I’m attempting to upgrade the target-lexicon dependency to 0.12.12 in Cargo.toml, but that leads to cargo vet complaining about it not having been audited, despite the [[trusted.target-lexicon]] entry in audits.toml. I tried running cargo vet locally as well, but can’t really figure out what the steps are to get the information about the crate updated correctly. I’ve reviewed the changes between the current version and 0.12.12, but running cargo vet certify target-lexicon 0.12.12 ends up adding
+[[audits.target-lexicon]]
+who = "Simonas Kazlauskas <git@kazlauskas.me>"
+criteria = "safe-to-deploy"
+version = "0.12.12"
+
rather than the diff-based audit I would have expected. And yet I can’t find any indication that target-lexicon has been audited before. There's a [[trusted.target-lexicon]] section, but as seen in the PR that’s not good enough for whatever reason? So the question then is, what’s the right way to mark 0.12.12 as good?
The target-lexicon crate is maintained by Dan, who is also a core maintainer of Wasmtime, so we have cargo vet configured to automatically trust all target-lexicon crates published by Dan; see audits.toml:3262.
When I update the crate locally and then just run cargo vet, it fills in the import of the 0.12.12 version automatically:
[phickey@pch-tower:src/wasmtime]% cargo update -p target-lexicon
Updating crates.io index
Updating target-lexicon v0.12.3 -> v0.12.12
[phickey@pch-tower:src/wasmtime]% cargo vet
Vetting Succeeded (260 fully audited, 32 partially audited, 84 exempted)
WARN Your supply-chain has unnecessary exemptions which could be relaxed or pruned.
WARN Consider running `cargo vet prune` to prune unnecessary exemptions and imports.
[phickey@pch-tower:src/wasmtime]% git diff
diff --git a/Cargo.lock b/Cargo.lock
index 43c3d1089..eb98babe7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2605,9 +2605,9 @@ dependencies = [
[[package]]
name = "target-lexicon"
-version = "0.12.3"
+version = "0.12.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d7fa7e55043acb85fca6b3c01485a2eeb6b69c5d21002e273c79e465f43b7ac1"
+checksum = "14c39fd04924ca3a864207c66fc2cd7d22d7c016007f9ce846cbb9326331930a"
[[package]]
name = "tempfile"
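Review bot: this hunk only advances the locked version from 0.12.3 to 0.12.12 and swaps the checksum; nothing in it records who published the new version, so on its own it would not satisfy cargo vet. The [[trusted.target-lexicon]] rule is applied against the crates.io publisher that cargo vet records in supply-chain/imports.lock, so this Cargo.lock change has to land together with the imports.lock change below rather than as a separate commit.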
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index 9a5b1830e..f8eb0fea5 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -715,6 +715,13 @@ user-id = 6825
user-login = "sunfishcode"
user-name = "Dan Gohman"
+[[publisher.target-lexicon]]
+version = "0.12.12"
+when = "2023-10-19"
+user-id = 6825
+user-login = "sunfishcode"
+user-name = "Dan Gohman"
+
[[publisher.termcolor]]
version = "1.1.3"
when = "2022-03-02"
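Review bot: the new [[publisher.target-lexicon]] record is what makes the [[trusted.target-lexicon]] entry apply to 0.12.12: user-id 6825 / sunfishcode matches the record immediately above it, and the `when = "2023-10-19"` publish date is what cargo vet compares against the trusted entry's start/end dates, so a reviewer should confirm that date sits inside the range given in audits.toml rather than assume it. Note also that imports.lock is generated by `cargo vet`, as the transcript shows; it should be regenerated by running the tool, never hand-edited, and the fact that this is a publisher record rather than an [[audits.*]] entry means no code review of 0.12.3 -> 0.12.12 is recorded anywhere, which is exactly the trade-off the trusted entry makes.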
At any rate, commits to the cargo vet files are only accepted from core Wasmtime contributors, in part to maintain our own supply-chain security and in part because our vets are imported by other projects who transitively trust just our core contributors. So, whenever you make a PR to update something like this, just leave the cargo vet failures in CI and wait for a core contributor to make a PR like https://github.com/bytecodealliance/wasmtime/pull/7380/, then merge with main once the vet PR lands.
Last updated: Nov 22 2024 at 17:03 UTC