gecko-dev/supply-chain/config.toml
Emilio Cobos Álvarez c76b2e267d Bug 1926269 - Changes to allow publishing selectors. r=supply-chain-reviewers
to_shmem and to_shmem_derive need a description, and selectors needs a
version bump.

Tweak supply-chain audits / config to deal with now published crates.

Differential Revision: https://phabricator.services.mozilla.com/D226468
2024-10-23 19:54:49 +00:00

766 lines
19 KiB
TOML

# cargo-vet config file
[cargo-vet]
version = "0.10"
[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
[imports.embark-studios]
url = "https://raw.githubusercontent.com/EmbarkStudios/rust-ecosystem/main/audits.toml"
[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"
[imports.isrg]
url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/audits.toml"
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
[policy.allocator-api2]
audit-as-crates-io = true
notes = "This is the upstream code without the Box implementation which may have a soundness issue."
[policy.any_all_workaround]
audit-as-crates-io = true
notes = "This is the upstream code plus the ARM intrinsics workaround from qcms, see bug 1882209."
[policy.autocfg]
audit-as-crates-io = true
notes = "This is the upstream code plus a few local fixes, see bug 1685697."
[policy."bindgen:0.69.4"]
audit-as-crates-io = true
notes = "This is the upstream code plus a fix for clang trunk. See bug 1894093."
[policy.chardetng]
audit-as-crates-io = true
notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
[policy.chardetng_c]
audit-as-crates-io = true
notes = "This is a crate Henri wrote which is also published. We should probably update Firefox to tip and certify that."
[policy.coremidi]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
[policy.cose]
audit-as-crates-io = true
notes = "This is upstream plus a warning fix from bug 1823866."
[policy.firefox-on-glean]
audit-as-crates-io = false
notes = "The crates.io version of this is just a placeholder to allow public crates to depend on firefox-on-glean."
[policy.geckodriver]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
[policy.gkrust-gtest]
criteria = "safe-to-run"
notes = "Used for testing."
[policy.gkrust-shared]
dependency-criteria = { tokio-reactor = [], tokio-threadpool = [] }
notes = "The dependencies on tokio-reactor and tokio-threadpools are just a hack to pin the version used by audioipc-{client,server}. Suppress vetting on those for the same reasons behind the policy entries."
[policy.gluesmith]
criteria = "safe-to-run"
notes = "Used for fuzzing."
[policy.http3server]
criteria = "safe-to-run"
notes = "Used for testing."
[policy.icu_capi]
audit-as-crates-io = true
notes = "Patched version of upstream"
[policy.icu_segmenter_data]
audit-as-crates-io = true
notes = "Patched version of upstream"
[policy.l10nregistry]
dependency-criteria = { fluent-testing = "safe-to-run", tokio = "safe-to-run" }
notes = "This crate has two testing-only dependencies which are specified as regular-but-optional rather than a dev-dependencies, because they need to be available to both benchmarks and integration tests."
[policy.libudev-sys]
audit-as-crates-io = false
notes = "This override is an api-compatible fork with an orthogonal implementation."
[policy."libz-rs-sys:0.2.1@git:4aa430ccb77537d0d60dab8db993ca51bb1194c5"]
audit-as-crates-io = true
[policy.malloc_size_of_derive]
audit-as-crates-io = false
notes = "This was originally servo code which Bobby Holley put on crates.io some years ago and that was moved in-tree as first-party code later on."
[policy.marionette]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
[policy.midir]
audit-as-crates-io = true
notes = "This is a pinned version of the upstream code, presumably to get a fix that hadn't been released yet. We should consider switching to the latest official release."
[policy.mozbuild]
audit-as-crates-io = false
notes = "The crates.io version of this is just a placeholder to allow public crates to depend on mozbuild."
[policy.mozdevice]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
[policy.mozglue-static]
dependency-criteria = { rustc_version = "safe-to-run" }
notes = "The rustc_version dependency is only used in the build script, and does not generate any runtime code"
[policy.mozilla-central-workspace-hack]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io as a convenience for other in-tree crates that depend on it and are published as well. The dependencies from this crate are dependencies of other crates that will get the right criteria through them, but using safe-to-deploy for this one would be too broad."
[policy.mozprofile]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
[policy.mozrunner]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
[policy.mozversion]
audit-as-crates-io = false
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here."
[policy.mp4parse]
audit-as-crates-io = false
[policy.mp4parse_capi]
audit-as-crates-io = false
[policy.naga]
audit-as-crates-io = true
notes = "Part of the wgpu repository, pinned as the rest of wgpu crates."
[policy.peek-poke]
audit-as-crates-io = false
[policy.peek-poke-derive]
audit-as-crates-io = false
[policy.plist]
audit-as-crates-io = true
notes = "This is the upstream code plus one local fix, see bug 1874167."
[policy.pulse]
audit-as-crates-io = false
notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
[policy.qcms]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
[policy.rure]
audit-as-crates-io = true
notes = "Identical to upstream, but with cdylib and staticlib targets disabled to avoid unnecessary build artifacts and linker errors."
[policy.selectors]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
[policy.servo_arc]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io, but we should publish audits for it for the benefit of the ecosystem."
[policy.smoosh]
criteria = "safe-to-run"
notes = "We're not shipping this and have no plans to ship it."
[policy.storage]
audit-as-crates-io = false
notes = "This is a first-party crate which is entirely unrelated to the crates.io package of the same name."
[policy.tabs]
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
[policy.to_shmem]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io"
[policy.to_shmem_derive]
audit-as-crates-io = true
notes = "This is a first-party crate which is also published to crates.io"
[policy.unicode-bidi]
audit-as-crates-io = true
[policy.viaduct]
audit-as-crates-io = false
notes = "This is a first-party crate, maintained by the appservices team, which is entirely unrelated to the crates.io package of the same name."
[policy.webdriver]
audit-as-crates-io = false
criteria = "safe-to-run"
notes = "This is a first-party crate which is also published to crates.io. We certify audits for this crate as part of the documented release process, but that step happens after the version bump lands on central so we don't enforce it here. It's also used only for automation, so its subtree can be safe-to-run."
[policy.webrender]
audit-as-crates-io = false
[policy.webrender_api]
audit-as-crates-io = false
[policy.webrender_build]
audit-as-crates-io = false
[policy.wgpu-core]
audit-as-crates-io = true
notes = "Upstream project which we pin."
[policy.wgpu-hal]
audit-as-crates-io = true
notes = "Upstream project which we pin."
[policy.wgpu-types]
audit-as-crates-io = true
notes = "Upstream project which we pin."
