Whitelist rustc dependencies

[mark-i-m]

As per https://internals.rust-lang.org/t/rustc-dependency-policy/6537/8?u=nikomatsakis

cc @alexcrichton @nikomatsakis

[rust-highfive]

r? @alexcrichton

(rust_highfive has picked a reviewer for you, use r? to override)

[mark-i-m]

Hopefully, travis fails because I haven't added any files to the whitelist yet! 😛

[mark-i-m]

Hmmm... It seems that it only runs stage0 tidy? How do I get my tidy to work...

[nikomatsakis]

@mark-i-m travis...isn't failing?

[nikomatsakis]

Any idea why travis seems happy?

[nikomatsakis]

Any idea why travis seems happy?

[nikomatsakis]

👍

[nikomatsakis]

seems like it would be nice if we could report what needs to be added to the whitelist

[mark-i-m]

Ok, it should fail now 🤞

[mark-i-m]

MAKE IT FAILgit statusgit status

Lol, that's what I get for using !!!! in a git commit message...

[mark-i-m]

Hmm... it looks like paths are incorrect...

[mark-i-m]

It looks like a spurious failure... I just want to know what path the Cargo.toml for the argument of tidy is at.

[mark-i-m]

So currently, I'm having path failures. I'm looking for a Cargo.toml in /checkout/src/Cargo.toml and there isn't one... does anyone know the correct place to find it?

[00:05:02] * 534 error codes
[00:05:02] * highest error code: E0908
[00:05:02] * 175 features
[00:05:02] Getting metadata from "/checkout/src/Cargo.toml"
[00:05:02] thread 'main' panicked at 'Unable to run `cargo metadata`: Os { code: 2, kind: NotFound, message: "No such file or directory" }', libcore/result.rs:945:5
[00:05:02] note: Run with `RUST_BACKTRACE=1` for a backtrace.
[00:05:02] 
[00:05:02] 
[00:05:02] command did not execute successfully: "/checkout/obj/build/x86_64-unknown-linux-gnu/stage0-tools-bin/tidy" "/checkout/src" "--no-vendor" "--quiet"
[00:05:02] expected success, got: exit code: 101
[00:05:02] 
[00:05:02] 
[00:05:02] failed to run: /checkout/obj/build/bootstrap/debug/bootstrap test src/tools/tidy
[00:05:02] Build completed unsuccessfully in 0:01:57
[00:05:02] Makefile:74: recipe for target 'tidy' failed
[00:05:02] make: *** [tidy] Error 1

[alexcrichton]

@mark-i-m that looks like it's perhaps failing to spawn cargo rather than failing to find Cargo.toml? By default I believe cargo isn't in PATH so rustbuild may need to pass the path to cargo down to the tidy script.

[mark-i-m]

Ok, it seems to be working 🎉

There are currently two variables which need to be hardcoded into tidy, though:

• The set of crates whose dependencies we want to check (currently those corresponding to the compiler)
• The whitelist itself

So we have a choice:

• It is conceivable that we want to have different whitelists for rustc, libstd, tooling, books, etc... In that case, maybe those variables shouldn't be hardcoded into tidy but passed in from somewhere else.
• The simple solution for now is to just hardcode into tidy the whitelist for rustc and always check the 'librustc*' and 'libsyntax*' crates.

[alexcrichton]

Looking good! I think it's fine to hardcode the crates to check and whitelist in the code itself. For the crates to check you can probably just probe the entire dependency graph for dependencies from crates.io starting from rustc and rustc_trans.

[alexcrichton]

Looking good! I think it's fine to hardcode the crates to check and whitelist in the code itself. For the crates to check you can probably just probe the entire dependency graph for dependencies from crates.io starting from rustc and rustc_trans.

[alexcrichton]

Hm if these aren't used, are they needed? I think serde should ignore unused fields by default?

[mark-i-m]

Hmm... When I tried that it was giving me deserialization errors. I will take another look.

[alexcrichton]

I think it's probably ok to only check the name of the dependency and not worry about the version for now, upgrading across major versions and such tends to not bring in too large of a change at least!

[mark-i-m]

I argue that it's important for security purposes to whitelist exact versions and to vet those versions before before upgrading in any way.

[alexcrichton]

Oh sure yeah, but I think we'll want to consider this further down the road. If we were to lock down all the versions of everything it'd cause I think picking up deps from crates.io to be too painful (or otherwise routine updates)

[mark-i-m]

I think this is part of the downside of having a super-awesome dependency system: it becomes easy to have too many dependencies. Argue that that makes code quality, security, and build times all worse.

[alexcrichton]

Sure but I think it's also best to do this incrementally rather than all at once, can this switch to just verifying the names through a whitelist?

[mark-i-m]

I can if you would like, but I would really like not to. I feel like adding a bit of friction to adding and updating dependencies would be healthy; in this case, you would need to update WHITELIST. We can later have an RFC to potentially add more restrictions to PRs that change WHITELIST... I see that as an incremental approach as well (we add a mechanism, then add policy through an RFC).

[mark-i-m]

@alexcrichton Ok, so I am now only checking the dependencies of rustc and rustc_trans. (I will uncomment the whitelist when the build fails). I designed the Crate type so that we can easily turn on/off version checking, as you choose.

[alexcrichton]

Could this get removed? If not, how come?

[mark-i-m]

done

[alexcrichton]

Perhaps this could be passed around as &mut BTreeSet<Crate<'a>>?

[mark-i-m]

done

[alexcrichton]

Can this please remove the version checking as well? That happens anyway when Cargo.lock changes and is reviewed. The purpose of this feature is to prevent accidental inclusion of extra crates from crates.io or otherwise alert ourselves to new dependencies.

[mark-i-m]

@alexcrichton done 👍

Let me know what you think :)

[mark-i-m]

I will uncomment the whitelist itself when the build fails...

[mark-i-m]

Ok, I uncommented the whitelist.

[alexcrichton]

Looks good to me!

I think a few more deps may need to be added though?

[mark-i-m]

Oh, hmm... I wonder how that happened 😖

Fixed 👍

[alexcrichton]

Looks like another crate is missing? Although I don't know how core got in there...

[mark-i-m]

Hmm... different versions of a crate may have different dependencies... I think this should be fixed now.

Once again, I will wait for build failure and then enable the whitelist.

[mark-i-m]

@alexcrichton Hmm... I tried rebasing on the latest master, but I didn't get any conflicts locally. Do you know what's going on here?

[alexcrichton]

Ah yeah sometimes bors is not so good at merges...

@bors: r+

[bors]

📌 Commit e5d2920 has been approved by alexcrichton

[bors]

⌛️ Testing commit e5d2920 with merge 1733a61...

[bors]

💔 Test failed - status-appveyor

[alexcrichton]

All dist jobs passed, merging manually

• Travis
• AppVeyor