Trust crates published by dtolnay, epage, cuviper, Amanieu #6697
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cfallin
approved these changes
Jul 6, 2023
|
Oops, I typo'd David Tolnay's username so he's not actually in this PR. I want to clean that up before merging. |
We discussed this in today's Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release. This reduces our estimated audit backlog by about 184 kLOC. For the most part, the trust records I'm adding here are identical to trust records that Mozilla is using. The fact that they've also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows: I've chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn't use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I've chosen to be conservative about what we trust. - autocfg: we only have an exception for an old version, and that version is only used transitively by wasi-crypto. - env_logger: Mozilla has audited some versions; we should update, or add delta audits. - thread_local: only used by tracing-subscriber which is only used in dev-dependencies. I've trusted one crate that Mozilla did not: libm, when published by Amanieu. We're trusting libc when published by the same author, and libm is a small extension of the same trust. Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They've been delta-auditing the newer versions. I've chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
jameysharp
changed the title
|
Now that I've correctly added dtolnay to this PR, I'd appreciate re-review before we merge this. |
cfallin
approved these changes
Jul 7, 2023
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We discussed this in today's Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release.
This reduces our estimated audit backlog by about 184 kLOC.
For the most part, the trust records I'm adding here are identical to trust records that Mozilla is using. The fact that they've also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows:
I've chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn't use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I've chosen to be conservative about what we trust.
I've trusted one crate that Mozilla did not: libm, when published by Amanieu. We're trusting libc when published by the same author, and libm is a small extension of the same trust.
Recent versions of the toml crate have been published by epage so I looked at in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They've been delta-auditing the newer versions. I've chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.
This PR is a step toward #6672, but I've run
cargo vetmyself rather than relying on anyone else's vetting.