Stream: git-wasmtime

Topic: wasmtime / issue #9727 [cargo vet] Trust Google's aggrega...


Wasmtime GitHub notifications bot (Dec 04 2024 at 13:11):

tschneidereit added the dependencies label to Issue #9727.

Wasmtime GitHub notifications bot (Dec 04 2024 at 13:11):

tschneidereit opened issue #9727:

Feature

Google is aggregating cargo vet audits from Fuchsia, Chromium, ChromiumOS, and some internal projects, in a single place. We should switch to importing that aggregation.

Benefit

Switching to the aggregation from our current import of the Fuchsia and Chromium audits would give us more coverage now and in an ongoing manner.

Implementation

It's probably as simple as switching the import, but for all I know there might be a need to evaluate some of Google's custom audit criteria and see how to apply them. ("For all I know", because I didn't deeply check whether there's anything new compared to our current imports.)

Alternatives

Keep things as they are

Wasmtime GitHub notifications bot (Dec 06 2024 at 22:43):

fitzgen commented on issue #9727:

I would be in favor of this.

It's probably as simple as switching the import, but for all I know there might be a need to evaluate some of Google's custom audit criteria and see how to apply them. ("For all I know", because I didn't deeply check whether there's anything new compared to our current imports.)

I skimmed the custom audit criteria and they seem reasonable. I don't think we should adopt their criteria for our uses, but I don't think they will get in our way and I don't think they are lowering audit standards.


Last updated: Dec 23 2024 at 13:07 UTC