mirrors/rage
1
0
Fork 0
mirror of https://github.com/str4d/rage.git synced 2025-04-03 19:07:42 +03:00
Code Issues Projects Releases Packages Wiki Activity

cargo vet prune

Browse source
This commit is contained in:
Jack Grigg 2024-07-28 17:23:42 +00:00
parent 67ee02b47e
commit b9de00a29a
2 changed files with 199 additions and 87 deletions
Download patch file Download diff file Expand all files Collapse all files

52
supply-chain/config.toml
View file

@ -133,10 +133,6 @@ criteria = "safe-to-deploy"
version = "0.1.11+1.0.8"
criteria = "safe-to-deploy"
[[exemptions.cast]]
version = "0.3.0"
criteria = "safe-to-run"
[[exemptions.cbc]]
version = "0.1.2"
criteria = "safe-to-deploy"
@ -213,10 +209,6 @@ criteria = "safe-to-run"
version = "0.3.2"
criteria = "safe-to-deploy"
[[exemptions.cpp_demangle]]
version = "0.4.3"
criteria = "safe-to-run"
[[exemptions.cpufeatures]]
version = "0.2.2"
criteria = "safe-to-deploy"
@ -305,18 +297,6 @@ criteria = "safe-to-deploy"
version = "0.13.0"
criteria = "safe-to-deploy"
[[exemptions.futures]]
version = "0.3.30"
criteria = "safe-to-deploy"
[[exemptions.futures-executor]]
version = "0.3.30"
criteria = "safe-to-deploy"
[[exemptions.futures-io]]
version = "0.3.30"
criteria = "safe-to-deploy"
[[exemptions.futures-macro]]
version = "0.3.30"
criteria = "safe-to-deploy"
@ -349,10 +329,6 @@ criteria = "safe-to-deploy"
version = "0.28.1"
criteria = "safe-to-run"
[[exemptions.half]]
version = "2.2.1"
criteria = "safe-to-run"
[[exemptions.hashbrown]]
version = "0.14.3"
criteria = "safe-to-deploy"
@ -441,10 +417,6 @@ criteria = "safe-to-deploy"
version = "2.6.3"
criteria = "safe-to-deploy"
[[exemptions.memmap2]]
version = "0.9.4"
criteria = "safe-to-run"
[[exemptions.minimal-lexical]]
version = "0.2.1"
criteria = "safe-to-deploy"
@ -453,10 +425,6 @@ criteria = "safe-to-deploy"
version = "0.26.1"
criteria = "safe-to-deploy"
[[exemptions.nom]]
version = "7.1.1"
criteria = "safe-to-deploy"
[[exemptions.num-bigint-dig]]
version = "0.8.4"
criteria = "safe-to-deploy"
@ -481,10 +449,6 @@ criteria = "safe-to-deploy"
version = "0.1.1"
criteria = "safe-to-deploy"
[[exemptions.object]]
version = "0.32.2"
criteria = "safe-to-run"
[[exemptions.once_cell]]
version = "1.15.0"
criteria = "safe-to-deploy"
@ -537,10 +501,6 @@ criteria = "safe-to-deploy"
version = "0.10.2"
criteria = "safe-to-deploy"
[[exemptions.pkg-config]]
version = "0.3.29"
criteria = "safe-to-deploy"
[[exemptions.plotters]]
version = "0.3.5"
criteria = "safe-to-run"
@ -733,10 +693,6 @@ criteria = "safe-to-deploy"
version = "0.1.0"
criteria = "safe-to-run"
[[exemptions.strsim]]
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.symbolic-common]]
version = "12.8.0"
criteria = "safe-to-run"
@ -781,10 +737,6 @@ criteria = "safe-to-deploy"
version = "0.1.44"
criteria = "safe-to-deploy"
[[exemptions.tinytemplate]]
version = "1.2.1"
criteria = "safe-to-run"
[[exemptions.tokio]]
version = "1.35.0"
criteria = "safe-to-run"
@ -833,10 +785,6 @@ criteria = "safe-to-deploy"
version = "1.7.0"
criteria = "safe-to-run"
[[exemptions.wait-timeout]]
version = "0.2.0"
criteria = "safe-to-run"
[[exemptions.walkdir]]
version = "2.4.0"
criteria = "safe-to-deploy"

234
supply-chain/imports.lock
View file

@ -353,6 +353,17 @@ criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting."
[[audits.bytecode-alliance.audits.futures-executor]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
notes = "Unsafe used to implement the unpark mutex, which is well commented and not obviously incorrect. Like with futures-channel I wouldn't be able to certify it as correct without formal methods."
[[audits.bytecode-alliance.audits.futures-io]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.27"
[[audits.bytecode-alliance.audits.heck]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
@ -406,6 +417,12 @@ its own longevity should be relatively hardened against some of the more common
compression-related issues.
"""
[[audits.bytecode-alliance.audits.object]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.30.3 -> 0.31.1"
notes = "A large-ish update to the crate but nothing out of the ordering. Support for new formats like xcoff, new constants, minor refactorings, etc. Nothing out of the ordinary."
[[audits.bytecode-alliance.audits.percent-encoding]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
@ -421,6 +438,21 @@ who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.1.0"
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
version = "0.3.25"
notes = "This crate shells out to the pkg-config executable, but it appears to sanitize inputs reasonably."
[[audits.bytecode-alliance.audits.pkg-config]]
who = "Alex Crichton <alex@alexcrichton.com>"
criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.29"
notes = """
No `unsafe` additions or anything outside of the purview of the crate in this
change.
"""
[[audits.bytecode-alliance.audits.proc-macro2]]
who = "Pat Hickey <phickey@fastly.com>"
criteria = "safe-to-deploy"
@ -515,6 +547,18 @@ criteria = "safe-to-run"
version = "0.3.67"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.cast]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.3.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.cpp_demangle]]
who = "Hidenori Kobayashi <hidenorik@chromium.org>"
criteria = "safe-to-run"
version = "0.4.3"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.crossbeam-deque]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
@ -549,6 +593,16 @@ that the RNG here is not cryptographically secure.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.futures]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.3.28"
notes = """
`futures` has no logic other than tests - it simply `pub use`s things from
other crates.
"""
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.glob]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
@ -579,6 +633,12 @@ criteria = "safe-to-run"
delta = "1.0.6 -> 1.0.9"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.memmap2]]
who = "Ying Hsu <yinghsu@chromium.org>"
criteria = "safe-to-run"
version = "0.8.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.nix]]
who = "David Koloski <dkoloski@google.com>"
criteria = "safe-to-run"
@ -599,12 +659,34 @@ Issues:
"""
aggregated-from = "https://fuchsia.googlesource.com/fuchsia/+/refs/heads/main/third_party/rust_crates/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.nom]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "7.1.3"
notes = """
Reviewed in https://chromium-review.googlesource.com/c/chromium/src/+/5046153
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.normalize-line-endings]]
who = "Max Lee <endlesspring@google.com>"
criteria = "safe-to-run"
version = "0.3.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.object]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.30.3"
notes = "I'm not counting the code related to the GNU Hash section as crypto for the sake of this review."
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.object]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
delta = "0.31.1 -> 0.32.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.pin-project-lite]]
who = "David Koloski <dkoloski@google.com>"
criteria = "safe-to-deploy"
@ -642,12 +724,35 @@ criteria = "safe-to-run"
version = "1.2.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.strsim]]
who = "danakj@chromium.org"
criteria = "safe-to-deploy"
version = "0.10.0"
notes = """
Reviewed in https://crrev.com/c/5171063
Previously reviewed during security review and the audit is grandparented in.
"""
aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
[[audits.google.audits.tinytemplate]]
who = "Ying Hsu <yinghsu@chromium.org>"
criteria = "safe-to-run"
version = "1.2.1"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.version_check]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-deploy"
version = "0.9.4"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.wait-timeout]]
who = "George Burgess IV <gbiv@google.com>"
criteria = "safe-to-run"
version = "0.2.0"
aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
[[audits.google.audits.zerocopy]]
who = "ChromeOS"
criteria = "safe-to-run"
@ -1202,6 +1307,18 @@ criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-executor]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-io]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.27 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.futures-task]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@ -1238,6 +1355,17 @@ criteria = "safe-to-deploy"
