Set up Cargo audit infrastructure #1359

Merged
merged 15 commits into from
Apr 23, 2024

Conversation

str4d (Contributor) commented Apr 23, 2024

This starts the process of removing our dependency on zcash/zcash for our cargo-vet audits. We import audits from there and other upstreams to bootstrap audits here; once this PR merges, we'll include this repo into our aggregated audit set, and then we can use audits here (for the MSRV-compatible dependencies pinned in this repo's Cargo.lock) to augment the audits done in our end binary repos (zcashd and the mobile SDKs, which use as close to stable Rust as we can).

str4d added 15 commits April 22, 2024 23:31
Trust set imported from `zcash/zcash` where there were common deps.

As with our `cargo-vet` usage in `zcash/zcash`, these are binary crates for interacting with Windows APIs, so both sides are maintained by Microsoft and are not something we can audit ourselves.

Most of the config is copied from `zcash/zcash`, but with a few extra license exceptions due to the `download-params` feature of `zcash_proofs` and the `lightwalletd-tonic-transport` feature of `zcash_client_backend`.
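The workflow the PR describes (audits imported from upstream organizations plus local exemptions deciding whether each version pinned in Cargo.lock counts as vetted) as an added example, not code from this PR or from cargo-vet itself: a simplified re-implementation of the coverage check. The audit records, the oorandom delta audit and the windows-sys exemption are constructed samples shaped like tomllib's output for cargo-vet's `[[audits.<crate>]]` and `[[exemptions.<crate>]]` tables, not the PR's real audit set.

```python
"""Simplified cargo-vet coverage check: imported audits + local exemptions vs Cargo.lock."""

# cargo-vet's built-in criteria: a safe-to-deploy audit also satisfies safe-to-run.
IMPLIES = {"safe-to-deploy": {"safe-to-deploy", "safe-to-run"},
           "safe-to-run": {"safe-to-run"}}

def load_audits(table):
    """Flatten a parsed `[[audits.<crate>]]` table, tagging each entry with its crate."""
    return [dict(e, crate=crate) for crate, entries in table.items() for e in entries]

def is_vetted(crate, version, criterion, audits, exemptions):
    """True if `version` of `crate` meets `criterion` via a full audit, a chain of
    delta audits ("A -> B") leading back to a full audit, or a local exemption."""
    def ok(a):
        return a["crate"] == crate and criterion in IMPLIES[a["criteria"]]
    def delta(a):
        return [x.strip() for x in a["delta"].split("->")] if "delta" in a else None
    # Exemptions are the repo's own "trust without audit" records (e.g. Windows crates).
    for e in exemptions.get(crate, []):
        if e["version"] == version and criterion in IMPLIES[e["criteria"]]:
            return True
    # Walk backwards through delta audits until a full audit of some version is found.
    seen, frontier = set(), [version]
    while frontier:
        v = frontier.pop()
        if v in seen:
            continue
        seen.add(v)
        if any(ok(a) and a.get("version") == v for a in audits):
            return True
        frontier += [delta(a)[0] for a in audits if ok(a) and delta(a) and delta(a)[1] == v]
    return False

def unvetted(lockfile, criterion, imports, exemptions):
    """Return 'crate version' strings from the lockfile that no audit or exemption covers."""
    audits = [a for org in imports.values() for a in load_audits(org)]
    return sorted(f"{c} {v}" for c, v in lockfile if not is_vetted(c, v, criterion, audits, exemptions))

# Constructed sample data (not the PR's real records): one upstream has a full audit
# of oorandom 11.1.2, another a delta to 11.1.3; windows-sys 0.48.0 is exempted locally.
IMPORTS = {
    "zcash": {"oorandom": [{"criteria": "safe-to-deploy", "version": "11.1.2"}]},
    "fermyon": {"oorandom": [{"criteria": "safe-to-deploy", "delta": "11.1.2 -> 11.1.3"}]},
}
EXEMPTIONS = {"windows-sys": [{"version": "0.48.0", "criteria": "safe-to-deploy"}]}
LOCK = [("oorandom", "11.1.3"), ("windows-sys", "0.48.0"), ("windows-sys", "0.52.0")]

if __name__ == "__main__":
    print(unvetted(LOCK, "safe-to-deploy", IMPORTS, EXEMPTIONS))  # ['windows-sys 0.52.0']
```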
nuttycom (Contributor) left a comment

ACK. I did not carefully review the audit claims from other organizations.

str4d (Contributor, Author) commented Apr 23, 2024

The other orgs are all ones we already depend on for audits in zcash/zcash except for Fermyon, and their repo only introduces one additional audit (for oorandom 11.1.3).

@nuttycom nuttycom merged commit 895afe5 into main Apr 23, 2024
26 checks passed
@nuttycom nuttycom deleted the cargo-audits branch April 23, 2024 17:51
version = "0.2.88"
criteria = "safe-to-deploy"

[[exemptions.wasm-bindgen-macro-support]]

daira (Contributor) commented on the lines above, Apr 23, 2024

daira (Contributor) left a comment

Post-hoc ACK
