Nuke openssl and git2 #522

@Jake-Shadle

cargo-deny requires openssl due to its use of git2 for cloning/fetching advisory databases, which is ironic because the original use case we had for cargo-deny was banning openssl from our codebase because it is such a gigantic pain in the ass.

We have 2 options:

  • Use gitoxide to replace git2 and thus get rid of openssl
  • Avoid git altogether and just fetch the advisory database's source tarball. This would work well for the official advisory database on GitHub, but we also have support for custom advisory databases, which complicates that a little bit. Though at the same time I literally don't know if anyone has actually used that feature.

This is somewhat complicated due to the standalone feature, which brings in cargo as a dependency, but it has recently begun experimenting with gitoxide as well, though I'm not sure if everything works without it/openssl. I imagine openssl is still required even if git2 is not used due to the use of curl, but that could at least be a section to tackle separately from git to just completely nuke openssl if one doesn't want it from cargo.

Related: rustsec/rustsec#750

Labels: enhancement