This repository has been archived by the owner on Dec 17, 2024. It is now read-only.

Incorporate cargo-deny into build #32

Open
tuommaki opened this issue Jan 12, 2024 · 2 comments

Comments

@tuommaki
Contributor

Incorporate cargo-deny into our build to

  • Verify dependency licenses.
  • Check for vulnerable dependencies.
@distributedstatemachine

I want to pick this up and I'm not sure where the builds happen, or if the CD system is external. However, it's currently failing on some licenses. Do you want to use the default deny.toml, or do you have bespoke criteria?

Here is the current output of cargo-deny check

@tuommaki
Contributor Author

where the builds happens

We use GitHub Actions as our CI platform. Right now, we are finishing the implementation of the first devnet version of the node and the work takes place in the proto branch.

Do you want to use the default deny.toml , or do you have bespoke criteria ?

We do have the following criteria:

  • Our code is dual-licensed with MIT and Apache 2, therefore all our dependencies must be compatible with this.
  • Vulnerability checks must be strict.

Due to the nature of these topics, it is critical that this configuration is correct, and as I'm responsible for it, I need to fully understand the configuration myself. I don't have time to go through all the cargo-deny documentation right now and therefore I will not merge any external PRs related to this, but if you want to help nonetheless, you can submit a preliminary version of the configuration and I'll go through it later when possible.
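As an added illustration (not a file from this repository or from either commenter), here is a deny.toml shaped around the two criteria stated above: an explicit license allow-list compatible with MIT/Apache-2.0 dual licensing, and advisory checking that fails the build on any vulnerability or yanked crate. It uses the cargo-deny `version = 2` config schema; the exact set of permissive licenses to allow beyond MIT and Apache-2.0 is an assumption and should be reviewed by the maintainer.

```toml
# deny.toml -- added example, not the project's own configuration.
# Run with `cargo deny check` (or per check: `cargo deny check licenses`).

[advisories]
# Schema version 2: every RUSTSEC vulnerability is an error; there is no
# "warn" mode, which matches the "strict vulnerability checks" requirement.
version = 2
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
# Crates yanked from the registry are also treated as a hard failure.
yanked = "deny"
# Temporary waivers go here with an id and a written reason so that every
# accepted advisory is visible in code review. Constructed placeholder:
ignore = [
    # { id = "RUSTSEC-XXXX-YYYY", reason = "placeholder: no waivers yet" },
]

[licenses]
# Schema version 2: any crate whose license is not in `allow` is an error,
# including unlicensed crates.
version = 2
# Assumption: permissive licenses commonly treated as compatible with an
# MIT OR Apache-2.0 project. Extend only after reviewing each license text.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
]
# Minimum confidence for cargo-deny's license-text detection (0.0 to 1.0).
confidence-threshold = 0.8
# Per-crate exceptions are explicit and reviewable. Constructed placeholder:
exceptions = [
    # { allow = ["Unicode-DFS-2016"], crate = "example-crate-placeholder" },
]

[bans]
# Duplicate versions are noise rather than a security issue; just warn.
multiple-versions = "warn"
# Unpinned `*` dependency versions are rejected.
wildcards = "deny"

[sources]
# Only crates.io is a trusted source; unknown registries or git URLs fail.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

In GitHub Actions the same check can be run on every push and pull request with the EmbarkStudios/cargo-deny-action workflow step, or simply `cargo install cargo-deny && cargo deny check`.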
