Trust crates published by dtolnay, epage, cuviper, Amanieu #6697
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We discussed this in today's Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release.
This reduces our estimated audit backlog by about 184 kLOC.
For the most part, the trust records I'm adding here are identical to trust records that Mozilla is using. The fact that they've also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows:
I've chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn't use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I've chosen to be conservative about what we trust.
I've trusted one crate that Mozilla did not: libm, when published by Amanieu. We're trusting libc when published by the same author, and libm is a small extension of the same trust.
Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They've been delta-auditing the newer versions. I've chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
This PR is a step toward #6672, but I've run
cargo vet
myself rather than relying on anyone else's vetting.