Stream: git-wasmtime

Topic: wasmtime / PR #6697 Trust crates published by dtolnay, ep...

Wasmtime GitHub notifications bot (Jul 06 2023 at 22:45):

jameysharp edited PR #6697:

We discussed this in today's Wasmtime meeting and the consensus was that we trust each of these people to have a sufficient standard of care for anything they release.

This reduces our estimated audit backlog by about 184 kLOC.

For the most part, the trust records I'm adding here are identical to trust records that Mozilla is using. The fact that they've also decided these publishers are trustworthy is reassuring additional evidence for our decision. The exceptions and notable cases are as follows:

I've chosen to not trust three crates by these authors that Mozilla did not trust. I suspect Mozilla simply doesn't use these crates or has manually audited them, rather than there being any problem with the crates themselves. But I've chosen to be conservative about what we trust.

I've trusted one crate that Mozilla did not: libm, when published by Amanieu. We're trusting libc when published by the same author, and libm is a small extension of the same trust.

Recent versions of the toml crate have been published by epage, so I looked at it in this process, but Mozilla only trusts the older versions which were published by alexcrichton. They've been delta-auditing the newer versions. I've chosen to follow their lead on this; Alex is a trusted contributor to Wasmtime anyway.

This PR is a step toward #6672, but I've run cargo vet myself rather than relying on anyone else's vetting.

Wasmtime GitHub notifications bot (Jul 07 2023 at 00:16):

cfallin submitted PR review.

Wasmtime GitHub notifications bot (Jul 07 2023 at 15:04):

alexcrichton merged PR #6697.
Last updated: Oct 23 2024 at 20:03 UTC