[policy.windows]
audit-as-crates-io = true
notes = "Local override of the crates.io crate that uses a non-vendored local copy of the downloaded crate"
[policy.wr_malloc_size_of]
audit-as-crates-io = false
[policy."zlib-rs:0.2.1@git:4aa430ccb77537d0d60dab8db993ca51bb1194c5"]
audit-as-crates-io = true
[[exemptions.ahash]]
version = "0.7.6"
criteria = "safe-to-deploy"
[[exemptions.alsa]]
version = "0.4.3"
criteria = "safe-to-deploy"
[[exemptions.alsa-sys]]
version = "0.3.1"
criteria = "safe-to-deploy"
[[exemptions.android_log-sys]]
version = "0.2.0"
criteria = "safe-to-deploy"
[[exemptions.askama_derive]]
version = "0.11.2"
criteria = "safe-to-deploy"
[[exemptions.askama_escape]]
version = "0.10.3"
criteria = "safe-to-deploy"
[[exemptions.async-task]]
version = "4.0.3"
criteria = "safe-to-deploy"
[[exemptions.bincode]]
version = "1.3.3"
criteria = "safe-to-deploy"
[[exemptions.bitreader]]
version = "0.3.6"
criteria = "safe-to-deploy"
[[exemptions.block]]
version = "0.1.6"
criteria = "safe-to-deploy"
[[exemptions.cache-padded]]
version = "1.2.0"
criteria = "safe-to-deploy"
[[exemptions.camino]]
version = "1.0.9"
criteria = "safe-to-deploy"
[[exemptions.chrono]]
version = "0.4.19"
criteria = "safe-to-deploy"
[[exemptions.chunky-vec]]
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.clang-sys]]
version = "1.3.3"
criteria = "safe-to-deploy"
[[exemptions.cookie]]
version = "0.16.0"
criteria = "safe-to-run"
[[exemptions.coreaudio-sys]]
version = "0.2.10"
criteria = "safe-to-deploy"
[[exemptions.coremidi]]
version = "0.6.0@git:fc68464b5445caf111e41f643a2e69ccce0b4f83"
criteria = "safe-to-deploy"
[[exemptions.coremidi-sys]]
version = "3.1.0"
criteria = "safe-to-deploy"
[[exemptions.cose]]
version = "0.1.4"
criteria = "safe-to-deploy"
[[exemptions.cose-c]]
version = "0.1.5"
criteria = "safe-to-deploy"
[[exemptions.cpufeatures]]
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.crossbeam-channel]]
version = "0.5.4"
criteria = "safe-to-deploy"
[[exemptions.crossbeam-deque]]
version = "0.8.1"
criteria = "safe-to-deploy"
[[exemptions.crossbeam-epoch]]
version = "0.9.8"
criteria = "safe-to-deploy"
[[exemptions.crossbeam-utils]]
version = "0.8.8"
criteria = "safe-to-deploy"
[[exemptions.darling]]
version = "0.13.4"
criteria = "safe-to-deploy"
[[exemptions.darling_core]]
version = "0.13.4"
criteria = "safe-to-deploy"
[[exemptions.darling_macro]]
version = "0.13.4"
criteria = "safe-to-deploy"
[[exemptions.data-encoding]]
version = "2.3.2"
criteria = "safe-to-deploy"
[[exemptions.dbus]]
version = "0.6.5"
criteria = "safe-to-deploy"
[[exemptions.derive_more-impl]]
version = "1.0.0-beta.2"
criteria = "safe-to-deploy"
notes = "The crate is new to version 1.0.x, and derived from older versions of derive_more. The differences against 0.99.17 have been audited, but cargo-vet cannot record this information."
[[exemptions.devd-rs]]
version = "0.3.4"
criteria = "safe-to-deploy"
[[exemptions.digest]]
version = "0.10.3"
criteria = "safe-to-deploy"
[[exemptions.dirs]]
version = "4.0.0"
criteria = "safe-to-deploy"
[[exemptions.dirs-sys]]
version = "0.3.7"
criteria = "safe-to-deploy"
[[exemptions.dns-parser]]
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.enumset]]
version = "1.0.11"
criteria = "safe-to-deploy"
[[exemptions.enumset_derive]]
version = "0.6.0"
criteria = "safe-to-deploy"
[[exemptions.env_logger]]
version = "0.9.0"
criteria = "safe-to-deploy"
[[exemptions.error-chain]]
version = "0.12.4"
criteria = "safe-to-deploy"
[[exemptions.fallible-iterator]]
version = "0.2.0"
criteria = "safe-to-deploy"
[[exemptions.fallible-streaming-iterator]]
version = "0.1.9"
criteria = "safe-to-deploy"
[[exemptions.fallible_collections]]
version = "0.4.4"
criteria = "safe-to-deploy"
[[exemptions.ffi-support]]
version = "0.4.4"
criteria = "safe-to-deploy"
[[exemptions.float-cmp]]
version = "0.6.0"
criteria = "safe-to-deploy"
[[exemptions.fs-err]]
version = "2.7.0"
criteria = "safe-to-deploy"
[[exemptions.futures-macro]]
version = "0.3.21"
criteria = "safe-to-deploy"
[[exemptions.futures-task]]
version = "0.3.21"
criteria = "safe-to-deploy"
[[exemptions.futures-util]]
version = "0.3.21"
criteria = "safe-to-deploy"
[[exemptions.generic-array]]
version = "0.14.5"
criteria = "safe-to-deploy"
[[exemptions.getrandom]]
version = "0.2.6"
criteria = "safe-to-deploy"
[[exemptions.gl_generator]]
version = "0.14.0"
criteria = "safe-to-deploy"
[[exemptions.glsl]]
version = "6.0.1"
criteria = "safe-to-deploy"
[[exemptions.goblin]]
version = "0.1.3"
criteria = "safe-to-deploy"
[[exemptions.gpu-alloc]]
version = "0.5.3"
criteria = "safe-to-deploy"
[[exemptions.gpu-alloc-types]]
version = "0.2.0"
criteria = "safe-to-deploy"
[[exemptions.gpu-descriptor]]
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.gpu-descriptor-types]]
version = "0.1.1"
criteria = "safe-to-deploy"
[[exemptions.hashlink]]
version = "0.7.0"
criteria = "safe-to-deploy"
[[exemptions.hexf-parse]]
version = "0.2.1"
criteria = "safe-to-deploy"
[[exemptions.ioctl-sys]]
version = "0.7.1"
criteria = "safe-to-deploy"
[[exemptions.itertools]]
version = "0.10.3"
criteria = "safe-to-deploy"
[[exemptions.khronos-egl]]
version = "4.1.0"
criteria = "safe-to-deploy"
[[exemptions.khronos_api]]
version = "3.1.0"
criteria = "safe-to-deploy"
[[exemptions.lazycell]]
version = "1.3.0"
criteria = "safe-to-deploy"
[[exemptions.libdbus-sys]]
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.libloading]]
version = "0.7.3"
criteria = "safe-to-deploy"
[[exemptions.libsqlite3-sys]]
version = "0.25.2"
criteria = "safe-to-deploy"
suggest = false
notes = "The in-gecko feature that we enable makes only pre-built bindings used, and none of the embedded C code is built. The build script was audited and is not doing anything besides exposing those bindings"
[[exemptions.libudev]]
version = "0.2.0"
criteria = "safe-to-deploy"
[[exemptions.lmdb-rkv-sys]]
version = "0.11.2"
criteria = "safe-to-deploy"
suggest = false
notes = "This crate is forked from another crate and not developed in-house. Given that LMDB-backed RKV is going away, we will probably never bother auditing this"
[[exemptions.mach]]
version = "0.3.2"
criteria = "safe-to-deploy"
[[exemptions.memalloc]]
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.memmap2]]
version = "0.5.4"
criteria = "safe-to-deploy"
[[exemptions.memoffset]]
version = "0.6.5"
criteria = "safe-to-deploy"
[[exemptions.midir]]
version = "0.7.0"
criteria = "safe-to-deploy"
[[exemptions.mime_guess]]
version = "2.0.4"
criteria = "safe-to-deploy"
[[exemptions.minimal-lexical]]
version = "0.2.1"
criteria = "safe-to-deploy"
[[exemptions.mio]]
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.murmurhash3]]
version = "0.0.5"
criteria = "safe-to-deploy"
[[exemptions.nix]]
version = "0.15.0"
criteria = "safe-to-deploy"
[[exemptions.objc]]
version = "0.2.7"
