More cargo-deny maintenance #1927
Merged
Eliah Kagan (EliahKagan) merged 4 commits into GitoxideLabs:main on Apr 5, 2025
Before this change, we get a warning:
$ cargo deny --workspace --all-features check licenses
warning[license-not-encountered]: license was not encountered
┌─ /home/ek/source/repos/gitoxide/deny.toml:32:6
│
32 │ "LicenseRef-ring",
│ ━━━━━━━━━━━━━━━ unmatched license allowance
licenses ok
The same warning is shown in the `cargo-deny` job check on CI.
This happens because `ring` no longer uses a custom/nonstandard
license, instead using `Apache-2.0 AND ISC` since version 0.17.10.
(See briansmith/ring#2402 and
https://crates.io/crates/ring/versions for details.)
Nothing in this workspace depends directly or indirectly on old
versions of `ring` that use that license, so this removes it from
the list of licenses in `deny.toml`.
This turns the comment in `cargo.deny` explaining why we currently ignore the informational advisory RUSTSEC-2024-0436 in `paste` into data that could be parsed and displayed by tools, by using the form with `id` and `reason` fields, where the old comment text is the value of the `reason` field. This is one of the forms documented in: https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-ignore-field-optional
This is only a minor improvement in clarity now, but the benefit will be greater with the immediately forthcoming change, and doing this separately makes it so the next commit can be reverted by itself once it is no longer needed.
This splits the `EmbarkStudios/cargo-deny-action` step in `cargo-deny-advisories` into two such steps:
- Scan the workspace except prune `gix-testtools` and everything reachable through it (following it neither as a root, nor when it is found as dev dependency of another crate). This doesn't get to its obsolete dependencies, while still ensuring that nothing in the workspace *except* what we reach through `gix-testtools` is affected by RUSTSEC-2025-0021.
- Scan the whole workspace, including `gix-testtools` and all its dependencies, including the obsolete version of `gix-features` that is affected by RUSTSEC-2025-0021. But ignore that advisory.
To support this, steps are added to install the `yq`-associated `tomlq` command and use it to produce the modified configuration file for the second scan in a way that shouldn't break under any changes to comments, spacing, style, or ordering in `deny.toml`.
Since cargo-deny-advisories is modified here and that job does not block auto-merge even when it fails, I want to double-check that it still works the way I have described here. I plan to enable auto-merge after verifying that.
Edit: It is working (as it did when run in my fork).
Sebastian Thiel (Byron) approved these changes on Apr 5, 2025, and left a comment:
Thanks a lot! I can't wait for not getting these failure emails anymore 😅.
Eliah Kagan (EliahKagan) added a commit to EliahKagan/gitoxide that referenced this pull request, Apr 14, 2025:
3cfd7fa (GitoxideLabs#1927) removed `LicenseRef-ring` from the `cargo deny` license allowlist, because we no longer used any `ring` version old enough to involve the old custom license. But the associated entry in the `license.clarify` array that defined `LicenseRef-ring` was not removed, even though it's not needed either given that the license it clarifies is no longer referenced. This cleans that up.
Eliah Kagan (EliahKagan) added a commit to EliahKagan/gitoxide that referenced this pull request, May 5, 2025:
…tools" This reverts commit 67d9bf4, but not the other changes from GitoxideLabs#1927. `gix-testtools` 0.16.1 has the change in 9b12d50 (GitoxideLabs#1972) from depending on previous SemVer-incompatible versions of `gix-*` crates to depending on the current versions. Since then, nothing affected by https://rustsec.org/advisories/RUSTSEC-2024-0436.html appears in our dependency tree, and it is no longer necessary or desirable to use a more complicated `cargo deny check advisories` scanning approach allowing that advisory through `gix-testtools`.
Changes:
- Remove the old `ring` license from the allowlist, since we no longer depend on any versions of `ring` that use it.
- Convert the comment explanation for why we ignore RUSTSEC-2024-0436 into reified form as the value of a `reason` key, so tools that process the file don't lose it (even if only to make debugging slightly easier when using `tomlq`).
- Split the `cargo-deny-advisories` scan into two scans (still in that one job) that cover what we covered before, except ignoring RUSTSEC-2025-0021 when the affected version is only reachable as a dependency of `gix-testtools`. This is as discussed in #1924 (comment), and it makes `cargo-deny-advisories` pass again.
See the commit messages for further details.
Regarding the license allowlist, disused licenses do seem to accumulate gradually; see also 9c708db (#1863).
`cargo deny` supports configuring this as an error. But I have refrained from doing so, because: `cargo deny check licenses` is run, showing another occurrence when `--all-features` is omitted, which might occasionally make sense to do when running it locally.