Fix cargo vet complaints

deny.toml

@@ -1,7 +1,8 @@
 [sources.allow-org]
 github = [
-    "mintlayer", # allow any code from mintlayer's github
-    "tokio-rs",  # we have to use an unreleased version of tokio at this moment
+    "mintlayer",  # allow any code from mintlayer's github
+    "paritytech", # we have to use an unreleased version of parity-scale-codec at this moment
+    "tokio-rs",   # we have to use an unreleased version of tokio at this moment
 ]
 
 [licenses]
@@ -24,28 +25,24 @@ allow = [
     "MIT",
     "MPL-2.0",
     "Unicode-3.0",
-    "Unlicense", # this is a specific license rather than no license at all
+    "Unlicense",           # this is a specific license rather than no license at all
     "Zlib",
 ] # deny a license not in this set of licenses
 
 [[licenses.clarify]]
 name = "ring"
 expression = "LicenseRef-ring"
-license-files = [
-    { path = "LICENSE", hash = 0xbd0eed23 },
-]
+license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]
 
 [[licenses.clarify]]
 name = "webpki"
 expression = "LicenseRef-webpki"
-license-files = [
-    { path = "LICENSE", hash = 0x001c7e6c },
-]
+license-files = [{ path = "LICENSE", hash = 0x001c7e6c }]
 
 [advisories]
 version = 2
 db-path = "~/.cargo/advisory-dbs"
-db-urls = [ "https://github.com/RustSec/advisory-db" ]
+db-urls = ["https://github.com/RustSec/advisory-db"]
 yanked = "warn"
 ignore = [
     "RUSTSEC-2024-0436", # "paste" is no longer maintained

supply-chain/README.md

@@ -107,8 +107,32 @@ will be automatically removed by `cargo vet`, while `cargo vet --locked` will co
     | Jonas Platte | jplatte | Member of `tokio-rs` and `tower-rs`, maintainer of `axum`. |
     | Eliza Weisman | hawkw | Member of `tokio-rs` and `tower-rs`, creator/maintainer of `tracing` crates and crates related to `tokio-console`. |
     | Jon Gjengset | jonhoo | Educator, author of "Rust for Rustaceans", author and maintainer of the `hdrhistogram` crate used by `console-subscriber`. |
+    | Frank Denis | jedisct1 | Member of `WebAssembly` and `wasm-crypto`, creator/maintainer of `libsodium`. |
+    | Hayden Stainsby | hds | One of the owners of the `tracing` crates. Recent versions of `tracing` were published by him. |
 
 - We also trust the crates that we've forked.
 
     Normally this is done by putting them to the `policy` table in `config.toml` and setting its
     `audit-as-crates-io` key to `false`.
+
+## What to do when a dependency gets updated and `cagro vet` starts complaining.
+
+- First of all, run `cargo vet check` (i.e. without `--locked`), which may pull some new audits.
+
+- The `cargo vet check` call above may also suggest trusting crates published by people that we already trust, so you may run what it suggests.\
+  Alternatively, you may want to just run `cargo vet trust` for all publishers that we already trust, e.g.
+  ```
+  for var in alexcrichton Darksonn Amanieu ...; do cargo vet trust --all "$var" --allow-multiple-publishers --criteria safe-to-deploy; done
+  ```
+  (use all publisher ids both from the list and the table above).
+
+- Consider adding new publishers as trusted. In particular, if a crate is from an ecosystem that we generally trust (e.g. `tracing`)
+  and a new version of that crate has been published by a new publisher, it makes sense to add that publisher as trusted as well (after
+  verifying that the person is indeed among the crate's owners/maintainers).
+
+  Don't forget to add the newly trusted publishers to the table above.
+
+- Consider making an audit yourself.
+
+- Finally, if there are still some unvetted dependecies, run `cargo vet regenerate exemptions`, which will create new exemptions
+  or update existing ones.

supply-chain/audits.toml

@@ -191,7 +191,7 @@ end = "2026-10-15"
 
 [[trusted.bip39]]
 criteria = "safe-to-deploy"
-user-id = 28012 # Steven Roose (stevenroose)
+user-id = 28012
 start = "2020-07-22"
 end = "2026-10-15"
 
@@ -1455,6 +1455,12 @@ user-id = 5059 # Artyom Pavlov (newpavlov)
 start = "2020-01-06"
 end = "2026-10-15"
 
+[[trusted.siphasher]]
+criteria = "safe-to-deploy"
+user-id = 468 # Frank Denis (jedisct1)
+start = "2019-09-20"
+end = "2027-02-11"
+
 [[trusted.slab]]
 criteria = "safe-to-deploy"
 user-id = 6741 # Alice Ryhl (Darksonn)
@@ -1707,24 +1713,48 @@ user-id = 1249 # Eliza Weisman (hawkw)
 start = "2019-06-28"
 end = "2027-02-11"
 
+[[trusted.tracing]]
+criteria = "safe-to-deploy"
+user-id = 172786 # Hayden Stainsby (hds)
+start = "2024-11-27"
+end = "2027-02-11"
+
 [[trusted.tracing-attributes]]
 criteria = "safe-to-deploy"
 user-id = 1249 # Eliza Weisman (hawkw)
 start = "2019-08-08"
 end = "2027-02-11"
 
+[[trusted.tracing-attributes]]
+criteria = "safe-to-deploy"
+user-id = 172786 # Hayden Stainsby (hds)
+start = "2024-11-26"
+end = "2027-02-11"
+
 [[trusted.tracing-core]]
 criteria = "safe-to-deploy"
 user-id = 1249 # Eliza Weisman (hawkw)
 start = "2019-06-20"
 end = "2027-02-11"
 
+[[trusted.tracing-core]]
+criteria = "safe-to-deploy"
+user-id = 172786 # Hayden Stainsby (hds)
+start = "2024-11-25"
+end = "2027-02-11"
+
 [[trusted.tracing-serde]]
 criteria = "safe-to-deploy"
 user-id = 1249 # Eliza Weisman (hawkw)
 start = "2019-06-27"
 end = "2027-02-11"
 
+[[trusted.tracing-serde]]
+criteria = "safe-to-deploy"
+user-id = 172786 # Hayden Stainsby (hds)
+start = "2024-11-27"
+end = "2027-02-11"
+
 [[trusted.tracing-subscriber]]
 criteria = "safe-to-deploy"
 user-id = 10
@@ -1737,6 +1767,12 @@ user-id = 1249 # Eliza Weisman (hawkw)
 start = "2019-06-27"
 end = "2027-02-11"
 
+[[trusted.tracing-subscriber]]
+criteria = "safe-to-deploy"
+user-id = 172786 # Hayden Stainsby (hds)
+start = "2024-11-29"
+end = "2027-02-11"
+
 [[trusted.unicode-ident]]
 criteria = "safe-to-deploy"
 user-id = 3618 # David Tolnay (dtolnay)