Whitelist rustc dependencies #48456
Whitelist rustc dependencies #48456
Conversation
|
(rust_highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
Hopefully, travis fails because I haven't added any files to the whitelist yet! 😛 |
|
Hmmm... It seems that it only runs stage0 tidy? How do I get my tidy to work... |
|
@mark-i-m travis...isn't failing? |
| saw_dir = true; | ||
| let dir = t!(dir); | ||
|
|
||
| // skip our exceptions | ||
| for exception in EXCEPTIONS { | ||
| if dir.path() | ||
| if EXCEPTIONS.iter().any(|exception| { |
src/tools/tidy/src/deps.rs
Outdated
| }| { | ||
| WHITELIST | ||
| .iter() | ||
| .all(|&(wname, wversion)| name != wname || version != wversion) |
There was a problem hiding this comment.
seems like it would be nice if we could report what needs to be added to the whitelist
|
Ok, it should fail now 🤞 |
Lol, that's what I get for using |
|
Hmm... it looks like paths are incorrect... |
|
It looks like a spurious failure... I just want to know what path the |
|
So currently, I'm having path failures. I'm looking for a |
kennytm
added
S-waiting-on-author
|
@mark-i-m that looks like it's perhaps failing to spawn |
|
Ok, it seems to be working 🎉 There are currently two variables which need to be hardcoded into tidy, though:
So we have a choice:
|
src/tools/tidy/src/deps.rs
Outdated
| #[allow(dead_code)] manifest_path: String, | ||
| } | ||
|
|
||
| // Not used, but needed to not confuse serde :P |
There was a problem hiding this comment.
Hm if these aren't used, are they needed? I think serde should ignore unused fields by default?
There was a problem hiding this comment.
Hmm... When I tried that it was giving me deserialization errors. I will take another look.
src/tools/tidy/src/deps.rs
Outdated
|
|
||
| // Whitelist of crates rustc is allowed to depend on. Avoid adding to the list if possible. | ||
| static WHITELIST: &'static [(&'static str, &'static str)] = &[ | ||
| // ("advapi32-sys", "0.2.0"), |
There was a problem hiding this comment.
I think it's probably ok to only check the name of the dependency and not worry about the version for now, upgrading across major versions and such tends to not bring in too large of a change at least!
There was a problem hiding this comment.
I argue that it's important for security purposes to whitelist exact versions and to vet those versions before before upgrading in any way.
There was a problem hiding this comment.
Oh sure yeah, but I think we'll want to consider this further down the road. If we were to lock down all the versions of everything it'd cause I think picking up deps from crates.io to be too painful (or otherwise routine updates)
There was a problem hiding this comment.
I think this is part of the downside of having a super-awesome dependency system: it becomes easy to have too many dependencies. Argue that that makes code quality, security, and build times all worse.
There was a problem hiding this comment.
Sure but I think it's also best to do this incrementally rather than all at once, can this switch to just verifying the names through a whitelist?
There was a problem hiding this comment.
I can if you would like, but I would really like not to. I feel like adding a bit of friction to adding and updating dependencies would be healthy; in this case, you would need to update WHITELIST. We can later have an RFC to potentially add more restrictions to PRs that change WHITELIST... I see that as an incremental approach as well (we add a mechanism, then add policy through an RFC).
|
@alexcrichton Ok, so I am now only checking the dependencies of |
src/tools/tidy/src/deps.rs
Outdated
| resolve: Resolve, | ||
|
|
||
| // Not used, but needed to not confuse serde :P | ||
| #[allow(dead_code)] packages: Vec<Package>, |
There was a problem hiding this comment.
Could this get removed? If not, how come?
src/tools/tidy/src/deps.rs
Outdated
| unapproved.append(&mut bad); | ||
| } | ||
|
|
||
| // Remove duplicates |
There was a problem hiding this comment.
Perhaps this could be passed around as &mut BTreeSet<Crate<'a>>?
|
Can this please remove the version checking as well? That happens anyway when |
|
@alexcrichton done 👍 Let me know what you think :) |
|
I will uncomment the whitelist itself when the build fails... |
|
Ok, I uncommented the whitelist. |
mark-i-m
changed the title
|
Looks good to me! I think a few more deps may need to be added though? |
|
Oh, hmm... I wonder how that happened 😖 Fixed 👍 |
|
Looks like another crate is missing? Although I don't know how core got in there... |
|
Hmm... different versions of a crate may have different dependencies... I think this should be fixed now. Once again, I will wait for build failure and then enable the whitelist. |
|
@alexcrichton Hmm... I tried rebasing on the latest master, but I didn't get any conflicts locally. Do you know what's going on here? |
|
Ah yeah sometimes bors is not so good at merges... @bors: r+ |
|
📌 Commit e5d2920 has been approved by |
bors
added
S-waiting-on-bors
Whitelist rustc dependencies As per https://internals.rust-lang.org/t/rustc-dependency-policy/6537/8?u=nikomatsakis cc @alexcrichton @nikomatsakis
|
💔 Test failed - status-appveyor |
bors
added
S-waiting-on-review
As per https://internals.rust-lang.org/t/rustc-dependency-policy/6537/8?u=nikomatsakis
cc @alexcrichton @nikomatsakis