Cargo deny config

[repi]

How about adding our deny.toml from our main project to the template here and make sure all of our open source crates use it in CI?

I think we want to both disallow more crates and also verify that the dependencies in our open source crates do use compatible licenses. And a good start for that would be to have a shared base deny.toml as well as make cargo-deny part of the standard CI config for all of our crates from the beginning.

Some of our crates may have different or additional rules though, but having a base template or master file would make it a lot easier.

This would also have the benefit of making public our main cargo-deny configuration for visibility/transparency to other projects.

[repi]

Thoughts @Jake-Shadle @arirawr ?

[arirawr]

From a visibility perspective it seems good - do you have a link to the current list of crates @repi ?

[Jake-Shadle]

Yah, by default it could just be the licenses we allow, and, obviously,

[bans]
deny = [
    # You can never be too sure
    { name = "openssl" },
]

[repi]

It is in our private main monorepo so can't post a link here, but this is how our full deny.toml looks like now soon:

[bans]
multiple_versions = "deny"
deny = [
    { name = "openssl" },
    
    # we don't want to use any XML and some of these are 4 year old dependencies
    { name = "RustyXml" },
    { name = "serde-xml-rs" },

    # term is not fully maintained, and termcolor is replacing it
    { name = "term" },

    # dirs crate has a lot of dependencies and there are better alternatives
    { name = "dirs" },
    { name = "dirs-sys" },

    # color-backtrace is nice but brings in too many dependencies and that are often outdated, so not worth it for us.
    { name = "color-backtrace" }
]
skip = [
    # wasmer-runtime-core uses old blake2b_simd
    { name = "blake2b_simd", version = "=0.4.1" },    
    # Both `metal` and `winit` use older versions of cocoa
    { name = "cocoa", version = "=0.18.4" },
    # rayon/rayon-core use very old versions of crossbeam crates,
    # so skip them for now until rayon updates them
    { name = "crossbeam-deque", version = "=0.6.3" },
    { name = "lock_api", version = "<=0.2.0" },
    # rmp uses an ancient version of num-traits
    { name = "num-traits", version = "=0.1.43" },
    # tokio-reactor, wasmer, and winit all use an older version
    # of parking_lot
    { name = "parking_lot", version = "<=0.8.0" },
    { name = "parking_lot_core", version = "<=0.5.0" },
    # multiple crates use old percent-encoding
    { name = "percent-encoding", version = "<=1.0" },
    # rand 0.6.5 -> 0.7.0 was a large change, many crates
    # haven't updated yet
    { name = "rand", version = "=0.6.5" },
    { name = "rand_chacha", version = "=0.1.1" },
    { name = "rand_core", version = "=0.4.2" },
    { name = "rand_core", version = "=0.3.1" },
    { name = "rand_hc", version = "=0.1.0" },
    { name = "rand_pcg", version = "=0.1.2" },
    # lots of transitive dependencies use the pre-1.0 version
    # of scopeguard
    { name = "scopeguard", version = "=0.3.3" },

    # a lot of crates still use the old url 1.7 instead of 2.0
    { name = "url", version = "=1.7" },
    { name = "idna", version = "=0.1.5" },

    # embed-resource uses an older version of winreg
    { name = "winreg", version = "=0.5.1" },
    # tons of transitive dependencies use the older winapi version
    { name = "winapi", version = "=0.2.8" },

    # some macro crates use the pre 1.0 syn dependencies
    { name = "syn", version = "<=0.15" },
    { name = "proc-macro2", version = "<=0.4" },
    { name = "quote", version = "<=0.6" },
    { name = "unicode-xid", version = "=0.1" },
]

[licenses]
unlicensed = "deny"
unknown = "deny"
# We want really high confidence when inferring licenses from text
confidence_threshold = 0.92
allow = [
    "Embark-Proprietary",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-2-Clause-FreeBSD",
    "BSD-3-Clause",
    "BSL-1.0",
    "CC0-1.0",
    "FTL",
    "ISC",
    "LLVM-exception",
    "MIT",
    "MPL-2.0",
    "Unicode-DFS-2016",
    "Unlicense",
    "Zlib",
]
skip = [
    # ring has a rather complicated LICENSE file due to reasons spelled out
    # in said LICENSE file, but is basically OpenSSL for older parts, and ISC
    # for newer parts
    { name = "ring", licenses = [] },
    # webpki uses an ISC license but it only has a 0.83 confidence level
    { name = "webpki", licenses = [] },
]

[[licenses.ignore]]
name = "rustls"
license_files = [
    # This is a top-level LICENSE that just spells out the *actual* 3
    # licenses that can be used with the crate, which askalono is unable
    # to score
    { path = "LICENSE", hash = 0xe567c411 },
]

[[licenses.ignore]]
name = "ct-logs"
license_files = [
    # This license is copied from rustls
    { path = "LICENSE", hash = 0xe567c411 },
]

[[licenses.ignore]]
name = "hyper-rustls"
license_files = [
    # This license is copied from rustls
    { path = "LICENSE", hash = 0x3154a1c7 },
]

[[licenses.ignore]]
name = "sct"
license_files = [
    # Exact same scenario as with rustls et al
    { path = "LICENSE", hash = 0xb7619ae7 },
]

[[licenses.ignore]]
name = "crossbeam-channel"
license_files = [
    # This contains multiple licenses which lowers confidence scores,
    # but is basically a CC-BY-3.0
    { path = "LICENSE-THIRD-PARTY", hash = 0xc6242648 },
]

[[licenses.ignore]]
name = "ring"
license_files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

[[licenses.ignore]]
name = "webpki-roots"
license_files = [
    # This appears to be an automatically generated file, but does
    # contain a MPL-2.0 license in the text, which is also used
    # in the license field
    { path = "LICENSE", hash = 0x6c919c48 },
]

[[licenses.ignore]]
name = "webpki"
license_files = [
    # askalono can correctly identify the license as ISC, but it
    # has a lower confidence of ~0.83 due to modifications, so
    # ignore it specifically so we can raise our confidence threshold
    # quite high so other licenses don't slip through
    { path = "LICENSE", hash = 0x1c7e6c },
]

If we use the full one we do have to have some mechanism of propagating it from our main monorepo to the template and to all the individual crate repos. But that also goes for all the other files in this template repo if/when we do changes on them

[repi]

But can be a good start with just a minimal deny.toml in all of our open source crates also

[arirawr]

Looks great to me - we can just keep it updated with comments on why certain things are excluded.

[arirawr]

@repi any thoughts on what the minimal version would look like? With only the must-haves that apply across all our projects.