Cargo deny config #13

Open
repi opened this issue Aug 29, 2019 · 7 comments
Labels
enhancement New feature or request

Comments

repi commented Aug 29, 2019

How about adding our deny.toml from our main project to the template here and making sure all of our open source crates use it in CI?

I think we want to both disallow more crates and also verify that the dependencies in our open source crates do use compatible licenses. And a good start for that would be to have a shared base deny.toml as well as make cargo-deny part of the standard CI config for all of our crates from the beginning.

Some of our crates may have different or additional rules though, but having a base template or master file would make it a lot easier.

This would also have the benefit of making public our main cargo-deny configuration for visibility/transparency to other projects.

repi commented Aug 29, 2019

Thoughts @Jake-Shadle @arirawr ?

arirawr commented Aug 29, 2019

From a visibility perspective it seems good - do you have a link to the current list of crates @repi ?

arirawr added the enhancement label Aug 29, 2019

Jake-Shadle commented

Yah, by default it could just be the licenses we allow, and, obviously,

[bans]
deny = [
    # You can never be too sure
    { name = "openssl" },
]

repi commented Aug 29, 2019

It is in our private main monorepo so I can't post a link here, but this is what our full deny.toml looks like now (or soon will):

[bans]
multiple_versions = "deny"
deny = [
    { name = "openssl" },
    
    # we don't want to use any XML and some of these are 4 year old dependencies
    { name = "RustyXml" },
    { name = "serde-xml-rs" },

    # term is not fully maintained, and termcolor is replacing it
    { name = "term" },

    # dirs crate has a lot of dependencies and there are better alternatives
    { name = "dirs" },
    { name = "dirs-sys" },

    # color-backtrace is nice but brings in too many dependencies and that are often outdated, so not worth it for us.
    { name = "color-backtrace" }
]
skip = [
    # wasmer-runtime-core uses old blake2b_simd
    { name = "blake2b_simd", version = "=0.4.1" },    
    # Both `metal` and `winit` use older versions of cocoa
    { name = "cocoa", version = "=0.18.4" },
    # rayon/rayon-core use very old versions of crossbeam crates,
    # so skip them for now until rayon updates them
    { name = "crossbeam-deque", version = "=0.6.3" },
    { name = "lock_api", version = "<=0.2.0" },
    # rmp uses an ancient version of num-traits
    { name = "num-traits", version = "=0.1.43" },
    # tokio-reactor, wasmer, and winit all use an older version
    # of parking_lot
    { name = "parking_lot", version = "<=0.8.0" },
    { name = "parking_lot_core", version = "<=0.5.0" },
    # multiple crates use old percent-encoding
    { name = "percent-encoding", version = "<=1.0" },
    # rand 0.6.5 -> 0.7.0 was a large change, many crates
    # haven't updated yet
    { name = "rand", version = "=0.6.5" },
    { name = "rand_chacha", version = "=0.1.1" },
    { name = "rand_core", version = "=0.4.2" },
    { name = "rand_core", version = "=0.3.1" },
    { name = "rand_hc", version = "=0.1.0" },
    { name = "rand_pcg", version = "=0.1.2" },
    # lots of transitive dependencies use the pre-1.0 version
    # of scopeguard
    { name = "scopeguard", version = "=0.3.3" },

    # a lot of crates still use the old url 1.7 instead of 2.0
    { name = "url", version = "=1.7" },
    { name = "idna", version = "=0.1.5" },

    # embed-resource uses an older version of winreg
    { name = "winreg", version = "=0.5.1" },
    # tons of transitive dependencies use the older winapi version
    { name = "winapi", version = "=0.2.8" },

    # some macro crates use the pre 1.0 syn dependencies
    { name = "syn", version = "<=0.15" },
    { name = "proc-macro2", version = "<=0.4" },
    { name = "quote", version = "<=0.6" },
    { name = "unicode-xid", version = "=0.1" },
]

[licenses]
unlicensed = "deny"
unknown = "deny"
# We want really high confidence when inferring licenses from text
confidence_threshold = 0.92
allow = [
    "Embark-Proprietary",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-2-Clause-FreeBSD",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "FTL",
    "ISC",
    "LLVM-exception",
    "MIT",
    "MPL-2.0",
    "Unicode-DFS-2016",
    "Unlicense",
    "Zlib",
]
skip = [
    # ring has a rather complicated LICENSE file due to reasons spelled out
    # in said LICENSE file, but is basically OpenSSL for older parts, and ISC
    # for newer parts
    { name = "ring", licenses = [] },
    # webpki uses an ISC license but it only has a 0.83 confidence level
    { name = "webpki", licenses = [] },
]

[[licenses.ignore]]
name = "rustls"
license_files = [
    # This is a top-level LICENSE that just spells out the *actual* 3
    # licenses that can be used with the crate, which askalono is unable
    # to score
    { path = "LICENSE", hash = 0xe567c411 },
]

[[licenses.ignore]]
name = "ct-logs"
license_files = [
    # This license is copied from rustls
    { path = "LICENSE", hash = 0xe567c411 },
]

[[licenses.ignore]]
name = "hyper-rustls"
license_files = [
    # This license is copied from rustls
    { path = "LICENSE", hash = 0x3154a1c7 },
]

[[licenses.ignore]]
name = "sct"
license_files = [
    # Exact same scenario as with rustls et al
    { path = "LICENSE", hash = 0xb7619ae7 },
]

[[licenses.ignore]]
name = "crossbeam-channel"
license_files = [
    # This contains multiple licenses which lowers confidence scores,
    # but is basically a CC-BY-3.0
    { path = "LICENSE-THIRD-PARTY", hash = 0xc6242648 },
]

[[licenses.ignore]]
name = "ring"
license_files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

[[licenses.ignore]]
name = "webpki-roots"
license_files = [
    # This appears to be an automatically generated file, but does
    # contain a MPL-2.0 license in the text, which is also used
    # in the license field
    { path = "LICENSE", hash = 0x6c919c48 },
]

[[licenses.ignore]]
name = "webpki"
license_files = [
    # askalono can correctly identify the license as ISC, but it
    # has a lower confidence of ~0.83 due to modifications, so
    # ignore it specifically so we can raise our confidence threshold
    # quite high so other licenses don't slip through
    { path = "LICENSE", hash = 0x1c7e6c },
]

If we use the full one, we do have to have some mechanism for propagating it from our main monorepo to the template and to all the individual crate repos. But that also goes for all the other files in this template repo if/when we make changes to them.
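
As an added example for this page (not cargo-deny's own code, and not part of the thread): a small stand-alone Rust program that models what the `[bans]` table above enforces. It parses the `[[package]]` entries of a Cargo.lock, flags any crate on the deny list, and reports crates present in more than one version, leaving out versions covered by a skip entry. The lockfile fragment and the policy are constructed for the example; skip entries are matched as exact versions only, whereas cargo-deny also accepts requirements such as `<=0.8.0`.

```rust
use std::collections::BTreeMap;

#[derive(Debug, PartialEq)]
pub struct Package { pub name: String, pub version: String }

/// Subset of a deny.toml `[bans]` table: `deny` lists crates that may not
/// appear at all; `skip` lists (name, version) pairs exempt from the duplicate
/// check. Simplification: exact versions only, not requirements like "<=0.8.0".
pub struct BansPolicy<'a> {
    pub deny: &'a [&'a str],
    pub skip: &'a [(&'a str, &'a str)],
}

#[derive(Debug, PartialEq)]
pub enum Finding {
    Banned { name: String, version: String },
    MultipleVersions { name: String, versions: Vec<String> },
}

/// Returns the value of a `key = "..."` line, if `line` has that shape.
fn quoted_value(line: &str, key: &str) -> Option<String> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?.trim();
    Some(rest.strip_prefix('"')?.strip_suffix('"')?.to_string())
}

/// Line-based parser for the `[[package]]` tables of a Cargo.lock. Only `name`
/// and `version` are read; dependency lists and `[metadata]` lines fall through.
pub fn parse_lockfile(text: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let (mut name, mut version) = (None, None);
    // A synthetic trailing header flushes the last entry, which has no terminator.
    for line in text.lines().chain(std::iter::once("[[package]]")).map(str::trim) {
        if line == "[[package]]" {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                packages.push(Package { name: n, version: v });
            }
        } else if let Some(v) = quoted_value(line, "name") {
            name = Some(v);
        } else if let Some(v) = quoted_value(line, "version") {
            version = Some(v);
        }
    }
    packages
}

/// Reports every banned crate, then every crate left with more than one
/// version after skipped versions are set aside.
pub fn check_bans(packages: &[Package], policy: &BansPolicy<'_>) -> Vec<Finding> {
    let mut findings = Vec::new();
    let mut by_name: BTreeMap<&str, Vec<&str>> = BTreeMap::new();
    for pkg in packages {
        if policy.deny.contains(&pkg.name.as_str()) {
            findings.push(Finding::Banned { name: pkg.name.clone(), version: pkg.version.clone() });
        }
        if !policy.skip.iter().any(|(n, v)| *n == pkg.name && *v == pkg.version) {
            by_name.entry(&pkg.name).or_default().push(&pkg.version);
        }
    }
    for (name, mut versions) in by_name {
        if versions.len() > 1 {
            versions.sort();
            let versions = versions.iter().map(|v| v.to_string()).collect();
            findings.push(Finding::MultipleVersions { name: name.to_string(), versions });
        }
    }
    findings
}

/// Cargo.lock fragment constructed for this example (not from a real project):
/// a banned crate, a duplicate covered by a skip, and a duplicate that is not.
pub const SAMPLE_LOCK: &str = r#"
[[package]]
name = "openssl"
version = "0.10.24"
[[package]]
name = "rand"
version = "0.6.5"
[[package]]
name = "rand"
version = "0.7.0"
[[package]]
name = "syn"
version = "0.15.44"
[[package]]
name = "syn"
version = "1.0.5"
"#;

/// Runs the check over the sample with a hypothetical policy that mirrors part
/// of the thread's `[bans]` table.
pub fn run_example() -> Vec<Finding> {
    let policy = BansPolicy { deny: &["openssl", "term", "dirs"], skip: &[("rand", "0.6.5")] };
    check_bans(&parse_lockfile(SAMPLE_LOCK), &policy)
}

fn main() { run_example().iter().for_each(|f| println!("{:?}", f)); }
```

Running it prints one finding for `openssl` and one for the two versions of `syn`; the skipped `rand 0.6.5` silences only the duplicate check, so a crate that is both skipped and on the deny list would still be reported. That is also why the skip comments in the file above name the upstream crate pinning the old version: each skip is a temporary exemption to revisit when that crate updates.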

repi commented Aug 29, 2019

But it can be a good start to have just a minimal deny.toml in all of our open source crates too.

arirawr commented Aug 29, 2019

Looks great to me - we can just keep it updated with comments on why certain things are excluded.

arirawr commented Nov 11, 2019

@repi any thoughts on what the minimal version would look like? With only the must-haves that apply across all our projects.
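
The `[licenses]` table in the full deny.toml earlier in this thread is an allow list applied to each crate's SPDX `license` expression. As an added example, written for this page and not cargo-deny's own implementation, here is a small evaluator showing how `OR`, `AND` and `WITH` interact with that list, why `LLVM-exception` has to appear in it, and how an empty or malformed field fails closed. The allow list is copied from the thread minus the proprietary entry; the crate names and license fields in `main` and in `audit`'s input are constructed, and the grammar is a simplified SPDX subset.

```rust
/// Allow list from the `[licenses]` table in the thread, minus the proprietary
/// entry. WITH requires both halves, so "LLVM-exception" must be listed.
pub const ALLOW: &[&str] = &[
    "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "BSL-1.0", "CC0-1.0", "ISC",
    "LLVM-exception", "MIT", "MPL-2.0", "Unicode-DFS-2016", "Unlicense", "Zlib",
];

/// Splits an SPDX expression into identifiers, operator words and parentheses.
fn tokenize(expr: &str) -> Vec<String> {
    let (mut tokens, mut cur) = (Vec::new(), String::new());
    for c in expr.chars() {
        if c == '(' || c == ')' || c.is_whitespace() {
            if !cur.is_empty() { tokens.push(std::mem::take(&mut cur)); }
            if !c.is_whitespace() { tokens.push(c.to_string()); }
        } else {
            cur.push(c);
        }
    }
    if !cur.is_empty() { tokens.push(cur); }
    tokens
}

/// Recursive-descent evaluator over a simplified SPDX grammar:
/// expr := and ("OR" and)* ; and := primary ("AND" primary)* ;
/// primary := "(" expr ")" | id ("WITH" id)?
struct Parser<'a> { tokens: Vec<String>, pos: usize, allow: &'a [&'a str] }

impl<'a> Parser<'a> {
    fn peek_is(&self, word: &str) -> bool {
        self.tokens.get(self.pos).map_or(false, |t| t.eq_ignore_ascii_case(word))
    }
    fn next(&mut self) -> Result<String, String> {
        let tok = self.tokens.get(self.pos).cloned().ok_or("unexpected end of expression")?;
        self.pos += 1;
        Ok(tok)
    }
    fn or_expr(&mut self) -> Result<bool, String> {
        let mut ok = self.and_expr()?;
        while self.peek_is("OR") {
            self.pos += 1;
            let rhs = self.and_expr()?; // always parsed, so malformed input still errors
            ok = ok || rhs;
        }
        Ok(ok)
    }
    fn and_expr(&mut self) -> Result<bool, String> {
        let mut ok = self.primary()?;
        while self.peek_is("AND") {
            self.pos += 1;
            let rhs = self.primary()?;
            ok = ok && rhs;
        }
        Ok(ok)
    }
    fn primary(&mut self) -> Result<bool, String> {
        let tok = self.next()?;
        if tok == "(" {
            let inner = self.or_expr()?;
            if self.next()? != ")" { return Err("missing closing parenthesis".into()); }
            return Ok(inner);
        }
        if tok == ")" || ["AND", "OR", "WITH"].iter().any(|k| tok.eq_ignore_ascii_case(k)) {
            return Err(format!("unexpected token {:?}", tok));
        }
        let mut ok = self.allow.contains(&tok.as_str());
        if self.peek_is("WITH") {
            self.pos += 1;
            let exception = self.next()?;
            ok = ok && self.allow.contains(&exception.as_str());
        }
        Ok(ok)
    }
}

/// Decides whether a crate's `license` field is acceptable under `allow`. The
/// old Cargo shorthand "MIT/Apache-2.0" is normalized to OR. An empty or
/// malformed field is an Err so that callers can fail closed.
pub fn license_allowed(expr: &str, allow: &[&str]) -> Result<bool, String> {
    let mut p = Parser { tokens: tokenize(&expr.replace('/', " OR ")), pos: 0, allow };
    let ok = p.or_expr()?;
    if p.pos != p.tokens.len() {
        return Err(format!("trailing token {:?}", p.tokens[p.pos]));
    }
    Ok(ok)
}

/// Audits (crate, license field) pairs; unparsable fields count as denied.
pub fn audit(crates: &[(&str, &str)]) -> Vec<(String, bool)> {
    crates.iter()
        .map(|(name, expr)| (name.to_string(), license_allowed(expr, ALLOW).unwrap_or(false)))
        .collect()
}

fn main() {
    // Constructed license fields, not taken from real crates.
    let crates = [("a", "MIT OR Apache-2.0"), ("b", "MIT/Apache-2.0"), ("c", "Apache-2.0 WITH LLVM-exception"),
                  ("d", "(MIT OR GPL-3.0-only) AND BSD-3-Clause"), ("e", "MIT AND GPL-3.0-only"), ("f", "")];
    for (name, ok) in audit(&crates) { println!("{}: {}", name, if ok { "allowed" } else { "denied" }); }
}
```

The evaluator keeps parsing the right-hand side of an `OR` even once the result is already true, so a truncated expression such as `MIT OR` is reported as an error rather than silently passing; that is the behaviour you want from a policy gate, where an unparsable field should block the build like `unlicensed = "deny"` does rather than be waved through.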
