82 -> 1.0.83" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.fastrand]] 
@@ -429,10 +431,76 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.openssl-macros]] +[[audits.google.audits.flate2]] who = "George Burgess IV " -criteria = "safe-to-deploy" -version = "0.1.0" +criteria = "safe-to-run" +version = "1.0.26" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.flate2]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.0.26 -> 1.0.27" +notes = """ +There is a CRC implementation in here, but those are not considered crypto. +Further, it's only used in tests internal to this crate. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.getrandom]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.2.10" +notes = """ +While this crate provides crypto methods, they all defer to system or hardware +crypto implementations. Hence, this crate does not implement crypto. 
+""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.itertools]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.10.5" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.lazy_static]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "1.4.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.libc]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.2.146" +notes = """ +Much like the getrandom crate, this exports interfaces to APIs which perform +crypto, but does not implement any crypto itself. +""" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.log]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.4.17" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.log]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.17 -> 0.4.20" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.once_cell]] +who = "crosvm" +criteria = "safe-to-run" +version = "1.17.0" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.once_cell]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "1.17.0 -> 1.18.0" aggregated-from = 
"https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" [[audits.google.audits.openssl-macros]] @@ -441,12 +509,42 @@ criteria = "safe-to-deploy" delta = "0.1.0 -> 0.1.1" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.pkg-config]] +who = "Alexandre Courbot " +criteria = "safe-to-run" +version = "0.3.26" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand_chacha]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.3.1" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.rand_core]] +who = "Android Legacy" +criteria = "safe-to-run" +version = "0.6.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.tempfile]] who = "George Burgess IV " criteria = "safe-to-run" version = "3.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.unicode-normalization]] +who = "George Burgess IV " +criteria = "safe-to-run" +version = "0.1.22" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-xid]] +who = "George Burgess IV " +criteria = "safe-to-deploy" +version = "0.2.4" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.version_check]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -468,6 +566,11 @@ who = "David Cook " criteria = "safe-to-deploy" delta = "0.21.2 -> 0.21.3" +[[audits.isrg.audits.base64]] +who = "Ameer Ghani " +criteria = "safe-to-run" +delta = "0.21.3 -> 0.21.4" + [[audits.isrg.audits.block-buffer]] who = "David Cook " criteria = "safe-to-deploy" @@ -483,16 +586,6 @@ who = "David Cook " criteria = "safe-to-deploy" delta = "0.10.6 -> 0.10.7" -[[audits.isrg.audits.rand_chacha]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "0.3.1" - -[[audits.isrg.audits.rand_core]] -who = "David Cook " -criteria = "safe-to-deploy" -version = "0.6.3" - [[audits.mozilla.wildcard-audits.core-foundation-sys]] who = "Bobby Holley " criteria = "safe-to-deploy" @@ -503,24 +596,6 @@ renew = false notes = "I've reviewed every source contribution that was neither authored nor reviewed by Mozilla." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.wildcard-audits.unicode-normalization]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -user-id = 1139 # Manish Goregaokar (Manishearth) -start = "2019-11-06" -end = "2024-05-03" -notes = "All code written or reviewed by Manish" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.wildcard-audits.unicode-xid]] -who = "Manish Goregaokar " -criteria = "safe-to-deploy" -user-id = 1139 # Manish Goregaokar (Manishearth) -start = "2019-07-25" -end = "2024-05-03" -notes = "All code written or reviewed by Manish" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.android_system_properties]] who = "Nicolas Silva " criteria = "safe-to-deploy" 
@@ -591,39 +666,12 @@ criteria = "safe-to-deploy" delta = "1.9.0 -> 2.0.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.lazy_static]] -who = "Nika Layzell " -criteria = "safe-to-deploy" -version = "1.4.0" -notes = "I have read over the macros, and audited the unsafe code." -aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" - [[audits.mozilla.audits.libc]] who = "Mike Hommey " criteria = "safe-to-deploy" delta = "0.2.147 -> 0.2.148" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.libc]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "0.2.148 -> 0.2.149" -notes = "New defintions for a new target we don't use" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - -[[audits.mozilla.audits.log]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -version = "0.4.17" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - -[[audits.mozilla.audits.log]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "0.4.17 -> 0.4.18" -notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.mozilla.audits.new_debug_unreachable]] who = "Bobby Holley " criteria = "safe-to-deploy" 
@@ -631,10 +679,10 @@ version = "1.0.4" notes = "This is a trivial crate." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.pkg-config]] +[[audits.mozilla.audits.ppv-lite86]] who = "Mike Hommey " criteria = "safe-to-deploy" -delta = "0.3.25 -> 0.3.26" +delta = "0.2.16 -> 0.2.17" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" [[audits.mozilla.audits.precomputed-hash]] @@ -644,12 +692,6 @@ version = "0.1.1" notes = "This is a trivial crate." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.rand_core]] -who = "Mike Hommey " -criteria = "safe-to-deploy" -delta = "0.6.3 -> 0.6.4" -aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" - [[audits.mozilla.audits.tempfile]] who = "Jan-Erik Rediger " criteria = "safe-to-deploy" @@ -668,12 +710,6 @@ criteria = "safe-to-deploy" delta = "0.3.8 -> 0.3.13" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.zcash.audits.base64]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.21.3 -> 0.21.4" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.block-buffer]] who = "Jack Grigg " criteria = "safe-to-deploy" 
@@ -681,18 +717,6 @@ delta = "0.10.3 -> 0.10.4" notes = "Adds panics to prevent a block size of zero from causing unsoundness." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.log]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.18 -> 0.4.19" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.log]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.19 -> 0.4.20" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.siphasher]] who = "Jack Grigg " criteria = "safe-to-deploy" From a96c6f600d08d92a934e3c596019c319bd3ce485 Mon Sep 17 00:00:00 2001 From: Cory Francis Myers Date: Thu, 2 Nov 2023 18:00:45 -0700 Subject: [PATCH 2/6] chore: downgrade my audits to "safe-to-run" Per . --- supply-chain/audits.toml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 8a8c87d432..028dc82127 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -3,32 +3,32 @@ [[audits.ascii-canvas]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "3.0.0" [[audits.crc32fast]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "1.3.2" [[audits.digest]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.9.0" [[audits.dirs-next]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "2.0.0" [[audits.dirs-sys-next]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.1.2" [[audits.fixedbitset]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.4.2" [[audits.iana-time-zone]] 
@@ -51,7 +51,7 @@ notes = "Autogenerated code was not reviewed." [[audits.lalrpop-util]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.19.12" [[audits.lalrpop-util]] @@ -61,7 +61,7 @@ delta = "0.19.12 -> 0.20.0" [[audits.phf_shared]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.10.0" [[audits.pkg-config]] @@ -71,7 +71,7 @@ delta = "0.3.26 -> 0.3.27" [[audits.pyo3-macros]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.18.3" [[audits.rand]] @@ -81,17 +81,17 @@ delta = "0.7.3 -> 0.8.5" [[audits.rand_chacha]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.2.2 -> 0.3.1" [[audits.rand_core]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.5.1 -> 0.6.3" [[audits.siphasher]] who = "Cory Francis Myers " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.3.10" [[trusted.aho-corasick]] From 5419f824c14c24430cdf974a095181c8833a4bab Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 6 Nov 2023 15:04:17 -0500 Subject: [PATCH 3/6] Downgrade my audits to "safe-to-run" Per . --- supply-chain/audits.toml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 028dc82127..87bfc51841 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml 
@@ -33,19 +33,19 @@ version = "0.4.2" [[audits.iana-time-zone]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" version = "0.1.58" notes = "Only code for Linux was reviewed." [[audits.idna]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.3.0 -> 0.4.0" notes = "Primarily adding a no_std mode" [[audits.lalrpop]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.19.12 -> 0.20.0" notes = "Autogenerated code was not reviewed." @@ -56,7 +56,7 @@ version = "0.19.12" [[audits.lalrpop-util]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.19.12 -> 0.20.0" [[audits.phf_shared]] @@ -66,7 +66,7 @@ version = "0.10.0" [[audits.pkg-config]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.3.26 -> 0.3.27" [[audits.pyo3-macros]] @@ -76,7 +76,7 @@ version = "0.18.3" [[audits.rand]] who = "Kunal Mehta " -criteria = "safe-to-deploy" +criteria = "safe-to-run" delta = "0.7.3 -> 0.8.5" [[audits.rand_chacha]] From e1d56cf8da93e9b9656cfd43b7c302477d0b599d Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 2 Nov 2023 15:42:48 -0400 Subject: [PATCH 4/6] Trust some more Rust Project members in cargo vet The trust markers are added for 6 months. --- supply-chain/audits.toml | 35 +++++++++++++++++++++++++++++++++++ supply-chain/config.toml | 12 ------------ supply-chain/imports.lock | 21 +++++++++++++++++++++ 3 files changed, 56 insertions(+), 12 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 87bfc51841..7433252a85 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml 
@@ -149,6 +149,13 @@ user-id = 539 # Josh Stone (cuviper) start = "2019-04-02" end = "2024-04-10" +[[trusted.ena]] +criteria = "safe-to-deploy" +user-id = 1386 # Niko Matsakis (nikomatsakis) +start = "2019-03-19" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.equivalent]] criteria = "safe-to-deploy" user-id = 539 # Josh Stone (cuviper) @@ -198,6 +205,13 @@ start = "2022-01-22" end = "2024-04-10" notes = "Rust Project member" +[[trusted.lalrpop]] +criteria = "safe-to-deploy" +user-id = 1386 # Niko Matsakis (nikomatsakis) +start = "2023-03-25" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.libc]] criteria = "safe-to-deploy" user-id = 1 # Alex Crichton (alexcrichton) @@ -240,6 +254,27 @@ start = "2019-05-20" end = "2024-04-10" notes = "Rust Project member" +[[trusted.openssl]] +criteria = "safe-to-deploy" +user-id = 5 # Steven Fackler (sfackler) +start = "2019-02-22" +end = "2024-05-02" +notes = "Rust Project member" + +[[trusted.openssl]] +criteria = "safe-to-deploy" +user-id = 163 # Alex Gaynor (alex) +start = "2023-03-24" +end = "2024-05-02" +notes = "Rust Project member" + +[[trusted.openssl-sys]] +criteria = "safe-to-deploy" +user-id = 5 # Steven Fackler (sfackler) +start = "2019-03-01" +end = "2024-05-02" +notes = "Rust Project member" + [[trusted.parking_lot]] criteria = "safe-to-deploy" user-id = 2915 # Amanieu d'Antras (Amanieu) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 44c171fade..791d8ad282 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -135,10 +135,6 @@ criteria = "safe-to-run" version = "0.1.13" criteria = "safe-to-run" -[[exemptions.ena]] -version = "0.14.2" -criteria = "safe-to-run" - [[exemptions.generic-array]] version = "0.14.7" criteria = "safe-to-run" 
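Review bot: The new `[[trusted.ena]]`, `[[trusted.lalrpop]]`, `[[trusted.openssl]]` and `[[trusted.openssl-sys]]` entries across the three audits.toml hunks all assert `criteria = "safe-to-deploy"` for every version the listed publisher uploads inside the window, which is a stronger claim than the `safe-to-run` bar this series adopts for the project's own reviews (the `[[audits.lalrpop]]` entry earlier in this file explicitly notes that autogenerated code was not reviewed). That matches pre-existing entries such as `[[trusted.libc]]`, so it may be deliberate, but if the intent is only to avoid re-reviewing releases from these maintainers, `criteria = "safe-to-run"` on the new entries would line up with `default-criteria` in config.toml. Either way, a reason beyond `notes = "Rust Project member"` — why that membership justifies safe-to-deploy for crates like `openssl` — would help whoever has to renew these when they expire on 2024-05-02.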
@@ -155,14 +151,6 @@ criteria = "safe-to-run" version = "0.6.3" criteria = "safe-to-run" -[[exemptions.openssl]] -version = "0.10.57" -criteria = "safe-to-run" - -[[exemptions.openssl-sys]] -version = "0.9.93" -criteria = "safe-to-run" - [[exemptions.petgraph]] version = "0.6.4" criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 01198ac5bb..7b8ec768c5 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -57,6 +57,13 @@ user-id = 539 user-login = "cuviper" user-name = "Josh Stone" +[[publisher.ena]] +version = "0.14.2" +when = "2023-03-17" +user-id = 1386 +user-login = "nikomatsakis" +user-name = "Niko Matsakis" + [[publisher.equivalent]] version = "1.0.1" when = "2023-07-10" @@ -127,6 +134,20 @@ user-id = 539 user-login = "cuviper" user-name = "Josh Stone" +[[publisher.openssl]] +version = "0.10.57" +when = "2023-08-27" +user-id = 163 +user-login = "alex" +user-name = "Alex Gaynor" + +[[publisher.openssl-sys]] +version = "0.9.93" +when = "2023-09-04" +user-id = 5 +user-login = "sfackler" +user-name = "Steven Fackler" + [[publisher.parking_lot]] version = "0.12.1" when = "2022-05-31" From df04be949fb92d3dd6f5790622b28cd4585cb16e Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 2 Nov 2023 15:42:52 -0400 Subject: [PATCH 5/6] Audit Rust crates using cargo vet --- supply-chain/audits.toml | 86 ++++++++++++++++++++++++++++++++++++++- supply-chain/config.toml | 68 ------------------------------- supply-chain/imports.lock | 73 +++++++++++++++++++++++++++++++++ 3 files changed, 158 insertions(+), 69 deletions(-) diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index 7433252a85..1613564765 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml 
@@ -6,11 +6,21 @@ who = "Cory Francis Myers " criteria = "safe-to-run" version = "3.0.0" +[[audits.chrono]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.4.26 -> 0.4.31" + [[audits.crc32fast]] who = "Cory Francis Myers " criteria = "safe-to-run" version = "1.3.2" +[[audits.diff]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.1.13" + [[audits.digest]] who = "Cory Francis Myers " criteria = "safe-to-run" @@ -46,7 +56,7 @@ notes = "Primarily adding a no_std mode" [[audits.lalrpop]] who = "Kunal Mehta " criteria = "safe-to-run" -delta = "0.19.12 -> 0.20.0" +delta = "0.19.10 -> 0.20.0" notes = "Autogenerated code was not reviewed." [[audits.lalrpop-util]] @@ -59,6 +69,21 @@ who = "Kunal Mehta " criteria = "safe-to-run" delta = "0.19.12 -> 0.20.0" +[[audits.memoffset]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.6.5" + +[[audits.memsec]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.6.3" + +[[audits.petgraph]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.6.2 -> 0.6.4" + [[audits.phf_shared]] who = "Cory Francis Myers " criteria = "safe-to-run" 
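Review bot: The second hunk widens the existing `[[audits.lalrpop]]` record in place from `delta = "0.19.12 -> 0.20.0"` to `delta = "0.19.10 -> 0.20.0"`, so the file now claims the 0.19.10..0.19.12 changes were reviewed while the entry's `notes` and the commit message only describe the original review. If that range was actually inspected, say so in `notes`; otherwise record it as a separate `[[audits.lalrpop]]` entry with `delta = "0.19.10 -> 0.19.12"` so the audit trail reflects what was looked at. The `[[publisher.lalrpop]]` 0.19.10 entry added to imports.lock suggests the rewrite exists to chain from the newly trusted publisher, which is a fine goal, but audit delta ranges are what other projects import, so they should not be edited without a review behind them.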
@@ -69,16 +94,48 @@ who = "Kunal Mehta " criteria = "safe-to-run" delta = "0.3.26 -> 0.3.27" +[[audits.ppv-lite86]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.2.10 -> 0.2.16" + +[[audits.pyo3]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" + +[[audits.pyo3-build-config]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" +notes = "Windows, cross-compiling and abi3 code not reviewed." + +[[audits.pyo3-ffi]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" +notes = "Unsurprisingly lots of unsafe, appears fine for an FFI library. PyPy and Windows code was skipped." + [[audits.pyo3-macros]] who = "Cory Francis Myers " criteria = "safe-to-run" version = "0.18.3" +[[audits.pyo3-macros-backend]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.18.3" + [[audits.rand]] who = "Kunal Mehta " criteria = "safe-to-run" delta = "0.7.3 -> 0.8.5" +[[audits.rand]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.8.3 -> 0.8.5" + [[audits.rand_chacha]] who = "Cory Francis Myers " criteria = "safe-to-run" @@ -94,6 +151,33 @@ who = "Cory Francis Myers " criteria = "safe-to-run" version = "0.3.10" +[[audits.smallvec]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "1.6.1 -> 1.11.1" + +[[audits.string_cache]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.8.7" + +[[audits.term]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.7.0" +notes = "Windows code was not reviewed." + +[[audits.typenum]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "1.15.0" + +[[audits.xxhash-rust]] +who = "Kunal Mehta " +criteria = "safe-to-run" +version = "0.8.7" +notes = "Only the `xxh3` feature, used by Sequoia, was reviewed" + [[trusted.aho-corasick]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 791d8ad282..543f2a3b57 100644 --- a/supply-chain/config.toml 
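Review bot: Several new entries in these hunks record a full-version `safe-to-run` audit while their `notes` say only part of the crate was reviewed — `[[audits.xxhash-rust]]` ("Only the `xxh3` feature, used by Sequoia, was reviewed"), `[[audits.pyo3-build-config]]` and `[[audits.term]]` (Windows and other platform code skipped). cargo-vet has no per-feature or per-platform audits, so anyone importing this audits.toml will see these as unconditional certifications of the version and only learn the caveat if they read `notes`; for a feature-scoped review like xxhash-rust, keeping it as an exemption in config.toml (with the same note) or stating in `notes` that it should not be imported by projects using other features would be safer. The new `[[audits.rand]]` with `delta = "0.8.3 -> 0.8.5"` sits next to the existing `delta = "0.7.3 -> 0.8.5"` entry; it appears to be there to chain from the imported Google audit of 0.8.3 now that the 0.7.3 exemption is dropped, and a one-line `notes` saying so would stop a later cleanup from removing it as a duplicate.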
+++ b/supply-chain/config.toml @@ -127,78 +127,10 @@ notes = "Windows-only" version = "2.4.0" criteria = "safe-to-run" -[[exemptions.chrono]] -version = "0.4.31" -criteria = "safe-to-run" - -[[exemptions.diff]] -version = "0.1.13" -criteria = "safe-to-run" - [[exemptions.generic-array]] version = "0.14.7" criteria = "safe-to-run" -[[exemptions.lalrpop]] -version = "0.19.12" -criteria = "safe-to-run" - -[[exemptions.memoffset]] -version = "0.8.0" -criteria = "safe-to-run" - -[[exemptions.memsec]] -version = "0.6.3" -criteria = "safe-to-run" - -[[exemptions.petgraph]] -version = "0.6.4" -criteria = "safe-to-run" - -[[exemptions.ppv-lite86]] -version = "0.2.16" -criteria = "safe-to-run" - -[[exemptions.pyo3]] -version = "0.18.3" -criteria = "safe-to-run" - -[[exemptions.pyo3-build-config]] -version = "0.18.3" -criteria = "safe-to-run" - -[[exemptions.pyo3-ffi]] -version = "0.18.3" -criteria = "safe-to-run" - -[[exemptions.pyo3-macros-backend]] -version = "0.18.3" -criteria = "safe-to-run" - -[[exemptions.rand]] -version = "0.7.3" -criteria = "safe-to-run" - -[[exemptions.smallvec]] -version = "1.11.1" -criteria = "safe-to-run" - -[[exemptions.string_cache]] -version = "0.8.7" -criteria = "safe-to-run" - -[[exemptions.term]] -version = "0.7.0" -criteria = "safe-to-run" - [[exemptions.tiny-keccak]] version = "2.0.2" criteria = "safe-to-run" - -[[exemptions.typenum]] -version = "1.17.0" -criteria = "safe-to-run" - -[[exemptions.xxhash-rust]] -version = "0.8.7" -criteria = "safe-to-run" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 7b8ec768c5..b5f6fcd528 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -106,6 +106,13 @@ user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" +[[publisher.lalrpop]] +version = "0.19.10" +when = "2023-04-24" +user-id = 1386 +user-login = "nikomatsakis" +user-name = "Niko Matsakis" + [[publisher.linux-raw-sys]] version = "0.4.10" when = "2023-10-09" 
@@ -364,6 +371,12 @@ criteria = "safe-to-deploy" delta = "0.2.148 -> 0.2.149" notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." +[[audits.bytecode-alliance.audits.memoffset]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "This was a small update to the crate which has to do with Rust language features and compiler versions, no substantial changes." + [[audits.bytecode-alliance.audits.miniz_oxide]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -442,6 +455,24 @@ criteria = "safe-to-run" delta = "1.0.82 -> 1.0.83" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.chrono]] +who = "ChromeOS" +criteria = "safe-to-run" +version = "0.4.23" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.chrono]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.23 -> 0.4.24" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + +[[audits.google.audits.chrono]] +who = "George Burgess IV " +criteria = "safe-to-run" +delta = "0.4.24 -> 0.4.26" +aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" + [[audits.google.audits.fastrand]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -512,6 +543,12 @@ criteria = "safe-to-run"
 delta = "0.4.17 -> 0.4.20"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.memoffset]]
+who = "Dennis Kempin "
+criteria = "safe-to-run"
+delta = "0.6.5 -> 0.7.1"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.once_cell]]
 who = "crosvm"
 criteria = "safe-to-run"
@@ -530,12 +567,30 @@ criteria = "safe-to-deploy"
 delta = "0.1.0 -> 0.1.1"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.petgraph]]
+who = "ChromeOS"
+criteria = "safe-to-run"
+version = "0.6.2"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.pkg-config]]
 who = "Alexandre Courbot "
 criteria = "safe-to-run"
 version = "0.3.26"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.ppv-lite86]]
+who = "Android Legacy"
+criteria = "safe-to-run"
+version = "0.2.10"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.rand]]
+who = "Android Legacy"
+criteria = "safe-to-run"
+version = "0.8.3"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.rand_chacha]]
 who = "Android Legacy"
 criteria = "safe-to-run"
@@ -548,6 +603,12 @@ criteria = "safe-to-run"
 version = "0.6.4"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.smallvec]]
+who = "Android Legacy"
+criteria = "safe-to-run"
+version = "1.6.1"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.tempfile]]
 who = "George Burgess IV "
 criteria = "safe-to-run"
@@ -725,6 +786,12 @@ criteria = "safe-to-deploy"
 delta = "3.6.0 -> 3.8.0"
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.typenum]]
+who = "Mike Hommey "
+criteria = "safe-to-deploy"
+delta = "1.15.0 -> 1.16.0"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.unicode-bidi]]
 who = "Makoto Kato "
 criteria = "safe-to-deploy"
@@ -750,3 +817,9 @@ criteria = "safe-to-deploy"
 delta = "0.1.0 -> 0.1.1"
 notes = "Adds `#![forbid(unsafe_code)]` and license files."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
+[[audits.zcash.audits.typenum]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.16.0 -> 1.17.0"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
From c3151537035bd0f726ff726289da158d5a4c2ab0 Mon Sep 17 00:00:00 2001
From: Cory Francis Myers
Date: Thu, 2 Nov 2023 17:59:06 -0700
Subject: [PATCH 6/6] chore: "cargo vet"
---
 supply-chain/audits.toml | 35 +++++++++++++++++++++++++++++++++++
 supply-chain/config.toml | 12 ------------
 supply-chain/imports.lock | 31 ++++++++++++++++++++++++-------
 3 files changed, 59 insertions(+), 19 deletions(-)
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml
index 1613564765..75e82aecc2 100644
--- a/supply-chain/audits.toml
+++ b/supply-chain/audits.toml
@@ -6,6 +6,16 @@ who = "Cory Francis Myers "
 criteria = "safe-to-run"
 version = "3.0.0"
 
+[[audits.bitflags]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+version = "1.3.2"
+
+[[audits.cc]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+delta = "1.0.73 -> 1.0.83"
+
 [[audits.chrono]]
 who = "Kunal Mehta "
 criteria = "safe-to-run"
@@ -36,11 +46,31 @@ who = "Cory Francis Myers "
 criteria = "safe-to-run"
 version = "0.1.2"
 
+[[audits.ena]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+version = "0.14.2"
+
 [[audits.fixedbitset]]
 who = "Cory Francis Myers "
 criteria = "safe-to-run"
 version = "0.4.2"
 
+[[audits.generic-array]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+version = "0.14.6"
+
+[[audits.getrandom]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+version = "0.1.16"
+
+[[audits.getrandom]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+delta = "0.1.16 -> 0.2.6"
+
 [[audits.iana-time-zone]]
 who = "Kunal Mehta "
 criteria = "safe-to-run"
@@ -167,6 +197,11 @@ criteria = "safe-to-run"
 version = "0.7.0"
 notes = "Windows code was not reviewed."
 
+[[audits.tiny-keccak]]
+who = "Cory Francis Myers "
+criteria = "safe-to-run"
+version = "2.0.2"
+
 [[audits.typenum]]
 who = "Kunal Mehta "
 criteria = "safe-to-run"
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 543f2a3b57..ea6f9707c8 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -122,15 +122,3 @@ notes = "Windows-only"
 [policy.windows_x86_64_msvc]
 criteria = []
 notes = "Windows-only"
-
-[[exemptions.bitflags]]
-version = "2.4.0"
-criteria = "safe-to-run"
-
-[[exemptions.generic-array]]
-version = "0.14.7"
-criteria = "safe-to-run"
-
-[[exemptions.tiny-keccak]]
-version = "2.0.2"
-criteria = "safe-to-run"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index b5f6fcd528..96082dd191 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
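Review bot: The new `[[audits.cc]]` entry certifies a ten-release delta (`delta = "1.0.73 -> 1.0.83"`) with no `notes`, so a later reader cannot tell what was examined — and `cc` is the crate that locates and invokes the host C compiler from build scripts, which is precisely the build-time behaviour a safe-to-run attestation is supposed to vouch for. The existing `[[audits.term]]` entry further down this file shows the convention (`notes = "Windows code was not reviewed."`); a similar line recording what was and was not read, e.g. `notes = "Reviewed changes to compiler discovery and env-var handling; Windows/MSVC paths not reviewed."` if that matches the actual review, would make the entry auditable. The imported google audit already covers the `1.0.82 -> 1.0.83` step, so if that step was not independently reviewed the own delta could honestly stop at `1.0.82`.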
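Review bot: The `[[audits.getrandom]]` delta `0.1.16 -> 0.2.6` crosses a major-version boundary, which for a crate that wraps per-platform OS entropy syscalls is close to a full re-read, yet none of the four new entries in this hunk carries a `notes` field. Following the `[[audits.term]]` precedent (`notes = "Windows code was not reviewed."`), record which platform backends were read and which were skipped, e.g. `notes = "Linux and macOS backends reviewed; Windows, WASM and other targets not reviewed."` if that reflects what was done. It is also worth saying in that note that `safe-to-run` attests only to absence of surprising behaviour when built and run, not to the quality of the randomness, so nobody later reads this line as clearing getrandom for key-material use. Adding both a full audit of 0.1.16 and a delta to 0.2.6 suggests both major versions are in the dependency tree; if only one is, the other entry is dead weight and should be dropped.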
@@ -57,13 +57,6 @@ user-id = 539
 user-login = "cuviper"
 user-name = "Josh Stone"
 
-[[publisher.ena]]
-version = "0.14.2"
-when = "2023-03-17"
-user-id = 1386
-user-login = "nikomatsakis"
-user-name = "Niko Matsakis"
-
 [[publisher.equivalent]]
 version = "1.0.1"
 when = "2023-07-10"
@@ -437,6 +430,18 @@ criteria = "safe-to-deploy"
 version = "0.2.15"
 notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
 
+[[audits.google.audits.bitflags]]
+who = "Dennis Kempin "
+criteria = "safe-to-run"
+delta = "1.3.2 -> 2.2.1"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
+[[audits.google.audits.bitflags]]
+who = "George Burgess IV "
+criteria = "safe-to-run"
+delta = "2.3.2 -> 2.4.0"
+aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
+
 [[audits.google.audits.cc]]
 who = "George Burgess IV "
 criteria = "safe-to-run"
@@ -724,6 +729,12 @@ version = "0.6.3"
 notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
 aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
 
+[[audits.mozilla.audits.bitflags]]
+who = "Teodor Tanasoaia "
+criteria = "safe-to-deploy"
+delta = "2.2.1 -> 2.3.2"
+aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
 [[audits.mozilla.audits.block-buffer]]
 who = "Mike Hommey "
 criteria = "safe-to-deploy"
@@ -805,6 +816,12 @@ delta = "0.10.3 -> 0.10.4"
 notes = "Adds panics to prevent a block size of zero from causing unsoundness."
 aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
 
+[[audits.zcash.audits.generic-array]]
+who = "Sean Bowe "
+criteria = "safe-to-deploy"
+delta = "0.14.6 -> 0.14.7"
+aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
+
 [[audits.zcash.audits.siphasher]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"