Add cargo vet configuration

Since we only target Linux x86_64 machines, I ignored all the obvious
Windows/WASM/Redox dependencies. In the future it seems like we should
be able to set an explicit target for this (mozilla/cargo-vet#63).

We import the Firefox audits to help reduce review load; the SecureDrop
security model relies on Firefox already via Tor Browser.

Refs #6500

supply-chain/audits.toml

@@ -0,0 +1,14 @@
+
+# cargo-vet audits file
+
+[[audits.libc]]
+who = "Kunal Mehta <legoktm@debian.org>"
+criteria = "safe-to-deploy"
+version = "0.2.126"
+notes = "Managed by Rust project"
+
+[[audits.rustversion]]
+who = "Kunal Mehta <legoktm@debian.org>"
+criteria = "safe-to-deploy"
+delta = "1.0.9 -> 1.0.11"
+

supply-chain/config.toml

@@ -0,0 +1,61 @@
+
+# cargo-vet config file
+
+[imports.firefox]
+url = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml"
+
+[policy.js-sys]
+criteria = []
+notes = "WASM-only"
+
+[policy.redox_syscall]
+criteria = []
+notes = "Redox OS-only"
+
+[policy.redox_users]
+criteria = []
+notes = "Redox OS-only"
+
+[policy.redwood]
+audit-as-crates-io = false
+
+[policy.wasi]
+criteria = []
+notes = "WASM-only"
+
+[policy.wasm-bindgen]
+criteria = []
+notes = "WASM-only"
+
+[policy.winapi]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows-sys]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_aarch64_gnullvm]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_aarch64_msvc]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_i686_gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_x86_64_gnu]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_x86_64_gnullvm]
+criteria = []
+notes = "Windows-only"
+
+[policy.windows_x86_64_msvc]
+criteria = []
+notes = "Windows-only"
+