Forbid git dependencies outside of github.com/servo/ ?

[SimonSapin]

Last week, all builds of Servo started failing because the commit we were using in one of our git dependencies had been removed: #25591

To avoid that situation, we sometimes prefer forking a git repository into the servo org (where we control which branches are removed or not) and using that instead as a dependency. Should we make that a policy and enforce it?

./mach test-tidy already parses Cargo.toml and looks at the source of each package in the dependency graph. We could make it fail if any source is used other crates.io or git repositories under https://github.com/servo/

These are the repositories we would need to fork before doing that:

git+https://github.com/MeFisto94/backtrace-rs?branch=fix-strtab-freeing-crash
git+https://github.com/energymon/energymon-rust.git
git+https://github.com/energymon/energymon-sys.git
git+https://github.com/kvark/peek-poke?rev=969bd7fe2be1a83f87916dc8b388c63cfd457075
git+https://github.com/jrmuizel/raqote
git+https://github.com/pcwalton/signpost.git
git+https://github.com/pcwalton/surfman?branch=multi
git+https://github.com/asajeffrey/surfman-chains?branch=multi
git+https://github.com/gfx-rs/wgpu

[atouchet]

Many of these are gone now. The remaining external git dependencies are:

https://github.com/gfx-rs/naga
https://github.com/pcwalton/signpost
https://github.com/asajeffrey/surfman-chains
https://github.com/gfx-rs/wgpu

I think it would make more sense to just get these dependencies to release new versions on crates.io and use those rather than forking them in the servo org.