Stream: git-wasmtime

Topic: wasmtime / issue #5434 cranelift: Implement TLS on aarch6...


Wasmtime GitHub notifications bot (Dec 14 2022 at 03:25):

cfallin commented on issue #5434:

I did an audit of object's upgrade; however cargo vet is showing an audit backlog of hashbrown, once_cell, and ahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?

Wasmtime GitHub notifications bot (Dec 14 2022 at 22:23):

fitzgen commented on issue #5434:

> or am I missing something about our policy here on core/popular crates?

Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps.

Wasmtime GitHub notifications bot (Dec 14 2022 at 22:23):

fitzgen edited a comment on issue #5434:

> or am I missing something about our policy here on core/popular crates?

Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps if Firefox folks haven't already done so.

Wasmtime GitHub notifications bot (Jan 29 2023 at 11:46):

EdorianDark commented on issue #5434:

> I did an audit of object's upgrade; however cargo vet is showing an audit backlog of hashbrown, once_cell, and ahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?

Since there is no review process for a Rust update, all of std is considered trusted.
Hashbrown is part of the rust-lang organization and is used by std::HashMap, so it is trusted if it is part of std.
I think that trust should be extended if it is used directly and also to its dependencies like ahash and indirect dependencies like once_cell.

Wasmtime GitHub notifications bot (Jan 29 2023 at 11:54):

EdorianDark edited a comment on issue #5434:

> I did an audit of object's upgrade; however cargo vet is showing an audit backlog of hashbrown, once_cell, and ahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?

Since there is no review process for a Rust update, all of std is considered trusted.
Hashbrown is part of the rust-lang organization and is used by std::HashMap, so it is trusted if it is part of std.
I think that trust should be extended if it is used directly and also to its dependencies like ahash and indirect dependencies like once_cell.

EDIT: The reviews were already done in https://github.com/bytecodealliance/wasmtime/pull/5550, which will probably land soon.

Wasmtime GitHub notifications bot (Feb 09 2023 at 00:06):

cfallin commented on issue #5434:

@nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...

Wasmtime GitHub notifications bot (Feb 09 2023 at 01:42):

nathanwhit commented on issue #5434:

> @nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...

Done!

Wasmtime GitHub notifications bot (Feb 09 2023 at 02:08):

jameysharp commented on issue #5434:

Ah, the merged cargo-vet review for the object crate is for 0.30.1, not 0.30. If you bump to that version, I believe the cargo-vet check will pass.

In addition, cargo-deny is failing because there are multiple versions of ahash, hashbrown, and object being pulled in by different crates. I think these have all been resolved in #5550, but that hasn't merged yet.

I'm sorry that this PR is taking a long time to merge. We're still working out our processes for supply-chain review. We're learning though!

Wasmtime GitHub notifications bot (Feb 09 2023 at 17:36):

EdorianDark commented on issue #5434:

@cfallin I think the best way would be to merge https://github.com/bytecodealliance/wasmtime/pull/5513, since there object is already updated to 0.30.1.

Wasmtime GitHub notifications bot (Feb 15 2023 at 17:48):

EdorianDark commented on issue #5434:

Now object has been updated in master. I think with a rebase the build should succeed.
Thanks for your work!

Wasmtime GitHub notifications bot (Mar 24 2023 at 09:45):

cbeuw commented on issue #5434:

Rebased this locally onto main and all tests pass (except for a filetest needing bless due to https://github.com/bytecodealliance/wasmtime/pull/5780). Any updates on this?

Wasmtime GitHub notifications bot (Mar 24 2023 at 17:19):

nathanwhit commented on issue #5434:

Ah sorry, completely forgot this hadn't been merged. Thanks for the reminder!

I've rebased on top of main so it should be good to go now


Last updated: Jan 24 2025 at 00:11 UTC