Add cargo vet for auditing dependencies and SIP #1023
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Radu Matei <radu.matei@fermyon.com>
Signed-off-by: Radu Matei <radu.matei@fermyon.com>
lann
approved these changes
Jan 13, 2023
vdice
reviewed
Jan 17, 2023
Co-authored-by: Vaughn Dice <vaughn.dice@fermyon.com> Signed-off-by: Radu Matei <radu@matei.ai>
vdice
approved these changes
Jan 17, 2023
michelleN
reviewed
Jan 19, 2023
| name: Run Rust audits | ||
| on: | ||
| schedule: | ||
| - cron: '0 0 * * *' |
There was a problem hiding this comment.
Looks like this runs nightly. What happens if an audit fails? Does a github issue get opened up?
There was a problem hiding this comment.
From #1023 (comment)
The main reason it's not on PRs is that we should only trust an audit coming from a maintainer, not from someone submitting a PR.
Ideally, when maintainers would submit a PR, any changes in dependencies would be included in the PR. But that should not be the case with non-maintainers — hence running this every day, and maintainers should ensure the check is passing.
michelleN
approved these changes
Jan 20, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
rendered SIP — https://github.com/radu-matei/spin/blob/cargo-vet/docs/content/sips/009-auditing-third-party-dependencies.md
The main question I have for this PR is: should it be expanded to support
cargo audit, orcargo denyas well?The reason I felt this one should be a SIP is because it involves a new process from maintainers, whereas
cargo auditorcargo deny, while extremely useful, are mostly automated checks.Happy to amend the SIP and include them if we think adding them together makes more sense.
Signed-off-by: Radu Matei radu.matei@fermyon.com