cfallin commented on issue #5434:
I did an audit of
object
's upgrade; howevercargo vet
is showing an audit backlog ofhashbrown
,once_cell
, andahash
, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?
fitzgen commented on issue #5434:
or am I missing something about our policy here on core/popular crates?
Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps.
fitzgen edited a comment on issue #5434:
or am I missing something about our policy here on core/popular crates?
Not missing anything AFAIK. Someone just has to bite the bullet and review the new deps and delta for upgraded deps if Firefox folks haven't already done so.
EdorianDark commented on issue #5434:
I did an audit of
object
's upgrade; howevercargo vet
is showing an audit backlog ofhashbrown
,once_cell
, andahash
, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?Since there is no review process for an Rust update, all of
std
is considered trusted.
Hashbrown is part of the rust-lang organization and is used bystd::HashMap,
so it is trusted if it is part ofstd
.
I think that trust should be extended if it is used directly and also to its dependencies likeahash
and indirect dependencies likeonce_cell
.
EdorianDark edited a comment on issue #5434:
I did an audit of
object
's upgrade; howevercargo vet
is showing an audit backlog ofhashbrown
,once_cell
, andahash
, and I don't really feel qualified to audit those at all. Anyone else want to take a crack at it (@alexcrichton, @fitzgen, @jameysharp, @elliottt maybe?) or am I missing something about our policy here on core/popular crates?Since there is no review process for an Rust update, all of
std
is considered trusted.
Hashbrown is part of the rust-lang organization and is used bystd::HashMap,
so it is trusted if it is part ofstd
.
I think that trust should be extended if it is used directly and also to its dependencies likeahash
and indirect dependencies likeonce_cell
.EDIT: The reviews were already done in https://github.com/bytecodealliance/wasmtime/pull/5550, which will probably land soon.
cfallin commented on issue #5434:
@nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...
nathanwhit commented on issue #5434:
@nathanwhit would you be willing to rebase this? I think we should be close to able to merge this with vets that have happened in the meantime...
Done!
jameysharp commented on issue #5434:
Ah, the merged cargo-vet review for the object crate is for 0.30.1, not 0.30. If you bump to that version, I believe the cargo-vet check will pass.
In addition,
cargo-deny
is failing because there are multiple versions ofahash
,hashbrown
, andobject
being pulled in by different crates. I think these have all been resolved in #5550, but that hasn't merged yet.I'm sorry that this PR is taking a long time to merge. We're still working out our processes for supply-chain review. We're learning though!
EdorianDark commented on issue #5434:
@cfallin I think the best way would be to merge https://github.com/bytecodealliance/wasmtime/pull/5513, since there are object is already updated to 0.30.1
EdorianDark commented on issue #5434:
Now object has been updated in master. I think with an rebase the build should succeed.
Thanks for your work!
cbeuw commented on issue #5434:
Rebased this locally onto main and all tests pass (except for a filetest needing bless due to https://github.com/bytecodealliance/wasmtime/pull/5780). Any updates on this?
nathanwhit commented on issue #5434:
Ah sorry, completely forgot this hadn't been merged. Thanks for the reminder!
I've rebased on top of main so it should be good to go now
Last updated: Dec 23 2024 at 12:05 UTC