delta = "0.3.26 -> 0.3.28"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.half]]
who = "John M. Schanck <jschanck@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.8.2"
notes = """
This crate contains unsafe code for bitwise casts to/from binary16 floating-point
format. I've reviewed these and found no issues. There are no uses of ambient
capabilities.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.heck]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@ -1300,18 +1428,18 @@ it's not exploitable.
"""
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.memmap2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.8.0 -> 0.9.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.nix]]
who = "Gabriele Svelto <gsvelto@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.26.2 -> 0.27.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.nom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "7.1.1 -> 7.1.3"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.num-integer]]
who = "Josh Stone <jistone@redhat.com>"
criteria = "safe-to-deploy"
@ -1351,6 +1479,12 @@ criteria = "safe-to-deploy"
delta = "2.3.0 -> 2.3.1"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.pkg-config]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.25 -> 0.3.26"
aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
[[audits.mozilla.audits.ppv-lite86]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
@ -1810,6 +1944,24 @@ criteria = "safe-to-deploy"
delta = "4.1.0 -> 4.1.1"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.curve25519-dalek]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "4.1.1 -> 4.1.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.curve25519-dalek]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "4.1.2 -> 4.1.3"
notes = """
- New unsafe is adding `core::ptr::read_volatile` calls for black box
optimization barriers.
- `build.rs` changes are to use `CARGO_CFG_TARGET_POINTER_WIDTH` instead of
`TARGET` and the `platforms` crate for deciding on the target pointer width.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.curve25519-dalek-derive]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
@ -1828,6 +1980,13 @@ criteria = "safe-to-deploy"
delta = "0.3.3 -> 0.3.8"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.futures]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
notes = "Only sub-crate updates and corresponding changes to tests."
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.futures-channel]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
@ -1854,6 +2013,18 @@ delta = "0.3.29 -> 0.3.30"
notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.futures-executor]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.futures-io]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.3.28 -> 0.3.30"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.futures-task]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
@ -1898,6 +2069,16 @@ criteria = "safe-to-deploy"
delta = "0.14.6 -> 0.14.7"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.half]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-run"
delta = "1.8.2 -> 2.2.1"
notes = """
All new uses of unsafe are either just accessing bit representations, or plausibly reasonable uses of intrinsics. I have not checked safety
requirements on the latter.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.indexmap]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
@ -1983,6 +2164,12 @@ code (but adapted to `u16` and `u8` reads, instead of `u32`).
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.memmap2]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.9.3 -> 0.9.4"
aggregated-from = "https://raw.githubusercontent.com/zcash/librustzcash/main/supply-chain/audits.toml"
[[audits.zcash.audits.nix]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
@ -2004,41 +2191,18 @@ A new unsafe trait method `SockaddrLike::set_length` is added; it's impls look f
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.object]]
who = "Daira-Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
delta = "0.32.1 -> 0.32.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.pin-project-lite]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "0.2.9 -> 0.2.13"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.platforms]]
who = "Daira Emma Hopwood <daira@jacaranda.org>"
criteria = "safe-to-deploy"
version = "3.0.2"
notes = """
This crate uses `#![forbid(unsafe_code)]` and its build script is safe. It only \"provides programmatic access to
information about valid Rust platforms, sourced from the Rust compiler\"; it does not attempt any detection that
would require unsafety.
"""
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.platforms]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "3.0.2 -> 3.1.2"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.platforms]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "3.1.2 -> 3.2.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.platforms]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"
delta = "3.2.0 -> 3.3.0"
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
[[audits.zcash.audits.proc-macro2]]
who = "Jack Grigg <jack@electriccoin.co>"
criteria = "safe-to-deploy"