The `ring` crate needed to be exempted: it contains a large quantity of asm and native binary implementations of crypto primitives. It is a major undertaking to certify the safety of those implementations. ring also pulled in the wasm-bindgen family of crates for its wasm32-unknown-unknown target, which this project will not be using. Because we don't care about that platform, I added exemptions for all of these crates, so we don't have to audit them. The actual supply chain audits for rusttls, rustls-webpki, sct, and tokio-rustls were unremarkable. I also audited a small diff on wasm-bindgen-shared because it was trivial.
This commit is contained in:
Pat Hickey
@@ -32,6 +32,12 @@ criteria = "safe-to-deploy"
|
||||
version = "0.2.2"
|
||||
notes = "Inspected it and is a tiny crate with just type definitions"
|
||||
|
||||
[[audits.embark-studios.audits.webpki-roots]]
|
||||
who = "Johan Andersson <opensource@embark-studios.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.22.4"
|
||||
notes = "Inspected it to confirm that it only contains data definitions and no runtime code"
|
||||
|
||||
[[audits.google.audits.libfuzzer-sys]]
|
||||
who = "ChromeOS"
|
||||
criteria = "safe-to-run"
|
||||
@@ -71,6 +77,16 @@ who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.4.1"
|
||||
|
||||
[[audits.isrg.audits.untrusted]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.7.1"
|
||||
|
||||
[[audits.isrg.audits.wasm-bindgen-shared]]
|
||||
who = "David Cook <dcook@divviup.org>"
|
||||
criteria = "safe-to-deploy"
|
||||
version = "0.2.83"
|
||||
|
||||
[[audits.mozilla.audits.autocfg]]
|
||||
who = "Josh Stone <jistone@redhat.com>"
|
||||
criteria = "safe-to-deploy"
|
||||
|
||||
Reference in New Issue
Block a user