Allow webpki in deny.toml #76
Seems OK to me. Please message @muursh to ensure he's OK with it as well.
ff485e7 to 54edb41
Any cargo-deny experts interested in helping with these new errors? There are 11 duplicate crate errors, here's one example for
Well, if both come from the same library, then there's no way around it except to skip it.
I'll just ignore the ones that are from libp2p then. I can't even test this locally because it segfaults on my machine, I love cargo-deny. Sorry for incoming spam
Yeah, fine by me to add it. And yeah, for all the duplicates within a dependency the only way around that is to add rules to skip them, which isn't a great solution but it's the only one there is.
There's a problem, we also need to change the versions of The digest code isn't too bad I suppose, apart from removing Or do we make
It seems to be inevitable to add digest libraries to exceptions. I was gonna do that for Tari (and I remember doing it for sha/sha2/sha3/blake/ripmd, but maybe I was able to skip that because I skipped adding tari_utilties eventually... I don't remember). So if you have to add them to exceptions, that's OK from my end.
Yeah, as I just said on Slack, the one thing we need to be careful of is what changed between versions, to make sure there aren't crypto issues being fixed between versions. But yeah, right now the versions mentioned here are fine. We just need to be careful about which versions we use in the future, but yeah, adding a skip rule here is fine for me too.
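Added example, not part of the thread or of the project's code: a small check that reads a `Cargo.lock` and reports, for every crate locked at more than one version, which direct dependency pulls each version in, so a skip rule is only written for duplicates that really come from libp2p alone. The lock excerpt is constructed, the root crate `app` and the function names are hypothetical, and all version numbers are invented.

```python
import re

LOCK = """# Constructed, condensed Cargo.lock excerpt: crate names from the thread, versions invented
[[package]]
name = "app"
version = "0.1.0"
dependencies = ["libp2p"]
[[package]]
name = "digest"
version = "0.9.0"
[[package]]
name = "digest"
version = "0.10.0"
[[package]]
name = "libp2p"
version = "0.1.0"
dependencies = ["digest 0.9.0", "libp2p-core"]
[[package]]
name = "libp2p-core"
version = "0.1.0"
dependencies = ["digest 0.10.0"]
"""

def parse_lock(text):
    """Map (name, version) -> dependency entries ("name" or "name version ...")."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name, ver = (re.search(rf'^{k} = "(.+?)"', block, re.M).group(1) for k in ("name", "version"))
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        pkgs[name, ver] = re.findall(r'"(.+?)"', deps.group(1)) if deps else []
    return pkgs

def duplicate_origins(text, root):
    """Per multi-version crate: version -> direct dependencies of `root` that pull it in."""
    pkgs = parse_lock(text)
    by_name = {n: [k for k in pkgs if k[0] == n] for n, _ in pkgs}
    def resolve(dep):  # Cargo.lock omits the version when the crate name is unambiguous
        return tuple(dep.split()[:2]) if " " in dep else by_name[dep][0]
    origins = {}
    for top in map(resolve, pkgs[resolve(root)]):
        seen, stack = set(), [top]
        while stack:
            key = stack.pop()
            if key not in seen:
                seen.add(key)
                stack.extend(map(resolve, pkgs[key]))
                if len(by_name[key[0]]) > 1:
                    origins.setdefault(key[0], {}).setdefault(key[1], set()).add(top[0])
    return {n: {v: sorted(t) for v, t in vs.items()} for n, vs in origins.items()}
```

A crate whose every version lists only `libp2p` cannot be deduplicated from this side; one that also lists a direct dependency of your own can usually be aligned instead of skipped.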
According to the GitHub repository it's licensed under a custom, ISC-style license. The author says that some of the files in `tests/` are not under ISC but doesn't mention what the license is. Anyway, it's not like we have a choice with this because it's a dependency of libp2p.
https://github.com/briansmith/webpki
briansmith/webpki#246 (comment)