Imported audits may change imports.lock each time cargo vet is run
#272
Comments
Delaying fetching audits until there is a failure may not be the best option as there are also violations which can be recorded, and someone running I'm not sure how much I like this approach, as it means that the imports can be quite out-of-date in some cases, and that updates are somewhat arbitrary, and relate more to what specific commands the person doing a local cargo update happens to run (e.g. whether they run Something like this might work best if it was instead that when running Definitely opens some interesting questions about which commands would work off of what version of the universe, and whether they should be allowed to trigger an update.
This could potentially be something with the current approach which we take to importing remote audits (where they're extracted and stored locally in a toml file), though is somewhat counter to the approach which we have been taking in #238,#261 which are trying to preserve the verbatim remote sources to report errors etc. directly against the source line numbers. Perhaps we could work around that by only doing that when running an unlocked import (by fetching the remote sources), and not get nice errors when running a locked version which depends on If we were to do this, we'd probably need to have commands like If we decide to go this approach, we probably shouldn't merge #261 as-is, as we don't actually want to preserve imported files 1:1 with upstream in @Gankra How reasonably can we actually determine which remote audits we depend on for a |
|
I'm persuaded that it would be valuable to only cache the imports that are actually used. This would substantially reduce incidental noise in a world where people were pumping out lots of audits and make it trivial to inspect the actual trust points. Non-CI runs will already need to re-fetch everything (since we'll want to ensure that the cache isn't stale), so we can use those full copies for error reporting. |
|
That sounds like a reasonable solution with only importing and storing what is used. We (Embark) recently moved our initial audits to a shared public file as well and also import from Firefox and Bytecode Alliance, so 3 imports in total which does even now early on add up to quite a bit of additions on on runs and including lots of crates we do not actually use in many projects (but some we do, hence the import). |
|
This should be better now with #296. The next time you run after the update, audits you're not using should disappear, and new audits should (generally) only be imported for a package when they are needed. |
In the future we want `cargo vet` to be used by
`third_party/rust/PRESUBMIT.py` and when used in this mode, we want
`cargo vet` to be somewhat hermetic. This CL helps with that by
ensuring that `--locked --frozen` switches work when used as follows:
```
$ tools/crates/run_cargo_vet.py check \
--locked --frozen \
--no-minimize-exemptions --no-registry-suggestions \
--output-format=json
{
"conclusion": "success",
"vetted_fully": [
{
"name": "aho-corasick",
"version": "1.1.2"
},
...
```
The CL achieves the above by:
* Reintroducing a pre-populated `imports.lock` file.
- Having this in the repo means that code reviews will explicitly
include information about newly imported audits.
- Note that (per mozilla/cargo-vet#272)
`imports.lock` should hopefully see minimal churn, because it
should only cover imports that are actually used.
- In a sense, this CL reverts/reconsiders `imports.lock`-related parts
of https://crrev.com/c/5368308
* Tweaking `vet_config.toml.hbs` to produce `config.toml` with the exact
formatting expected by `cargo vet`.
- This has some downsides - e.g. we loose the
'@generated by tools/crates/gnrt vendor. Do not edit.' comment.
- This is necessary because even formatting-only discrepancies trigger
an error in `--locked` mode: "A file in the store is not correctly
formatted [...] run `cargo vet` without --locked to reformat files
in the store"
- This is somewhat related to
mozilla/cargo-vet#589
- In a sense, this CL makes obsolete the `config.toml`-related parts
of https://crrev.com/c/5368308. OTOH, detecting changes to
`config.toml` (including a comments-only change) is not harmful, so
let's leave the detection logic in place (in `run_cargo_vet.py).
Bug: 41494083
Change-Id: Ia5967fa8e8b13b885f703810ef84c5d79030dfae
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5368743
Reviewed-by: danakj <danakj@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1275813}
After a discussion with Wasmtime folks and @bholley yesterday about using
cargo vetin the Bytecode Alliance, specifically the Wasmtime project, it sounded like we would likely want to get into a situation where audits are imported from Firefox (and perhaps vice-versa one day). In doing so though it sounded like each timecargo vetis run locally by Wasmtime contributors that theimports.lockwould continue to grow with the audits added to Firefox.One situation that we were worried about was where a contributor sends a PR with changes to
imports.lock, presumably imported from Firefox. When checking this locally to verify thatimports.lockdoesn't change for us it sounded likeimports.lockcould indeed change if Firefox added more audits relative to when the contributor themsleves rancargo vet. I believe this was becauseimports.locklargely copied theaudits.tomlfrom imported files without filter for what was actually used. This felt surprising because we would not be able to guarantee locally that runningcargo vetwouldn't actually change theimports.lockfile if the contributor had correctly runcargo vetto import an audit from Firefox.Two possible ideas we thought might mitigate this were:
audits.tomlfrom improted sources could be delayed until there's an actual audit failure. This still sort of runs the issue of something needs to check thatimports.lockis indeed contained in the remoteaudits.tomlimports.lockcould be filtered to a subset of imported audits which apply to the crates in the local dependency graph. This way so long as Firefox doesn't remove audits for example no matter what new crates were added we'd still generate the sameimports.locklocally.The text was updated successfully, but these errors were encountered: