diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 0ccbd4c..51a0c66 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -51,10 +51,6 @@ criteria = "safe-to-run"
 version = "0.7.19"
 criteria = "safe-to-deploy"
 
-[[exemptions.android_system_properties]]
-version = "0.1.5"
-criteria = "safe-to-deploy"
-
 [[exemptions.arrayvec]]
 version = "0.7.2"
 criteria = "safe-to-run"
@@ -283,10 +279,6 @@ criteria = "safe-to-deploy"
 version = "5.4.0"
 criteria = "safe-to-deploy"
 
-[[exemptions.debugid]]
-version = "0.8.0"
-criteria = "safe-to-run"
-
 [[exemptions.der]]
 version = "0.6.0"
 criteria = "safe-to-deploy"
@@ -299,10 +291,6 @@ criteria = "safe-to-deploy"
 version = "0.10.5"
 criteria = "safe-to-deploy"
 
-[[exemptions.either]]
-version = "1.8.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.encode_unicode]]
 version = "0.3.6"
 criteria = "safe-to-deploy"
@@ -407,10 +395,6 @@ criteria = "safe-to-deploy"
 version = "0.8.1"
 criteria = "safe-to-deploy"
 
-[[exemptions.half]]
-version = "1.8.2"
-criteria = "safe-to-run"
-
 [[exemptions.hermit-abi]]
 version = "0.1.19"
 criteria = "safe-to-deploy"
@@ -463,10 +447,6 @@ criteria = "safe-to-run"
 version = "0.1.12"
 criteria = "safe-to-deploy"
 
-[[exemptions.intl_pluralrules]]
-version = "7.0.2"
-criteria = "safe-to-deploy"
-
 [[exemptions.io_tee]]
 version = "0.1.1"
 criteria = "safe-to-deploy"
@@ -491,10 +471,6 @@ criteria = "safe-to-deploy"
 version = "0.3.60"
 criteria = "safe-to-deploy"
 
-[[exemptions.lazy_static]]
-version = "1.4.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.libc]]
 version = "0.2.137"
 criteria = "safe-to-deploy"
@@ -823,10 +799,6 @@ criteria = "safe-to-deploy"
 version = "1.0.147"
 criteria = "safe-to-deploy"
 
-[[exemptions.serde_cbor]]
-version = "0.11.2"
-criteria = "safe-to-run"
-
 [[exemptions.serde_derive]]
 version = "1.0.147"
 criteria = "safe-to-deploy"
@@ -971,10 +943,6 @@ criteria = "safe-to-deploy" version = "1.15.0" criteria = "safe-to-deploy" -[[exemptions.unic-langid]] -version = "0.9.1" -criteria = "safe-to-deploy" - [[exemptions.unicode-ident]] version = "1.0.5" criteria = "safe-to-deploy" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index 9d78678..8e5aed0 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -1,6 +1,25 @@ # cargo-vet imports lock +[[audits.mozilla.audits.android_system_properties]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.1.2" +notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.2 -> 0.1.4" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.android_system_properties]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.1.4 -> 0.1.5" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.autocfg]] who = "Josh Stone " criteria = "safe-to-deploy" 
@@ -8,6 +27,35 @@ version = "1.1.0" notes = "All code written or reviewed by Josh Stone." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.debugid]] +who = "Gabriele Svelto " +criteria = "safe-to-deploy" +version = "0.8.0" +notes = "This crates was written by Sentry and I've fully audited it as Firefox crash reporting machinery relies on it." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.6.1" +notes = """ +Straightforward crate providing the Either enum and trait implementations with +no unsafe code. +""" +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.6.1 -> 1.7.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.either]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "1.7.0 -> 1.8.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.fluent]] who = "Zibi Braniecki " criteria = "safe-to-deploy" @@ -32,6 +80,17 @@ criteria = "safe-to-deploy" version = "0.11.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.half]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +version = "1.8.2" +notes = """ +This crate contains unsafe code for bitwise casts to/from binary16 floating-point +format. I've reviewed these and found no issues. There are no uses of ambient +capabilities. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.hashbrown]] who = "Mike Hommey " criteria = "safe-to-deploy" 
@@ -51,6 +110,25 @@ criteria = "safe-to-deploy" version = "0.5.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.intl_pluralrules]] +who = "Zibi Braniecki " +criteria = "safe-to-deploy" +version = "7.0.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.intl_pluralrules]] +who = "Makoto Kato " +criteria = "safe-to-deploy" +delta = "7.0.1 -> 7.0.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.lazy_static]] +who = "Nika Layzell " +criteria = "safe-to-deploy" +version = "1.4.0" +notes = "I have read over the macros, and audited the unsafe code." +aggregated-from = "https://raw.githubusercontent.com/mozilla/cargo-vet/main/supply-chain/audits.toml" + [[audits.mozilla.audits.log]] who = "Mike Hommey " criteria = "safe-to-deploy" @@ -121,6 +199,18 @@ version = "1.1.0" notes = "Straightforward crate with no unsafe code, does what it says on the tin." aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.serde_cbor]] +who = "R. Martinho Fernandes " +criteria = "safe-to-deploy" +version = "0.11.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.serde_cbor]] +who = "John M. Schanck " +criteria = "safe-to-deploy" +delta = "0.11.1 -> 0.11.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.synstructure]] who = "Nika Layzell " criteria = "safe-to-deploy" 
@@ -138,6 +228,18 @@ criteria = "safe-to-deploy" version = "0.3.4" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.unic-langid]] +who = "Zibi Braniecki " +criteria = "safe-to-deploy" +version = "0.9.0" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.unic-langid]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.9.0 -> 0.9.1" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.unic-langid-impl]] who = "Zibi Braniecki " criteria = "safe-to-deploy" 
@@ -152,40 +254,6 @@ aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/suppl description = "The license of this crate has been reviewed for compatibility with its usage in this repository. If the crate is not available under the MIT license, `contrib/debian/copyright` has been updated with a corresponding copyright notice for files under `depends/*/vendored-sources/CRATE_NAME`." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.aead]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "0.4.3 -> 0.5.1" -notes = "Adds an AeadCore::generate_nonce function to generate random nonces, given a CryptoRng." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.chacha20]] -who = "Jack Grigg " -criteria = ["crypto-reviewed", "safe-to-deploy"] -delta = "0.8.1 -> 0.8.2" -notes = "Unpins zeroize." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.chacha20]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "0.8.2 -> 0.9.0" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.chacha20poly1305]] -who = "Jack Grigg " -criteria = ["crypto-reviewed", "safe-to-deploy"] -delta = "0.9.0 -> 0.9.1" -notes = "Unpins zeroize." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.chacha20poly1305]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "0.9.1 -> 0.10.1" -notes = "This mainly adapts to API changes between aead 0.4 and aead 0.5." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.cipher]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
@@ -193,332 +261,9 @@ delta = "0.3.0 -> 0.4.3" notes = "Significant rework of (mainly RustCrypto-internal) APIs." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" -[[audits.zcash.audits.cpufeatures]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.5" -notes = "Unsafe changes just introduce `#[inline(never)]` wrappers." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.crypto-common]] -who = "Jack Grigg " -criteria = ["crypto-reviewed", "safe-to-deploy"] -delta = "0.1.3 -> 0.1.6" -notes = "New trait and type alias look fine." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxx]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.68 -> 1.0.72" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.72 -> 1.0.76" -notes = "Impls Unpin for SharedPtr and UniquePtr. The rationale makes sense." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxx]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.76 -> 1.0.78" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxx]] -who = "Kris Nuttycombe " -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -notes = """ -This release changes the result of the `cxxbridge` `exception` call to return -a struct containing both the pointer to an error message and its length, -instead of just the raw `*const u8`. 
-""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-flags]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.68 -> 1.0.72" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-flags]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.72 -> 1.0.76" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-flags]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.76 -> 1.0.78" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-flags]] -who = "Kris Nuttycombe " -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -notes = "This is exclusively an update to the `cxxbridge` dependency version." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-macro]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.68 -> 1.0.72" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-macro]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.72 -> 1.0.76" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-macro]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.76 -> 1.0.78" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.cxxbridge-macro]] -who = "Kris Nuttycombe " -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - 
