Wasmtime GitHub notifications bot (Dec 14 2022 at 03:25): Wasmtime GitHub notifications bot (Dec 14 2022 at 03:25):cfallin commented on issue #5434:
I did an audit of
object's upgrade; howevercargo vetis showing an audit backlog ofhashbrown,once_cell, andahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?
Wasmtime GitHub notifications bot (Dec 14 2022 at 22:23):fitzgen commented on issue #5434:
or am I missing something about our policy here on core/popular crates?
Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps.
Wasmtime GitHub notifications bot (Dec 14 2022 at 22:23):fitzgen edited a comment on issue #5434:
or am I missing something about our policy here on core/popular crates?
Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps if Firefox folks haven't already done so.
Wasmtime GitHub notifications bot (Jan 29 2023 at 11:46):EdorianDark commented on issue #5434:
I did an audit of
object's upgrade; howevercargo vetis showing an audit backlog ofhashbrown,once_cell, andahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?Since there is no review process for an Rust update, all of
stdis considered trusted.
Hashbrown is part of the rust-lang organization and is used bystd::HashMap,so it is trusted if it is part ofstd.
I think that trust should be extended if it is used directly and also to its dependencies likeahashand indirect dependencies likeonce_cell.
Wasmtime GitHub notifications bot (Jan 29 2023 at 11:54):EdorianDark edited a comment on issue #5434:
I did an audit of
object's upgrade; howevercargo vetis showing an audit backlog ofhashbrown,once_cell, andahash, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?Since there is no review process for an Rust update, all of
stdis considered trusted.
Hashbrown is part of the rust-lang organization and is used bystd::HashMap,so it is trusted if it is part ofstd.
I think that trust should be extended if it is used directly and also to its dependencies likeahashand indirect dependencies likeonce_cell.EDIT: The reviews were already done in https://github.com/bytecodealliance/wasmtime/pull/5550, which will probably land soon.
Wasmtime GitHub notifications bot (Feb 09 2023 at 00:06):cfallin commented on issue #5434:
@nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...
Wasmtime GitHub notifications bot (Feb 09 2023 at 01:42):nathanwhit commented on issue #5434:
@nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...
Done!
Wasmtime GitHub notifications bot (Feb 09 2023 at 02:08):jameysharp commented on issue #5434:
Ah, the merged cargo-vet review for the object crate is for 0.30.1, not 0.30. If you bump to that version, I believe the cargo-vet check will pass.
In addition,
cargo-denyis failing because there are multiple versions ofahash,hashbrown, andobjectbeing pulled in by different crates. I think these have all been resolved in #5550, but that hasn't merged yet.I'm sorry that this PR is taking a long time to merge. We're still working out our processes for supply-chain review. We're learning though!
Wasmtime GitHub notifications bot (Feb 09 2023 at 17:36):EdorianDark commented on issue #5434:
@cfallin I think the best way would be to merge https://github.com/bytecodealliance/wasmtime/pull/5513, since there are object is already updated to 0.30.1
Wasmtime GitHub notifications bot (Feb 15 2023 at 17:48):EdorianDark commented on issue #5434:
Now object has been updated in master. I think with an rebase the build should succeed.
Thanks for your work!
Wasmtime GitHub notifications bot (Mar 24 2023 at 09:45):cbeuw commented on issue #5434:
Rebased this locally onto main and all tests pass (except for a filetest needing bless due to https://github.com/bytecodealliance/wasmtime/pull/5780). Any updates on this?
Wasmtime GitHub notifications bot (Mar 24 2023 at 17:19):nathanwhit commented on issue #5434:
Ah sorry, completely forgot this hadn't been merged. Thanks for the reminder!
I've rebased on top of main so it should be good to go now
Last updated: Nov 22 2024 at 16:03 UTC