Add chore cargo-deny
Signed-off-by: MissM [email protected]
The cargo-deny action by the lovely Embark crowd can be used to report on advisories / licenses on PR / push.
I've set it up so that any new advisory will not suddenly trash CI completely.
We can have a separate audit job that runs periodically and raises Issues automatically upon any new advisory.
EDIT: the deny action obviously fails atm
Licensing clarifications needed - besides the ones that the FSF has already decided on as copyleft / compatible:
- ring (think TLS) - same story as with radicle-link. Basically MIT, ISC aaaand OpenSSL (ring borrowed code from BoringSSL, which took code from OpenSSL). Supposedly OpenSSL moved to Apache 2.0 some time after 2017 (https://www.openssl.org/blog/blog/2017/03/22/license/), but the question is what happened to the BoringSSL code, and thereafter to the code in ring that came from nobody-guess-what version of OpenSSL - IANAL
- rad-inspect brings in colored_json, which is Eclipse License 2.0 and, according to the FSF, is not compatible with GPL when not dual licensed: https://directory.fsf.org/wiki/License:EPL-2.0 - https://github.com/radicle-dev/radicle-cli/pull/229
Advisories - Security / Errors
We can either deal with or suppress them after evaluating the impact, if any:
- RUSTSEC-2020-0043 - DoS - Insufficient size checks in outgoing buffer in ws allows remote attacker to run the process OOM
  Crate ws is brought in by walletconnect, which we have no control over - a direct fork exists as parity-ws - https://github.com/housleyjk/ws-rs/issues/291
- RUSTSEC-2020-0159, RUSTSEC-2020-0071 - #231 - clarify & bump chrono features / time dependency
Advisories - Informational / Warns
Usually we nudge people to move away from these; they may contain unsound code / other concerns, but no concrete threats.
- Unmaintained: cbor, ansi_term, ...
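An added example deny.toml, not the one from this PR, showing how the points above map onto cargo-deny settings: advisory lints demoted to "warn" so a fresh RUSTSEC entry does not block PR / push, an ignore list for the advisories triaged above, a license allowlist that covers the three licenses ring carries, and a `[[licenses.clarify]]` block for ring's concatenated LICENSE file. The allowlist contents and the LICENSE hash (the value from cargo-deny's own documentation for ring) are assumptions to be checked against the real lockfile with `cargo deny check`.

```toml
# deny.toml (added example, not the project's config)

[advisories]
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
# "warn" keeps the PR/push job green on a new advisory; a periodic audit job
# can run the same check with a second config (--config deny-audit.toml) that
# sets these to "deny".
vulnerability = "warn"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Advisories already triaged in the PR description; only add an ID here after
# the impact has actually been evaluated.
ignore = [
    "RUSTSEC-2020-0043", # ws OOM DoS, pulled in via walletconnect; fork: parity-ws
    "RUSTSEC-2020-0159", # chrono, tracked in #231
    "RUSTSEC-2020-0071", # time, tracked in #231
]

[licenses]
unlicensed = "deny"
# FSF-listed copyleft licenses are acceptable for this GPL project.
copyleft = "allow"
allow-osi-fsf-free = "neither"
default = "deny"
confidence-threshold = 0.8
# Assumed allowlist; extend from the `cargo deny check licenses` report.
# EPL-2.0 (colored_json via rad-inspect) is deliberately absent so it keeps
# failing until the licensing question is settled.
allow = [
    "MIT",
    "Apache-2.0",
    "ISC",
    "OpenSSL",
    "BSD-2-Clause",
    "BSD-3-Clause",
]

# ring's LICENSE file is several licenses concatenated, which cargo-deny's
# text classifier cannot resolve; state the SPDX expression explicitly.
# The hash is the one cargo-deny's documentation gives for ring's LICENSE;
# cargo-deny prints the expected value if it does not match the vendored file.
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

[bans]
multiple-versions = "warn"
wildcards = "allow"

[sources]
unknown-registry = "deny"
unknown-git = "warn"
```

With this file at the repository root, `cargo deny check advisories` only warns on the PR job, while `cargo deny check licenses` still fails on colored_json, which matches the "deny action obviously fails atm" state described above until that dependency is resolved.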