criteria = "safe-to-deploy"
[[exemptions.object]]
version = "0.28.4"
criteria = "safe-to-deploy"
[[exemptions.once_cell]]
version = "1.12.0"
criteria = "safe-to-deploy"
[[exemptions.phf]]
version = "0.10.1"
criteria = "safe-to-deploy"
[[exemptions.phf_codegen]]
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.phf_generator]]
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.phf_macros]]
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.phf_shared]]
version = "0.10.0"
criteria = "safe-to-deploy"
[[exemptions.plain]]
version = "0.2.3"
criteria = "safe-to-deploy"
[[exemptions.plist]]
version = "1.3.1"
criteria = "safe-to-run"
[[exemptions.ppv-lite86]]
version = "0.2.16"
criteria = "safe-to-deploy"
[[exemptions.profiling]]
version = "1.0.6"
criteria = "safe-to-deploy"
[[exemptions.prost]]
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.prost-derive]]
version = "0.8.0"
criteria = "safe-to-deploy"
[[exemptions.quick-error]]
version = "1.2.3"
criteria = "safe-to-deploy"
[[exemptions.rand]]
version = "0.8.5"
criteria = "safe-to-deploy"
[[exemptions.remove_dir_all]]
version = "0.5.3"
criteria = "safe-to-deploy"
[[exemptions.replace_with]]
version = "0.1.7"
criteria = "safe-to-deploy"
[[exemptions.ringbuf]]
version = "0.2.8"
criteria = "safe-to-deploy"
[[exemptions.ron]]
version = "0.7.0"
criteria = "safe-to-deploy"
[[exemptions.runloop]]
version = "0.1.0"
criteria = "safe-to-deploy"
[[exemptions.rusqlite]]
version = "0.27.0"
criteria = "safe-to-deploy"
[[exemptions.rust-ini]]
version = "0.10.3"
criteria = "safe-to-deploy"
[[exemptions.rust_decimal]]
version = "1.24.0"
criteria = "safe-to-deploy"
[[exemptions.scroll]]
version = "0.10.2"
criteria = "safe-to-deploy"
[[exemptions.scroll_derive]]
version = "0.10.5"
criteria = "safe-to-deploy"
[[exemptions.self_cell]]
version = "0.10.2"
criteria = "safe-to-deploy"
[[exemptions.serde_with]]
version = "1.14.0"
criteria = "safe-to-deploy"
[[exemptions.serde_with_macros]]
version = "1.5.2"
criteria = "safe-to-deploy"
[[exemptions.sfv]]
version = "0.9.2"
criteria = "safe-to-deploy"
[[exemptions.shlex]]
version = "1.1.0"
criteria = "safe-to-deploy"
[[exemptions.siphasher]]
version = "0.3.10"
criteria = "safe-to-deploy"
[[exemptions.socket2]]
version = "0.4.4"
criteria = "safe-to-deploy"
[[exemptions.spirv]]
version = "0.2.0+1.5.4"
criteria = "safe-to-deploy"
[[exemptions.stable_deref_trait]]
version = "1.2.0"
criteria = "safe-to-deploy"
[[exemptions.tempfile]]
version = "3.3.0"
criteria = "safe-to-deploy"
[[exemptions.time]]
version = "0.1.44"
criteria = "safe-to-deploy"
[[exemptions.triple_buffer]]
version = "5.0.6"
criteria = "safe-to-deploy"
[[exemptions.type-map]]
version = "0.4.0"
criteria = "safe-to-deploy"
[[exemptions.typenum]]
version = "1.15.0"
criteria = "safe-to-deploy"
[[exemptions.unix_path]]
version = "1.0.1"
criteria = "safe-to-run"
[[exemptions.unix_str]]
version = "1.0.0"
criteria = "safe-to-run"
[[exemptions.uuid]]
version = "0.8.2"
criteria = "safe-to-deploy"
[[exemptions.webrtc-sdp]]
version = "0.3.9"
criteria = "safe-to-deploy"
[[exemptions.winapi]]
version = "0.3.9"
criteria = "safe-to-deploy"
[[exemptions.winapi-i686-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"
[[exemptions.winapi-x86_64-pc-windows-gnu]]
version = "0.4.0"
criteria = "safe-to-deploy"
[[exemptions.wio]]
version = "0.2.2"
criteria = "safe-to-deploy"
[[exemptions.xml-rs]]
version = "0.8.4"
criteria = "safe-to-deploy"