cannot skip ring and md5 #24

Closed
tshepang opened this issue Aug 30, 2019 · 4 comments
Labels
bug Something isn't working

Comments

@tshepang
Contributor

tshepang commented Aug 30, 2019

I have a simple deny.toml that only has allow. Among my deps is md5 and ring.

❯ cargo deny check --config ../deny.toml
Aug 30 19:18:55.244 INFO checking crates, count: 376
stage: license_check
 Aug 30 19:18:56.490 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/md5-0.6.1/LICENSE.md,hash=0xa7154852, score: 0.7099567, crate: md5@0.6.1
 Aug 30 19:18:56.490 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.14.6/LICENSE,hash=0xbd0eed23, score: 0.6644706, crate: ring@0.14.6
 Aug 30 19:18:56.490 ERRO encountered 2 license errors
failed license check

There seems to be no way to skip them

...
skip = [
    { name = "ring" },
    { name = "md5" },
]

After that addition, I get this instead:

❯ cargo deny check --config ../deny.toml
Aug 30 19:23:27.574 INFO checking crates, count: 376
stage: license_check
 Aug 30 19:23:28.832 WARN crate no longer skipped due to additional license, src: metadata, license: Apache-2.0, crate: md5@0.6.1
 Aug 30 19:23:28.832 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/md5-0.6.1/LICENSE.md,hash=0xa7154852, score: 0.7099567, crate: md5@0.6.1
 Aug 30 19:23:28.832 WARN crate no longer skipped due to finding a license that could be identified, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.14.6/LICENSE,hash=0xbd0eed23, crate: ring@0.14.6
 Aug 30 19:23:28.832 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.14.6/LICENSE,hash=0xbd0eed23, score: 0.6644706, crate: ring@0.14.6
 Aug 30 19:23:28.833 WARN encountered 2 license warnings
 Aug 30 19:23:28.833 ERRO encountered 2 license errors
failed license check
@tshepang tshepang added the bug Something isn't working label Aug 30, 2019
@Jake-Shadle
Member

This is kind of a duplicate of #16.

You need to do a couple of things to properly skip these.

  • You need to ignore the license files that have lower scores than the threshold you set, and it will only be checked if the hash changes.
  • When skipping license checks for a crate, you need to specify the license information it does have, so that if a new version changes any of the licensing, the crate won't be skipped any longer and you need to reevaluate it.

There is #17, feel free to add any suggestions on a config that would be less weird, I will hopefully be doing a lot of changes to cargo-deny next week, so hopefully this can be made better then! (or at least add examples for cases like these)
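The two-step recipe above (pin each low-confidence license file by path and hash under `[[licenses.ignore]]`, and declare what the crate's licenses are in `skip`) has to be copied by hand from the log lines cargo-deny prints. As an added example that is not part of this thread or of cargo-deny itself, the script below parses the `ERRO unable to determine license with high confidence` lines in the format shown in the first comment and turns them into `[[licenses.ignore]]` stanzas, taking the crate-relative path from the registry's `<name>-<version>/` directory; the function names and the sample log (copied from the output above) are this example's own, and the `skip` entry with the crate's known licenses still has to be written by hand from the crate's metadata.

```python
import re
from collections import defaultdict

# Constructed sample: the two ERRO lines cargo-deny printed in the issue above,
# plus one unrelated line to show that non-matching lines are ignored.
SAMPLE_LOG = """\
Aug 30 19:18:55.244 INFO checking crates, count: 376
 Aug 30 19:18:56.490 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/md5-0.6.1/LICENSE.md,hash=0xa7154852, score: 0.7099567, crate: md5@0.6.1
 Aug 30 19:18:56.490 ERRO unable to determine license with high confidence, src: text=/home/tshepang/.cargo/registry/src/github.com-1ecc6299db9ec823/ring-0.14.6/LICENSE,hash=0xbd0eed23, score: 0.6644706, crate: ring@0.14.6
 Aug 30 19:18:56.490 ERRO encountered 2 license errors
"""

# Matches the log format shown in the issue; assumed stable for this example.
LINE_RE = re.compile(
    r"ERRO unable to determine license with high confidence, "
    r"src: text=(?P<path>[^,]+),hash=(?P<hash>0x[0-9a-fA-F]+), "
    r"score: (?P<score>[0-9.]+), crate: (?P<name>[^@]+)@(?P<version>\S+)"
)


def parse_low_confidence(log):
    """Return one dict per low-confidence license file reported in the log."""
    found = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        name, version, path = m["name"], m["version"], m["path"]
        # The registry unpacks crates into "<name>-<version>/"; the ignore entry
        # wants the license file path relative to that crate root.
        marker = "/%s-%s/" % (name, version)
        idx = path.find(marker)
        rel = path[idx + len(marker):] if idx >= 0 else path
        # Keep the hash exactly as printed so it can be pasted into deny.toml.
        found.append({"name": name, "version": version, "path": rel,
                      "hash": m["hash"], "score": float(m["score"])})
    return found


def render_ignore_entries(entries):
    """Emit one [[licenses.ignore]] stanza per crate, listing all its files."""
    by_crate = defaultdict(list)
    for e in entries:
        by_crate[e["name"]].append(e)
    out = []
    for name in sorted(by_crate):
        files = ",\n".join('    { path = "%s", hash = %s }' % (e["path"], e["hash"])
                           for e in by_crate[name])
        out.append('[[licenses.ignore]]\nname = "%s"\nlicense_files = [\n%s,\n]\n'
                   % (name, files))
    return "\n".join(out)


if __name__ == "__main__":
    print(render_ignore_entries(parse_low_confidence(SAMPLE_LOG)))
```

Re-run `cargo deny check` after pasting the output; a changed hash on a crate upgrade means the license text changed and the file needs to be reviewed again rather than blindly re-pinned.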

@tshepang
Contributor Author

tshepang commented Aug 30, 2019

hmm, rather complex... ended up with this

[licenses]
allow = [
  "Panoptix",
  "Apache-2.0",
  "BSL-1.0",
  "BSD-2-Clause",
  "BSD-2-Clause-FreeBSD",
  "BSD-3-Clause",
  "CC0-1.0", # used only by constant_time_eq
  "ISC",
  "LLVM-exception",
  "MIT",
  "MPL-2.0",
  "Unlicense",
  "Unicode-DFS-2016",
  "Zlib",
]

skip = [
    { name = "ring", licenses = [] },
    { name = "webpki", licenses = [] },
]

[[licenses.ignore]]
name = "rustls"
license_files = [
    { path = "LICENSE", hash = 0xe567c411 },
]

[[licenses.ignore]]
name = "sct"
license_files = [
    { path = "LICENSE", hash = 0xb7619ae7 },
]

[[licenses.ignore]]
name = "crossbeam-channel"
license_files = [
    { path = "LICENSE-THIRD-PARTY", hash = 0xc6242648 },
]

[[licenses.ignore]]
name = "md5"
license_files = [
    { path = "LICENSE.md", hash = 0xa7154852 },
]

[[licenses.ignore]]
name = "ring"
license_files = [
    { path = "LICENSE", hash = 0xbd0eed23 },
]

[[licenses.ignore]]
name = "rlua"
license_files = [
    { path = "LICENSE", hash = 0xe027ffe4 },
]

[[licenses.ignore]]
name = "sqlite"
license_files = [
    { path = "LICENSE.md", hash = 0xc9f05859 },
]

[[licenses.ignore]]
name = "sqlite3-src"
license_files = [
    { path = "LICENSE.md", hash = 0xc880abc2 },
]

[[licenses.ignore]]
name = "sqlite3-sys"
license_files = [
    { path = "LICENSE.md", hash = 0xd3e3f782 },
]

[[licenses.ignore]]
name = "webpki"
license_files = [
    { path = "LICENSE", hash = 0x1c7e6c },
]

@Jake-Shadle
Member

Thanks for posting your config, there are definitely some of the same one in our main project as well, and it reminded me of #23, which will probably end up following a model similar to the proposed change in #18, ie pulling a git repo with information on specific crates. A similar thing could be done with these more complicated license files so that everyone who uses them doesn't have to have an identical config.

@briansmith

FYI: I intend to keep https://github.com/briansmith/ring/blob/main/deny.toml up to date with what's necessary to include ring.
