timsaucer opened a new issue, #7648:
URL: https://github.com/apache/arrow-rs/issues/7648
**Is your feature request related to a problem or challenge? Please describe
what you are trying to do.**
In some downstream projects we are using `cargo deny` to limit the number of
dependencies and to verify we do not have security vulnerabilities. It would be
nice to add a configuration file to this repo and to work through issues that
exist when you run it.
**Describe the solution you'd like**
- Add `deny.toml` to this repository
- Add `cargo deny` check to CI
- Update all upstream repositories with PRs to bring dependencies up to date
so we can remove duplicates
**Describe alternatives you've considered**
Leave as is and let downstream repos handle issues
**Additional context**
During my testing I found I needed to make updates to the following upstream
repositories to remove duplicates:
- `const-random-macro`
- `phf_generator`
- `ring`
- `object_store`
- `tracing`, `tracing-core`, and `tracing-subscriber`
- `lz4_flex`
- `tonic`
My plan is to open PRs for each of these repos with the updates needed and
to post those PRs into this issue. Once all are closed we should have a very
clean build. The one I didn't try to tackle was `windows-sys` because it was
different in at least three different trees that would need updating and this
is already a fair amount of work.
Here is an example `deny.toml` we could include:
```toml
[graph]
targets = [
    { triple = "aarch64-apple-darwin" },
    { triple = "i686-pc-windows-gnu" },
    { triple = "i686-pc-windows-msvc" },
    { triple = "i686-unknown-linux-gnu" },
    { triple = "wasm32-unknown-unknown" },
    { triple = "x86_64-apple-darwin" },
    { triple = "x86_64-pc-windows-gnu" },
    { triple = "x86_64-pc-windows-msvc" },
    { triple = "x86_64-unknown-linux-gnu" },
    { triple = "x86_64-unknown-linux-musl" },
    { triple = "x86_64-unknown-redox" },
]
all-features = true

[advisories]
version = 2
ignore = [
    "RUSTSEC-2024-0436", # https://rustsec.org/advisories/RUSTSEC-2024-0436 - paste is unmaintained - https://github.com/dtolnay/paste
]

[bans]
multiple-versions = "deny"
wildcards = "allow" # We use them for examples
deny = [
]
skip = [
]
skip-tree = [
    { name = "windows-sys" },
]

[licenses]
version = 2
private = { ignore = true }
confidence-threshold = 0.93 # We want really high confidence when inferring licenses from text
allow = [
    "Apache-2.0 WITH LLVM-exception", # https://spdx.org/licenses/LLVM-exception.html
    "Apache-2.0", # https://tldrlegal.com/license/apache-license-2.0-(apache-2.0)
    "BSD-2-Clause", # https://tldrlegal.com/license/bsd-2-clause-license-(freebsd)
    "BSD-3-Clause", # https://tldrlegal.com/license/bsd-3-clause-license-(revised)
    "BSL-1.0", # https://tldrlegal.com/license/boost-software-license-1.0-explained
    "CC0-1.0", # https://creativecommons.org/publicdomain/zero/1.0/
    "CDLA-Permissive-2.0", # https://cdla.dev/permissive-2-0/
    "ISC", # https://www.tldrlegal.com/license/isc-license
    "MIT", # https://tldrlegal.com/license/mit-license
    "Unicode-3.0", # https://www.unicode.org/license.txt
    "Zlib", # https://tldrlegal.com/license/zlib-libpng-license-(zlib)
]
exceptions = []

[sources]
unknown-registry = "deny"
unknown-git = "deny"
```
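As an added illustration (not code from the issue or from arrow-rs): a small Python script that lists crates present at more than one version in a `Cargo.lock`, which is the condition `multiple-versions = "deny"` rejects, and that honours a skip set playing the role of the `skip-tree` entry for `windows-sys`. The lock file excerpt is constructed and its version numbers are illustrative.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt (not arrow-rs's real lock file);
# crate versions are illustrative only.
SAMPLE_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "lz4_flex"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "lz4_flex"
version = "0.11.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "windows-sys"
version = "0.52.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "windows-sys"
version = "0.59.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "arrow"
version = "55.1.0"
"""

def parse_packages(lock_text):
    """Map crate name -> set of versions from the [[package]] tables."""
    versions = defaultdict(set)
    name = None
    for line in lock_text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            name = None  # new table: forget the previous crate name
        elif (m := re.fullmatch(r'name = "([^"]+)"', line)):
            name = m.group(1)
        elif (m := re.fullmatch(r'version = "([^"]+)"', line)) and name:
            versions[name].add(m.group(1))  # top-level `version = 4` is skipped
    return versions

def duplicate_versions(lock_text, skip=()):
    """Crates locked at more than one version, minus names in `skip`
    (the same carve-out as [bans].skip-tree in deny.toml)."""
    return {name: sorted(vs) for name, vs in parse_packages(lock_text).items()
            if len(vs) > 1 and name not in skip}

if __name__ == "__main__":
    for name, vs in sorted(duplicate_versions(SAMPLE_LOCK, skip={"windows-sys"}).items()):
        print(f"{name}: {', '.join(vs)}")  # prints "lz4_flex: 0.10.0, 0.11.3"
```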
--
This is an automated message from the Apache Git Service.