-[[audits.zcash.audits.cxxbridge-macro]] -who = "Kris Nuttycombe " -criteria = "safe-to-deploy" -delta = "1.0.78 -> 1.0.79" -notes = "This is exclusively an update to the `cxxbridge` dependency version." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.getrandom]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.6 -> 0.2.7" -notes = """ -Checked that getrandom::wasi::getrandom_inner matches wasi::random_get. -Checked that getrandom::util_libc::Weak lock ordering matches std::sys::unix::weak::DlsymWeak. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.indexmap]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.8.1 -> 1.9.1" -notes = "I'm satisfied that the assertion guarding the new unsafe block is correct." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - [[audits.zcash.audits.inout]] who = "Daira Hopwood " criteria = "safe-to-deploy" version = "0.1.3" notes = "Reviewed in full." aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.itoa]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.1 -> 1.0.3" -notes = "Update makes no changes to code." 
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.libm]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.2.2 -> 0.2.5" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.link-cplusplus]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.6 -> 1.0.7" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.lock_api]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.7 -> 0.4.9" -notes = "The unsafe changes fix soundness bugs. The unsafe additions in the new ArcMutexGuard::into_arc method seem fine, but it should probably have used ManuallyDrop instead of mem::forget." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.log]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.4.16 -> 0.4.17" -notes = "I confirmed that the unsafe transmutes are fine; NonZeroU128 and NonZeroI128 are `#[repr(transparent)]` wrappers around u128 and i128 respectively." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.num-integer]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.1.44 -> 0.1.45" -notes = "Fixes some argument-handling panic bugs." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.parking_lot]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.11.2 -> 0.12.1" -notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable." 
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.parking_lot_core]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "0.8.5 -> 0.9.3" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.poly1305]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "0.7.2 -> 0.8.0" -notes = "Changes to unsafe (avx2) code look reasonable." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.proc-macro2]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.37 -> 1.0.41" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.136 -> 1.0.143" -notes = "Bumps serde-derive and adds some constructors." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.serde]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.145" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.136 -> 1.0.143" -notes = "Bumps syn, inverts some build flags." 
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.serde_derive]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.143 -> 1.0.145" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.syn]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.0.91 -> 1.0.98" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.thiserror]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.30 -> 1.0.32" -notes = "Bumps thiserror-impl, no code changes." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.thiserror]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.32 -> 1.0.37" -notes = "The new build script invokes rustc to determine whether it supports the Provider API. The only side-effect is it overwrites `$OUT_DIR/probe.rs`, which is fine because it is unique to the thiserror package." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.thiserror-impl]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.30 -> 1.0.32" -notes = "Only change is to refine an error message." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.thiserror-impl]] -who = "Jack Grigg " -criteria = "safe-to-deploy" -delta = "1.0.32 -> 1.0.37" -notes = "Proc macro changes migrating to the Provider API look fine." 
-aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.unicode-ident]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -version = "1.0.2" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.universal-hash]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "0.4.1 -> 0.5.0" -notes = "I checked correctness of to_blocks which uses unsafe code in a safe function." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.windows_aarch64_msvc]] -who = "Jack Grigg " -criteria = "safe-to-run" -version = "0.36.1" -notes = """ -Adds a binary blob to the library search path, that contains a subset of -the Windows SDK to avoid a direct dependency on the latter. See -https://github.com/microsoft/windows-rs/pull/1217 for context. I did not -audit the binary blob, but the build script looks fine. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.windows_i686_gnu]] -who = "Jack Grigg " -criteria = "safe-to-run" -version = "0.36.1" -notes = """ -Adds a binary blob to the library search path, that contains a subset of -the Windows SDK to avoid a direct dependency on the latter. See -https://github.com/microsoft/windows-rs/pull/1217 for context. I did not -audit the binary blob, but the build script looks fine. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.windows_i686_msvc]] -who = "Jack Grigg " -criteria = "safe-to-run" -version = "0.36.1" -notes = """ -Adds a binary blob to the library search path, that contains a subset of -the Windows SDK to avoid a direct dependency on the latter. See -https://github.com/microsoft/windows-rs/pull/1217 for context. 
I did not -audit the binary blob, but the build script looks fine. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.windows_x86_64_gnu]] -who = "Jack Grigg " -criteria = "safe-to-run" -version = "0.36.1" -notes = """ -Adds a binary blob to the library search path, that contains a subset of -the Windows SDK to avoid a direct dependency on the latter. See -https://github.com/microsoft/windows-rs/pull/1217 for context. I did not -audit the binary blob, but the build script looks fine. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.windows_x86_64_msvc]] -who = "Jack Grigg " -criteria = "safe-to-run" -version = "0.36.1" -notes = """ -Adds a binary blob to the library search path, that contains a subset of -the Windows SDK to avoid a direct dependency on the latter. See -https://github.com/microsoft/windows-rs/pull/1217 for context. I did not -audit the binary blob, but the build script looks fine. -""" -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml" - -[[audits.zcash.audits.zeroize]] -who = "Daira Hopwood " -criteria = "safe-to-deploy" -delta = "1.4.3 -> 1.5.7" -notes = "The zeroize_c_string unit test has UB, but that's very unlikely to cause a problem in practice." -aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"