Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update cargo deny #12178

Merged
merged 4 commits into from
Mar 1, 2024
Merged

Update cargo deny #12178

merged 4 commits into from
Mar 1, 2024

Conversation

ameknite
Copy link
Contributor

@ameknite ameknite commented Feb 28, 2024

Objective

Cargo-deny has being updated and now some keys are being deprecated.
Fix these warnings:

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:6:16 │ vulnerability = "deny"
  │ ^^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:7:17 │ unmaintained = "deny"
  │ ^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:9:19 │ notice = "deny"
  │ ^^^^^^

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:13:113 │ unlicensed = "deny"
   │ ^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:14:114 │ copyleft = "deny"
   │ ^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see https://github.com/EmbarkStudios/cargo-deny/pull/611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:15:115 │ default = "deny"
   │ ^^^^^^^

warning[deprecated]: this key has been moved to [graph]
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:1:11 │ all-features = true
  │ ^^^^^^^^^^^^

This also fix ci by temporarily skipping the check for cpal dependencies.
#11917 (comment)

Solution

@TrialDragon TrialDragon added the C-Dependencies A change to the crates that Bevy depends on label Feb 28, 2024
@alice-i-cecile alice-i-cecile added the A-Build-System Related to build systems or continuous integration label Feb 28, 2024
Copy link
Member

@BD103 BD103 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After looking over the relevant documentation and release notes, this looks good. I'm not particularly familiar with cargo-deny, though, so take my review with a grain of salt. :)

(Make sure to follow up with François's review, though.)

exceptions = [
{ name = "unicode-ident", allow = [
"Unicode-DFS-2016",
] },
{ name = "symphonia", allow = [
"MPL-2.0",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO we may just want to make a blanket exception for weak-copyleft licenses like MPL. Any strong-copyleft (i.e. GPL), should remain disallowed due to their virality.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah but: #10544 (comment)

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, my stance is currently "weak-copyleft only in very optional components, and preference to avoid".

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK sounds good to me. If that's the case I think we may just want to only allow it if and only if the crate itself is platform agnostic, which I think Symphonia is (cpal is the platform integration for audio, Symphonia is primarily there to provide encoders/decoders), and to prefer more permissive alternatives where available.

@james7132 james7132 added this pull request to the merge queue Mar 1, 2024
Merged via the queue into bevyengine:main with commit 499c978 Mar 1, 2024
29 checks passed
spectria-limina pushed a commit to spectria-limina/bevy that referenced this pull request Mar 9, 2024
# Objective

Cargo-deny has being updated and now some keys are being deprecated.
Fix these warnings:
<details>

```rs
warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:6:1
  │
6 │ vulnerability = "deny"
  │ ^^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:7:1
  │
7 │ unmaintained = "deny"
  │ ^^^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:9:1
  │
9 │ notice = "deny"
  │ ^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:13:1
   │
13 │ unlicensed = "deny"
   │ ^^^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:14:1
   │
14 │ copyleft = "deny"
   │ ^^^^^^^^

warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details
   ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:15:1
   │
15 │ default = "deny"
   │ ^^^^^^^

warning[deprecated]: this key has been moved to [graph]
  ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:1:1
  │
1 │ all-features = true
  │ ^^^^^^^^^^^^
```
</details>

This also fix ci by temporarily skipping the check for cpal
dependencies.
bevyengine#11917 (comment)



## Solution

- Remove keys deprecated.
- Update the list of licenses allowed. (All these licenses are already
being use for some dependencies)
- Skip cpal dependencies to avoid falining in CI, while we wait for new
releases
bevyengine#11917 (comment)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-Build-System Related to build systems or continuous integration C-Dependencies A change to the crates that Bevy depends on
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants