From 98c04c74308bab7c2f16c60970c3fb898c2f1a70 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 25 Sep 2024 19:52:04 +0000
Subject: [PATCH 1/8] depends: Update Rust to 1.81.0

Also removes an outdated email from `Cargo.toml`
---
 Cargo.toml | 4 ++--
 depends/packages/native_rust.mk | 18 +++++++++---------
 rust-toolchain.toml | 2 +-
 3 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index f770d59fbc1..a992615d4e8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,14 +12,14 @@ authors = [
 "Kris Nuttycombe ",
 "Greg Pfeil",
 "Larry Ruane ",
- "Steven Smith "
+ "Steven Smith",
 ]
 homepage = "https://github.com/zcash/zcash"
 repository = "https://github.com/zcash/zcash"
 readme = "README.md"
 license = "MIT OR Apache-2.0"
 edition = "2018"
-rust-version = "1.80"
+rust-version = "1.81"
 
 [package.metadata.vet]
 store = { path = "./qa/supply-chain" }
diff --git a/depends/packages/native_rust.mk b/depends/packages/native_rust.mk
index 310aa2d3ee0..05680435f68 100644
--- a/depends/packages/native_rust.mk
+++ b/depends/packages/native_rust.mk
@@ -3,16 +3,16 @@ package=native_rust
 # ./contrib/devtools/update-rust-hashes.sh
 # The Rust compiler should use the same LLVM version as the Clang compiler; you
 # can check this with `rustc --version -v`.
-$(package)_version=1.80.1
+$(package)_version=1.81.0
 $(package)_download_path=https://static.rust-lang.org/dist
 $(package)_file_name_linux=rust-$($(package)_version)-x86_64-unknown-linux-gnu.tar.gz
-$(package)_sha256_hash_linux=9eedaea9719914a0f4673899aa11693607f25486569913fcca5905ef1da784ec
+$(package)_sha256_hash_linux=4ca7c24e573dae2f382d8d266babfddc307155e1a0a4025f3bc11db58a6cab3e
 $(package)_file_name_darwin=rust-$($(package)_version)-x86_64-apple-darwin.tar.gz
-$(package)_sha256_hash_darwin=4fcc0dad8b47066e13877e2839760ef1f40754a90a8fe83ecd4a1f14bf63c71a
+$(package)_sha256_hash_darwin=f74d8ad24cc3cbfb825da98a08d98319565e4d18ec2c3e9503bf0a33c81ba767
 $(package)_file_name_freebsd=rust-$($(package)_version)-x86_64-unknown-freebsd.tar.gz
-$(package)_sha256_hash_freebsd=d7f4f66c3cc97616bcd37d9f63ed14c3c22c72a467f308453df2f1b128ffe0bc
+$(package)_sha256_hash_freebsd=b96ebbc043058eedebccd20f1d01e64f2241107665fe2336e6927966d8b9d8d3
 $(package)_file_name_aarch64_linux=rust-$($(package)_version)-aarch64-unknown-linux-gnu.tar.gz
-$(package)_sha256_hash_aarch64_linux=4ae791da82be6e7223f4f6cd477799624481aa1011e17c37753a57d257f89198
+$(package)_sha256_hash_aarch64_linux=ef4da9c1ecd56bbbb36f42793524cce3062e6a823ae22cb679a945c075c7755b
 
 # Mapping from GCC canonical hosts to Rust targets
 # If a mapping is not present, we assume they are identical, unless $host_os is
@@ -21,10 +21,10 @@ $(package)_rust_target_x86_64-pc-linux-gnu=x86_64-unknown-linux-gnu
 $(package)_rust_target_x86_64-w64-mingw32=x86_64-pc-windows-gnu
 
 # Mapping from Rust targets to SHA-256 hashes
-$(package)_rust_std_sha256_hash_aarch64-unknown-linux-gnu=2465f0df2ee35d32bd9690e05dd84d9c38bf81e8a5e9fd940d7347b66447c97f
-$(package)_rust_std_sha256_hash_x86_64-apple-darwin=8fe1bd5ac9fb8741d3049b753a6eabec0e88d9c2c0276fdff34f868b35edda41
-$(package)_rust_std_sha256_hash_x86_64-pc-windows-gnu=4fb82d57b0422ad31894529d3b45f84c41dec92009e643aa66fc4f418178b475
-$(package)_rust_std_sha256_hash_x86_64-unknown-freebsd=b293f4ad4baa7298b2ccff0da3224b1e9bb64e34d5d1158d0a03fea37adb0402
+$(package)_rust_std_sha256_hash_aarch64-unknown-linux-gnu=234673e33b7a523818a81dc233ba636ffc5e4c94b9766f12e19a63c985ed7d21
+$(package)_rust_std_sha256_hash_x86_64-apple-darwin=ce8ad1cf2c5a7948a8f468025a5985a5249ba2fdf3303ef753170904451b4fa4
+$(package)_rust_std_sha256_hash_x86_64-pc-windows-gnu=08fdb3e632bd0571e2a41f728147ea20a6e2fb193836abb56c541178796f580d
+$(package)_rust_std_sha256_hash_x86_64-unknown-freebsd=9dbff8d29bd32bab0c68a2cda0fb38059cca6fbd962a8f243400388c104cb225
 
 define rust_target
 $(if $($(1)_rust_target_$(2)),$($(1)_rust_target_$(2)),$(if $(findstring darwin,$(3)),x86_64-apple-darwin,$(if $(findstring freebsd,$(3)),x86_64-unknown-freebsd,$(2))))
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
index e17bbf13ea4..251f956ffda 100644
--- a/rust-toolchain.toml
+++ b/rust-toolchain.toml
@@ -1,3 +1,3 @@
 [toolchain]
-channel = "1.80.0"
+channel = "1.81.0"
 components = ["clippy", "rustfmt"]

From fcc271ee940e5f929113012b4d010b0a840cbe83 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 25 Sep 2024 20:20:24 +0000
Subject: [PATCH 2/8] depends: native_cmake 3.30.3

---
 depends/packages/native_cmake.mk | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/depends/packages/native_cmake.mk b/depends/packages/native_cmake.mk
index 3f1cba2b54e..54fb9cb5453 100644
--- a/depends/packages/native_cmake.mk +++ b/depends/packages/native_cmake.mk @@ -1,8 +1,8 @@ package=native_cmake -$(package)_version=3.30.2 +$(package)_version=3.30.3 $(package)_download_path=https://github.com/Kitware/CMake/releases/download/v$($(package)_version) $(package)_file_name=cmake-$($(package)_version).tar.gz -$(package)_sha256_hash=46074c781eccebc433e98f0bbfa265ca3fd4381f245ca3b140e7711531d60db2 +$(package)_sha256_hash=6d5de15b6715091df7f5441007425264bdd477809f80333fdf95f846aaff88e4 define $(package)_set_vars $(package)_config_opts += -DCMAKE_BUILD_TYPE:STRING=Release From ab4ac589072a816349c7632e0f6e544d819f193f Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Wed, 25 Sep 2024 22:14:39 +0000 Subject: [PATCH 3/8] depends: cxx 1.0.128 --- Cargo.lock | 12 ++-- Cargo.toml | 2 +- depends/packages/native_cxxbridge.mk | 6 +- depends/patches/native_cxxbridge/Cargo.lock | 80 ++++++++++----------- qa/supply-chain/audits.toml | 14 ++++ qa/supply-chain/imports.lock | 6 ++ 6 files changed, 70 insertions(+), 50 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8a784dd7bef..4efa28ef2e0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -471,9 +471,9 @@ dependencies = [ [[package]] name = "cxx" -version = "1.0.126" +version = "1.0.128" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3c4eae4b7fc8dcb0032eb3b1beee46b38d371cdeaf2d0c64b9944f6f69ad7755" +checksum = "54ccead7d199d584d139148b04b4a368d1ec7556a1d9ea2548febb1b9d49f9a4" dependencies = [ "cc", "cxxbridge-flags", 
@@ -483,15 +483,15 @@ dependencies = [ [[package]] name = "cxxbridge-flags" -version = "1.0.126" +version = "1.0.128" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "719d6197dc016c88744aff3c0d0340a01ecce12e8939fc282e7c8f583ee64bc6" +checksum = "65777e06cc48f0cb0152024c77d6cf9e4bdb4408e7b48bea993d42fa0f5b02b6" [[package]] name = "cxxbridge-macro" -version = "1.0.126" +version = "1.0.128" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "35de3b547387863c8f82013c4f79f1c2162edee956383e4089e1d04c18c4f16c" +checksum = "98532a60dedaebc4848cb2cba5023337cc9ea3af16a5b062633fabfd9f18fb60" dependencies = [ "proc-macro2", "quote", diff --git a/Cargo.toml b/Cargo.toml index a992615d4e8..b1c17b25cb7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -72,7 +72,7 @@ wagyu-zcash-parameters = "0.2" # Rust/C++ interop # The version needs to match depends/packages/native_cxxbridge.mk -cxx = { version = "=1.0.126", features = ["c++17"] } +cxx = { version = "=1.0.128", features = ["c++17"] } # Rust threading rayon = "1.5" diff --git a/depends/packages/native_cxxbridge.mk b/depends/packages/native_cxxbridge.mk index bb91c1bc0b7..35b609089ec 100644 --- a/depends/packages/native_cxxbridge.mk +++ b/depends/packages/native_cxxbridge.mk 
@@ -1,14 +1,14 @@
 package=native_cxxbridge
 # The version needs to match cxx in Cargo.toml
-$(package)_version=1.0.126
+$(package)_version=1.0.128
 $(package)_download_path=https://github.com/dtolnay/cxx/archive/refs/tags
 $(package)_file_name=native_cxxbridge-$($(package)_version).tar.gz
 $(package)_download_file=$($(package)_version).tar.gz
-$(package)_sha256_hash=9ad1aecb0dae3e9419c240a5acc1ab5a19194b6eee15c53c2b4a941192ba1a18
+$(package)_sha256_hash=7aa61d128d75cbfb4713e0c0803efb4da6c88180327f9e2f095641b55a5d0e06
 $(package)_build_subdir=gen/cmd
 $(package)_dependencies=native_rust
 # This file is somewhat annoying to update, but can be done like so from the repo base:
-# $ export VERSION=1.0.124
+# $ export VERSION=1.0.128
 # $ rm .cargo/config.toml .cargo/.configured-for-offline
 # $ mkdir tmp
 # $ cd tmp
diff --git a/depends/patches/native_cxxbridge/Cargo.lock b/depends/patches/native_cxxbridge/Cargo.lock
index 309993c6799..5dfd4efa328 100644
--- a/depends/patches/native_cxxbridge/Cargo.lock
+++ b/depends/patches/native_cxxbridge/Cargo.lock
@@ -16,9 +16,9 @@ checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1"
 
 [[package]]
 name = "cc"
-version = "1.1.13"
+version = "1.1.21"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "72db2f7947ecee9b03b510377e8bb9077afa27176fdbff55c51027e976fdcc48"
+checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0"
 dependencies = [
 "jobserver",
 "libc",
@@ -43,18 +43,18 @@ dependencies = [ [[package]] name = "clap" -version = "4.5.16" +version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ed6719fffa43d0d87e5fd8caeab59be1554fb028cd30edc88fc4369b17971019" +checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3" dependencies = [ "clap_builder", ] [[package]] name = "clap_builder" -version = "4.5.15" +version = "4.5.18" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "216aec2b177652e3846684cbfe25c9964d18ec45234f0f5da5157b207ed1aab6" +checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b" dependencies = [ "anstyle", "clap_lex", @@ -88,7 +88,7 @@ dependencies = [ [[package]] name = "cxx" -version = "1.0.126" +version = "1.0.128" dependencies = [ "cc", "cxx-build", @@ -103,7 +103,7 @@ dependencies = [ [[package]] name = "cxx-build" -version = "1.0.126" +version = "1.0.128" dependencies = [ "cc", "codespan-reporting", @@ -119,7 +119,7 @@ dependencies = [ [[package]] name = "cxx-gen" -version = "0.7.126" +version = "0.7.128" dependencies = [ "codespan-reporting", "proc-macro2", @@ -138,7 +138,7 @@ dependencies = [ [[package]] name = "cxxbridge-cmd" -version = "1.0.126" +version = "1.0.128" dependencies = [ "clap", "codespan-reporting", @@ -149,11 +149,11 @@ dependencies = [ [[package]] name = "cxxbridge-flags" -version = "1.0.126" +version = "1.0.128" [[package]] name = "cxxbridge-macro" -version = "1.0.126" +version = "1.0.128" dependencies = [ "clang-ast", "cxx", @@ -189,9 +189,9 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "flate2" -version = "1.0.32" +version = "1.0.33" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c0596c1eac1f9e04ed902702e9878208b336edc9d6fddc8a48387349bab3666" +checksum = "324a1be68054ef05ad64b861cc9eaf1d623d2d8cb25b4bf2cb9cdd902b4bf253" dependencies = [ "crc32fast", "miniz_oxide", 
@@ -211,9 +211,9 @@ checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" [[package]] name = "indexmap" -version = "2.4.0" +version = "2.5.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93ead53efc7ea8ed3cfb0c79fc8023fbb782a5432b52830b6518941cebe6505c" +checksum = "68b900aa2f7301e21c36462b170ee99994de34dff39a4a6a528e80e7376d07e5" dependencies = [ "equivalent", "hashbrown", @@ -236,9 +236,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.158" +version = "0.2.159" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" [[package]] name = "link-cplusplus" @@ -282,9 +282,9 @@ checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" [[package]] name = "pkg-config" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d231b230927b5e4ad203db57bbcbee2802f6bce620b1e4a9024a07d94e2907ec" +checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "proc-macro2" @@ -297,9 +297,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] 
@@ -330,18 +330,18 @@ checksum = "a3cf7c11c38cb994f3d40e8a8cde3bbd1f72a435e4c49e85d6553d8312306152" [[package]] name = "serde" -version = "1.0.208" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cff085d2cb684faa248efb494c39b68e522822ac0de72ccf08109abde717cfb2" +checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.208" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24008e81ff7613ed8e5ba0cfaf24e2c2f1e5b8a0495711e44fcd4882fca62bcf" +checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" dependencies = [ "proc-macro2", "quote", @@ -350,9 +350,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.125" +version = "1.0.128" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "83c8e735a073ccf5be70aa8066aa984eaf2fa000db6c8d0100ae605b366d31ed" +checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" dependencies = [ "itoa", "memchr", @@ -362,9 +362,9 @@ dependencies = [ [[package]] name = "serde_spanned" -version = "0.6.7" +version = "0.6.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d" +checksum = "87607cb1398ed59d48732e575a4c28a7a8ebf2454b964fe3f224f2afc07909e1" dependencies = [ "serde", ] @@ -383,9 +383,9 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "syn" -version = "2.0.75" +version = "2.0.77" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9" +checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" dependencies = [ "proc-macro2", "quote", 
@@ -424,9 +424,9 @@ dependencies = [ [[package]] name = "toml_edit" -version = "0.22.20" +version = "0.22.22" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "583c44c02ad26b0c3f3066fe629275e50627026c51ac2e595cca4c230ce1ce1d" +checksum = "4ae48d6208a266e853d946088ed816055e556cc6028c5e8e2b84d9fa5dd7c7f5" dependencies = [ "indexmap", "serde", @@ -452,15 +452,15 @@ dependencies = [ [[package]] name = "unicode-ident" -version = "1.0.12" +version = "1.0.13" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" +checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" [[package]] name = "unicode-width" -version = "0.1.13" +version = "0.1.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0336d538f7abc86d282a4189614dfaa90810dfc2c6f6427eaf88e16311dd225d" +checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af" [[package]] name = "winapi" @@ -568,9 +568,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.6.18" +version = "0.6.20" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68a9bda4691f099d435ad181000724da8e5899daa10713c2d432552b9ccd3a6f" +checksum = "36c1fec1a2bb5866f07c25f68c26e565c4c200aebb96d7e55710c19d3e8ac49b" dependencies = [ "memchr", ] diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml index f7a52f2f858..72147f25800 100644 --- a/qa/supply-chain/audits.toml +++ b/qa/supply-chain/audits.toml 
@@ -678,6 +678,15 @@ notes = """
 `isize` to check if it is an alias for `[u]int8_t`.
 """
 
+[[audits.cxx]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.126 -> 1.0.128"
+notes = """
+`unsafe` changes are to copy the `SyncUnsafeCell` type from nightly Rust. It is
+used as the ZST `SyncUnsafeCell>` to fix an LLVM miscompilation.
+"""
+
 [[audits.cxxbridge-flags]]
 who = "Daira Hopwood "
 criteria = "safe-to-deploy"
@@ -834,6 +843,11 @@ criteria = "safe-to-deploy"
 delta = "1.0.122 -> 1.0.124"
 notes = "Only changes to lints."
 
+[[audits.cxxbridge-macro]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.0.126 -> 1.0.128"
+
 [[audits.der]]
 who = "Daira-Emma Hopwood "
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock
index 934c031e582..d246754c4b3 100644
--- a/qa/supply-chain/imports.lock
+++ b/qa/supply-chain/imports.lock
@@ -562,6 +562,12 @@ delta = "1.0.124 -> 1.0.126"
 notes = "No changes in this delta"
 aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
 
+[[audits.google.audits.cxxbridge-flags]]
+who = "danakj "
+criteria = "safe-to-deploy"
+delta = "1.0.126 -> 1.0.128"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.fastrand]]
 who = "George Burgess IV "
 criteria = "safe-to-deploy"

From 46dee901fa95ca3e3bbf88196a8457af2b5dcc87 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 25 Sep 2024 22:18:01 +0000
Subject: [PATCH 4/8] cargo vet prune

---
 qa/supply-chain/config.toml | 20 -----------
 qa/supply-chain/imports.lock | 66 ++++++++++++++++++++++++++++++++++++
 2 files changed, 66 insertions(+), 20 deletions(-)

diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index a4f2fe96d8c..5c4481106fa 100644
--- a/qa/supply-chain/config.toml
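Review bot: The new `[[audits.cxxbridge-macro]]` entry in the second hunk (delta 1.0.126 -> 1.0.128) records no `notes`, while the `cxx` entry added in the first hunk explains its `unsafe` change (the copied `SyncUnsafeCell` type). cxxbridge-macro is the proc-macro that emits the FFI glue, so a bare `safe-to-deploy` leaves a later reader unable to tell whether the generated `unsafe` code changed in this delta or the change was judged trivial. Suggest a one-line note in the style of the neighbouring entries, e.g. `notes = "No changes to generated unsafe code."` if that is what the review found; if the macro was touched to emit the `SyncUnsafeCell` ZST mentioned in the `cxx` note, saying so ties the two audits together.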
+++ b/qa/supply-chain/config.toml @@ -42,18 +42,10 @@ criteria = "safe-to-deploy" version = "1.1.1" criteria = "safe-to-deploy" -[[exemptions.allocator-api2]] -version = "0.2.14" -criteria = "safe-to-deploy" - [[exemptions.anyhow]] version = "1.0.86" criteria = "safe-to-deploy" -[[exemptions.arrayvec]] -version = "0.7.6" -criteria = "safe-to-deploy" - [[exemptions.backtrace]] version = "0.3.73" criteria = "safe-to-deploy" @@ -98,10 +90,6 @@ criteria = "safe-to-deploy" version = "0.5.0" criteria = "safe-to-deploy" -[[exemptions.byteorder]] -version = "1.4.3" -criteria = "safe-to-deploy" - [[exemptions.bytes]] version = "1.7.1" criteria = "safe-to-deploy" @@ -302,10 +290,6 @@ criteria = "safe-to-deploy" version = "0.4.14" criteria = "safe-to-deploy" -[[exemptions.log]] -version = "0.4.22" -criteria = "safe-to-deploy" - [[exemptions.memchr]] version = "2.6.3" criteria = "safe-to-deploy" @@ -578,10 +562,6 @@ criteria = "safe-to-deploy" version = "0.1.23" criteria = "safe-to-deploy" -[[exemptions.tracing-core]] -version = "0.1.30" -criteria = "safe-to-deploy" - [[exemptions.typenum]] version = "1.15.0" criteria = "safe-to-deploy" diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index d246754c4b3..90f053d89aa 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -222,6 +222,15 @@ Unsafe code, but its logic looks good to me. Necessary given what it is doing. Well tested, has quickchecks. """ +[[audits.bytecode-alliance.audits.arrayvec]] +who = "Nick Fitzgerald " +criteria = "safe-to-deploy" +version = "0.7.2" +notes = """ +Well documented invariants, good assertions for those invariants in unsafe code, +and tested with MIRI to boot. LGTM. +""" + [[audits.bytecode-alliance.audits.base64]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -321,6 +330,12 @@ This is a minor update which has some testing affordances as well as some updated math algorithms. """ +[[audits.bytecode-alliance.audits.log]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.4.20 -> 0.4.22" +notes = "Mostly updates around the key-value implementation of this crate, but nothing out of place." + [[audits.bytecode-alliance.audits.mach2]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -535,6 +550,13 @@ delta = "2.5.0 -> 2.6.0" notes = "The changes from the previous version are negligible and thus it retains the same properties." aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.byteorder]] +who = "danakj " +criteria = "safe-to-deploy" +version = "1.5.0" +notes = "Unsafe review in https://crrev.com/c/5838022" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.cxxbridge-flags]] who = "danakj " criteria = "safe-to-deploy" @@ -1020,6 +1042,19 @@ end = "2024-05-03" notes = "All code written or reviewed by Manish" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.allocator-api2]] +who = "Nicolas Silva " +criteria = "safe-to-deploy" +version = "0.2.18" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.arrayvec]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +delta = "0.7.2 -> 0.7.6" +notes = "Manually verified new unsafe pointer arithmetic." +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.bit-set]] who = "Aria Beingessner " criteria = "safe-to-deploy" 
@@ -1212,6 +1247,26 @@ criteria = "safe-to-deploy" version = "0.4.1" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.log]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +version = "0.4.17" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Jan-Erik Rediger " +criteria = "safe-to-deploy" +delta = "0.4.17 -> 0.4.18" +notes = "One dependency removed, others updated (which we don't rely on), some APIs (which we don't use) changed." +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + +[[audits.mozilla.audits.log]] +who = "Kagami Sascha Rosylight " +criteria = "safe-to-deploy" +delta = "0.4.18 -> 0.4.20" +notes = "Only cfg attribute and internal macro changes and module refactorings" +aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" + [[audits.mozilla.audits.mach2]] who = "Gabriele Svelto " criteria = "safe-to-deploy" @@ -1312,6 +1367,17 @@ criteria = "safe-to-deploy" delta = "0.2.10 -> 0.2.18" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.tracing-core]] +who = "Alex Franchuk " +criteria = "safe-to-deploy" +version = "0.1.30" +notes = """ +Most unsafe code is in implementing non-std sync primitives. Unsafe impls are +logically correct and justified in comments, and unsafe code is sound and +justified in comments. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.typenum]] who = "Mike Hommey " criteria = "safe-to-deploy" From 15a9f521b303bdbf50d44c2fbe1559218244c375 Mon Sep 17 00:00:00 2001 
From: Jack Grigg Date: Wed, 25 Sep 2024 22:43:13 +0000 Subject: [PATCH 5/8] cargo update --- Cargo.lock | 106 +++++++-------- qa/supply-chain/audits.toml | 41 ++++++ qa/supply-chain/config.toml | 20 +-- qa/supply-chain/imports.lock | 257 ++++++++++++++++++++++++++++++----- 4 files changed, 324 insertions(+), 100 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4efa28ef2e0..d14eea0073f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -4,18 +4,18 @@ version = 3 [[package]] name = "addr2line" -version = "0.22.0" +version = "0.24.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6e4503c46a5c0c7844e948c9a4d6acd9f50cccb4de1c48eb9e291ea17470c678" +checksum = "f5fb1d8e4442bd405fdfd1dacb42792696b0cf9cb15882e5d097b742a676d375" dependencies = [ "gimli", ] [[package]] -name = "adler" -version = "1.0.2" +name = "adler2" +version = "2.0.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" +checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" [[package]] name = "aead" @@ -67,15 +67,15 @@ checksum = "5c6cb57a04249c6480766f7f7cef5467412af1490f8d1e243141daddada3264f" [[package]] name = "anyhow" -version = "1.0.86" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b3d1d046238990b9cf5bcde22a3fb3584ee5cf65fb2765f454ed428c7a0063da" +checksum = "86fdf8605db99b54d3cd748a44c6d04df638eb5dafb219b135d0149bd0db01f6" [[package]] name = "arrayref" -version = "0.3.8" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9d151e35f61089500b617991b791fc8bfd237ae50cd5950803758a179b41e67a" +checksum = "76a2e8124351fda1ef8aaaa3bbd7ebbcb486bbcd4225aca0aa0d84bb2db8fecb" [[package]] name = "arrayvec" 
@@ -91,17 +91,17 @@ checksum = "0c4b4d0bd25bd0b74681c0ad21497610ce1b7c91b1022cd21c80c6fbdd9476b0" [[package]] name = "backtrace" -version = "0.3.73" +version = "0.3.74" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5cc23269a4f8976d0a4d2e7109211a419fe30e8d88d677cd60b6bc79c5732e0a" +checksum = "8d82cb332cdfaed17ae235a638438ac4d4839913cc2af585c3c6746e8f8bee1a" dependencies = [ "addr2line", - "cc", "cfg-if", "libc", "miniz_oxide", "object", "rustc-demangle", + "windows-targets", ] [[package]] @@ -289,9 +289,9 @@ checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" [[package]] name = "bytes" -version = "1.7.1" +version = "1.7.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8318a53db07bb3f8dca91a600466bdb3f2eaadeedfdbcf02e1accbad9271ba50" +checksum = "428d9aa8fbc0670b7b8d6030a7fadd0f86151cae55e4dbbece15f3780a3dfaf3" [[package]] name = "cbc" @@ -379,15 +379,15 @@ checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" [[package]] name = "constant_time_eq" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f7144d30dcf0fafbce74250a3963025d8d52177934239851c917d29f1df280c2" +checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" [[package]] name = "cpufeatures" -version = "0.2.13" +version = "0.2.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51e852e6dc9a5bed1fae92dd2375037bf2b768725bf3be87811edee3249d09ad" +checksum = "608697df725056feaccfa42cffdaeeec3fccc4ffc38358ecd19b243e716a78e0" dependencies = [ "libc", ] 
@@ -621,9 +621,9 @@ dependencies = [ [[package]] name = "fastrand" -version = "2.1.0" +version = "2.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9fc0510504f03c51ada170672ac806f1f105a88aa97a5281117e1ddc3368e51a" +checksum = "e8c02a5121d4ea3eb16a80748c74f5549a5665e4c21333c6098f283870fbdea6" [[package]] name = "ff" @@ -733,9 +733,9 @@ dependencies = [ [[package]] name = "gimli" -version = "0.29.0" +version = "0.31.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40ecd4077b5ae9fd2e9e169b102c6c330d0605168eb0e8bf79952b256dbefffd" +checksum = "32085ea23f3234fc7846555e85283ba4de91e21016dc0455a16286d87a292d64" [[package]] name = "group" @@ -954,9 +954,9 @@ dependencies = [ [[package]] name = "ipnet" -version = "2.9.0" +version = "2.10.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8f518f335dce6725a761382244631d86cf0ccb2863413590b31338feb467f9c3" +checksum = "187674a687eed5fe42285b40c6291f9a01517d415fad1c3cbc6a9f778af7fcd4" [[package]] name = "itoa" @@ -1007,9 +1007,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.158" +version = "0.2.159" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d8adc4bb1803a324070e64a98ae98f38934d91957a99cfb3a43dcbc01bc56439" +checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" [[package]] name = "libm" @@ -1219,11 +1219,11 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" [[package]] name = "miniz_oxide" -version = "0.7.4" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b8a240ddb74feaf34a79a7add65a741f3167852fba007066dcac1ca548d89c08" +checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" dependencies = [ - "adler", + "adler2", ] [[package]] 
@@ -1323,9 +1323,9 @@ dependencies = [ [[package]] name = "object" -version = "0.36.3" +version = "0.36.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "27b64972346851a39438c60b341ebc01bba47464ae329e55cf343eb93964efd9" +checksum = "084f1a5821ac4c651660a94a7153d27ac9d8a53736203f58b31945ded098070a" dependencies = [ "memchr", ] @@ -1498,9 +1498,9 @@ dependencies = [ [[package]] name = "portable-atomic" -version = "1.7.0" +version = "1.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da544ee218f0d287a911e9c99a39a8c9bc8fcad3cb8db5959940044ecfc67265" +checksum = "d30538d42559de6b034bc76fd6dd4c38961b1ee5c6c56e3808c50128fdbc22ce" [[package]] name = "powerfmt" @@ -1580,9 +1580,9 @@ checksum = "a1d01941d82fa2ab50be1e79e6714289dd7cde78eba4c074bc5a4374f650dfe0" [[package]] name = "quote" -version = "1.0.36" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fa76aaf39101c457836aec0ce2316dbdc3ab723cdda1c6bd4e6ad4208acaca7" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] @@ -1764,18 +1764,18 @@ checksum = "719b953e2095829ee67db738b3bfa9fa368c94900df327b3f07fe6e794d2fe1f" [[package]] name = "rustc_version" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bfa0f585226d2e68097d4f95d113b15b83a82e819ab25717ec0590d9584ef366" +checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92" dependencies = [ "semver", ] [[package]] name = "rustix" -version = "0.38.34" +version = "0.38.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "70dc5ec042f7a43c4a73241207cecc9873a06d45debb38b329f8541d85c2730f" +checksum = "8acb788b847c24f28525660c4d7758620a7210875711f79e7f663cc152726811" dependencies = [ "bitflags 2.6.0", "errno", 
@@ -1864,18 +1864,18 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.208" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cff085d2cb684faa248efb494c39b68e522822ac0de72ccf08109abde717cfb2" +checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.208" +version = "1.0.210" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24008e81ff7613ed8e5ba0cfaf24e2c2f1e5b8a0495711e44fcd4882fca62bcf" +checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" dependencies = [ "proc-macro2", "quote", @@ -2023,18 +2023,18 @@ dependencies = [ [[package]] name = "thiserror" -version = "1.0.63" +version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724" +checksum = "d50af8abc119fb8bb6dbabcfa89656f46f84aa0ac7688088608076ad2b459a84" dependencies = [ "thiserror-impl", ] [[package]] name = "thiserror-impl" -version = "1.0.63" +version = "1.0.64" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261" +checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3" dependencies = [ "proc-macro2", "quote", @@ -2099,9 +2099,9 @@ checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" [[package]] name = "tokio" -version = "1.39.3" +version = "1.40.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9babc99b9923bfa4804bd74722ff02c0381021eafa4db9949217e3be8e84fff5" +checksum = "e2b070231665d27ad9ec9b8df639893f46727666c6767db40317fbe920a5d998" dependencies = [ "backtrace", "libc", 
@@ -2210,9 +2210,9 @@ checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94"
 
 [[package]]
 name = "unicode-ident"
-version = "1.0.12"
+version = "1.0.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
+checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe"
 
 [[package]]
 name = "unicode-normalization"
@@ -2656,9 +2656,9 @@ dependencies = [
 
 [[package]]
 name = "zcash_spec"
-version = "0.1.0"
+version = "0.1.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b7a3bf58b673cb3dacd8ae09ba345998923a197ab0da70d6239d8e8838949e9b"
+checksum = "1840a18eb788adab921c26e930c0aaaca509cd31090f176d1d8bbee15ddca855"
 dependencies = [
 "blake2b_simd",
 ]
diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml
index 72147f25800..683f8c90e76 100644
--- a/qa/supply-chain/audits.toml
+++ b/qa/supply-chain/audits.toml
@@ -140,6 +140,12 @@ who = "Daira-Emma Hopwood "
 criteria = "safe-to-deploy"
 delta = "0.3.6 -> 0.3.8"
 
+[[audits.arrayref]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.8 -> 0.3.9"
+notes = "Changes to `unsafe` lines are to make some existing `unsafe fn`s `const`."
+
 [[audits.backtrace]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -306,6 +312,11 @@ There is significant use of `unsafe` code, but safety requirements are well docu
 and appear correct as far as I can see.
 """
 
+[[audits.bytes]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "1.7.1 -> 1.7.2"
+
 [[audits.cc]]
 who = "Daira-Emma Hopwood "
 criteria = "safe-to-deploy"
@@ -407,6 +418,11 @@ criteria = "safe-to-deploy"
 delta = "0.2.6 -> 0.3.0"
 notes = "Replaces some `unsafe` code by bumping MSRV to 1.66 (to access `core::hint::black_box`)."
 
+[[audits.constant_time_eq]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.3.0 -> 0.3.1"
+
 [[audits.cpufeatures]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -438,6 +454,15 @@ who = "Daira-Emma Hopwood "
 criteria = "safe-to-deploy"
 delta = "0.2.11 -> 0.2.12"
 
+[[audits.cpufeatures]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.2.13 -> 0.2.14"
+notes = """
+New `unsafe` block is to call `sysctlbyname` to detect DIT on Apple ARM64, which
+is done in the same way as existing target feature checks on that arch.
+"""
+
 [[audits.crossbeam-channel]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -985,6 +1010,11 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "2.0.2 -> 2.1.0"
 
+[[audits.fastrand]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "2.1.0 -> 2.1.1"
+
 [[audits.ff]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -1334,6 +1364,11 @@ who = "Jack Grigg "
 criteria = "safe-to-deploy"
 delta = "2.8.0 -> 2.9.0"
 
+[[audits.ipnet]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "2.9.0 -> 2.10.0"
+
 [[audits.itoa]]
 who = "Jack Grigg "
 criteria = "safe-to-deploy"
@@ -2125,6 +2160,12 @@ execute arbitrary code. But when this crate is used within a build script, `$RUS
 be set correctly by `cargo`.
 """
 
+[[audits.rustc_version]]
+who = "Jack Grigg "
+criteria = "safe-to-deploy"
+delta = "0.4.0 -> 0.4.1"
+notes = "Changes to `Command` usage are to add support for `RUSTC_WRAPPER`."
+
 [[audits.rustix]]
 who = "Daira-Emma Hopwood "
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 5c4481106fa..2346b168bdc 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
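Review bot: The new `[[audits.constant_time_eq]]` entry for `0.3.0 -> 0.3.1` carries no `notes`, whereas the `cpufeatures` and `rustc_version` entries added in the same file explain what their audited delta touched. For a crate whose only job is a timing-invariant comparison, the record should say whether the comparison routine, and the `core::hint::black_box` usage that the preceding entry's note refers to (presumably the same crate's `0.2.6 -> 0.3.0` delta), changed, so a later reader can see what the safe-to-deploy judgement rested on. A one-line `notes = "<what the delta touched; whether the comparison routine and its black_box use are unchanged>"` filled in from the reviewed diff would do; that diff is not on this page.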
@@ -43,11 +43,11 @@ version = "1.1.1" criteria = "safe-to-deploy" [[exemptions.anyhow]] -version = "1.0.86" +version = "1.0.89" criteria = "safe-to-deploy" [[exemptions.backtrace]] -version = "0.3.73" +version = "0.3.74" criteria = "safe-to-deploy" [[exemptions.base64ct]] @@ -275,7 +275,7 @@ version = "1.2.0" criteria = "safe-to-deploy" [[exemptions.libc]] -version = "0.2.158" +version = "0.2.159" criteria = "safe-to-deploy" [[exemptions.libm]] @@ -339,7 +339,7 @@ version = "1.13.1" criteria = "safe-to-deploy" [[exemptions.object]] -version = "0.36.3" +version = "0.36.4" criteria = "safe-to-deploy" [[exemptions.once_cell]] @@ -391,7 +391,7 @@ version = "0.7.2" criteria = "safe-to-deploy" [[exemptions.portable-atomic]] -version = "1.7.0" +version = "1.8.0" criteria = "safe-to-deploy" [[exemptions.ppv-lite86]] @@ -482,14 +482,6 @@ criteria = "safe-to-deploy" version = "0.8.0" criteria = "safe-to-deploy" -[[exemptions.serde]] -version = "1.0.208" -criteria = "safe-to-deploy" - -[[exemptions.serde_derive]] -version = "1.0.208" -criteria = "safe-to-deploy" - [[exemptions.sha2]] version = "0.10.8" criteria = "safe-to-deploy" @@ -543,7 +535,7 @@ version = "0.3.30" criteria = "safe-to-deploy" [[exemptions.tokio]] -version = "1.39.3" +version = "1.40.0" criteria = "safe-to-deploy" [[exemptions.tower-service]] diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index 90f053d89aa..1bd8f97dd7d 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -175,8 +175,8 @@ user-login = "nuttycom" user-name = "Kris Nuttycombe" [[publisher.zcash_spec]] -version = "0.1.0" -when = "2023-12-07" +version = "0.1.1" +when = "2024-09-20" user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" 
@@ -207,11 +207,17 @@ criteria = "safe-to-deploy" delta = "0.20.0 -> 0.21.0" notes = "This version bump updated some dependencies and optimized some internals. All looks good." -[[audits.bytecode-alliance.audits.adler]] +[[audits.bytecode-alliance.audits.addr2line]] who = "Alex Crichton " criteria = "safe-to-deploy" -version = "1.0.2" -notes = "This is a small crate which forbids unsafe code and is a straightforward implementation of the adler hashing algorithm." +delta = "0.22.0 -> 0.24.1" +notes = "Lots of internal code refactorings and code movement. Nothing out of place however." + +[[audits.bytecode-alliance.audits.adler2]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "2.0.0" +notes = "Fork of the original `adler` crate, zero unsfae code, works in `no_std`, does what it says on th tin." [[audits.bytecode-alliance.audits.arrayref]] who = "Nick Fitzgerald " @@ -299,6 +305,12 @@ criteria = "safe-to-deploy" version = "0.3.27" notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." +[[audits.bytecode-alliance.audits.gimli]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.29.0 -> 0.31.0" +notes = "Various updates here and there, nothing too major, what you'd expect from a DWARF parsing crate." + [[audits.bytecode-alliance.audits.hashbrown]] who = "Chris Fallin " criteria = "safe-to-deploy" 
@@ -347,6 +359,26 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.7.1" +notes = """ +This crate is a Rust implementation of zlib compression/decompression and has +been used by default by the Rust standard library for quite some time. It's also +a default dependency of the popular `backtrace` crate for decompressing debug +information. This crate forbids unsafe code and does not otherwise access system +resources. It's originally a port of the `miniz.c` library as well, and given +its own longevity should be relatively hardened against some of the more common +compression-related issues. +""" + +[[audits.bytecode-alliance.audits.miniz_oxide]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +delta = "0.7.1 -> 0.8.0" +notes = "Minor updates, using new Rust features like `const`, no major changes." + [[audits.bytecode-alliance.audits.nu-ansi-term]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -376,6 +408,11 @@ criteria = "safe-to-deploy" version = "0.1.21" notes = "I am the author of this crate." +[[audits.bytecode-alliance.audits.rustix]] +who = "Dan Gohman " +criteria = "safe-to-deploy" +delta = "0.38.34 -> 0.38.37" + [[audits.bytecode-alliance.audits.semver]] who = "Pat Hickey " criteria = "safe-to-deploy" @@ -431,11 +468,6 @@ criteria = "safe-to-deploy" version = "0.2.4" notes = "Implements a concurrency primitive with atomics, and is not obviously incorrect" -[[audits.bytecode-alliance.audits.unicode-ident]] -who = "Pat Hickey " -criteria = "safe-to-deploy" -version = "1.0.8" - [[audits.bytecode-alliance.audits.want]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -666,22 +698,6 @@ are made about the safety of either of those libraries. :) """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.miniz_oxide]] -who = "Lukasz Anforowicz " -criteria = "safe-to-deploy" -version = "0.7.4" -notes = ''' -Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'` -and there were no hits, except for some mentions of "unsafe" in the `README.md` -and in a comment in `src/deflate/core.rs`. The comment discusses whether a -function should be treated as unsafe, but there is no actual `unsafe` code, so -the crate meets the `ub-risk-0` criteria. - -Note that some additional, internal notes about an older version of this crate -can be found at go/image-crate-chromium-security-review. -''' -aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" - [[audits.google.audits.nom]] who = "danakj@chromium.org" criteria = "safe-to-deploy" 
@@ -784,6 +800,155 @@ criteria = "safe-to-deploy" delta = "1.0.35 -> 1.0.36" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.quote]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.36 -> 1.0.37" +notes = """ +The delta just 1) inlines/expands `impl ToTokens` that used to be handled via +`primitive!` macro and 2) adds `impl ToTokens` for `CStr` and `CString`. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.197" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'`, `'\bnet\b'`, `'\bunsafe\b'`. + +There were some hits for `net`, but they were related to serialization and +not actually opening any connections or anything like that. + +There were 2 hits of `unsafe` when grepping: +* In `fn as_str` in `impl Buf` +* In `fn serialize` in `impl Serialize for net::Ipv4Addr` + +Unsafe review comments can be found in https://crrev.com/c/5350573/2 (this +review also covered `serde_json_lenient`). + +Version 1.0.130 of the crate has been added to Chromium in +https://crrev.com/c/3265545. The CL description contains a link to a +(Google-internal, sorry) document with a mini security review. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Dustin J. 
Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.197 -> 1.0.198" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.198 -> 1.0.201" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.201 -> 1.0.202" +notes = "Trivial changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.202 -> 1.0.203" +notes = "s/doc_cfg/docsrs/ + tuple_impls/tuple_impl_body-related changes" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = "The small change in `src/private/ser.rs` should have no impact on `ub-risk-2`." 
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = """ +The delta carries fairly small changes in `src/private/de.rs` and +`src/private/ser.rs` (see https://crrev.com/c/5812194/2..5). AFAICT the +delta has no impact on the `unsafe`, `from_utf8_unchecked`-related parts +of the crate (in `src/de/format.rs` and `src/ser/impls.rs`). +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.197" +notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.197 -> 1.0.201" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Dustin J. 
Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.201 -> 1.0.202" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.202 -> 1.0.203" +notes = "Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.203 -> 1.0.204" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.204 -> 1.0.207" +notes = 'Grepped for \"unsafe\", \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.207 -> 1.0.209" +notes = ''' +There are no code changes in this delta - see https://crrev.com/c/5812194/2..5 + +I've neverthless also grepped for `-i cipher`, `-i crypto`, `\bfs\b`, +`\bnet\b`, and `\bunsafe\b`. There were no hits. 
+''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.serde_derive]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.209 -> 1.0.210" +notes = "Almost no new code - just feature rearrangement" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.tinyvec]] who = "Adrian Taylor " criteria = "safe-to-deploy" @@ -802,6 +967,29 @@ criteria = "safe-to-deploy" delta = "1.7.0 -> 1.8.0" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.unicode-ident]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.12" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +All two functions from the public API of this crate use `unsafe` to avoid bound +checks for an array access. Cross-module analysis shows that the offsets can +be statically proven to be within array bounds. More details can be found in +the unsafe review CL at https://crrev.com/c/5350386. + +This crate has been added to Chromium in https://crrev.com/c/3891618. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.unicode-ident]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.12 -> 1.0.13" +notes = "Lots of table updates, and tables are assumed correct with unsafe `.get_unchecked()`, so ub-risk-2 is appropriate" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.isrg.audits.base64]] who = "Tim Geoghegan " criteria = "safe-to-deploy" 
@@ -1018,11 +1206,21 @@ who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "1.0.40 -> 1.0.43" +[[audits.isrg.audits.thiserror]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.64" + [[audits.isrg.audits.thiserror-impl]] who = "Brandon Pitman " criteria = "safe-to-deploy" delta = "1.0.40 -> 1.0.43" +[[audits.isrg.audits.thiserror-impl]] +who = "Brandon Pitman " +criteria = "safe-to-deploy" +delta = "1.0.63 -> 1.0.64" + [[audits.isrg.audits.universal-hash]] who = "David Cook " criteria = "safe-to-deploy" @@ -1384,13 +1582,6 @@ criteria = "safe-to-deploy" delta = "1.15.0 -> 1.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" -[[audits.mozilla.audits.unicode-ident]] -who = "Jan-Erik Rediger " -criteria = "safe-to-deploy" -delta = "1.0.8 -> 1.0.9" -notes = "Dependency updates only" -aggregated-from = "https://raw.githubusercontent.com/mozilla/glean/main/supply-chain/audits.toml" - [[audits.zcash.audits.autocfg]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" From 155e095f2a5c66e2ef30ed17453d80cde11ace07 Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Wed, 25 Sep 2024 22:43:39 +0000 Subject: [PATCH 6/8] qa: Postpone Boost, LevelDB, and Clang updates --- qa/zcash/postponed-updates.txt | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt index ec135b6b820..fb99d734174 100644 --- a/qa/zcash/postponed-updates.txt +++ b/qa/zcash/postponed-updates.txt 
@@ -5,17 +5,19 @@ # # Boost 1.84.0 causes gtests to fail on macOS. -boost 1.84.0 2024-09-15 -boost 1.85.0 2024-09-15 -boost 1.86.0 2024-09-15 -native_b2 1.84.0 2024-09-15 -native_b2 1.85.0 2024-09-15 -native_b2 1.86.0 2024-09-15 +boost 1.84.0 2024-12-15 +boost 1.85.0 2024-12-15 +boost 1.86.0 2024-12-15 +native_b2 1.84.0 2024-12-15 +native_b2 1.85.0 2024-12-15 +native_b2 1.86.0 2024-12-15 # Clang and Rust are currently pinned to LLVM 18 +libcxx 19.1.0 2024-12-15 +native_clang 19.1.0 2024-12-15 # We follow upstream Bitcoin Core's LevelDB updates -leveldb 1.23 2024-09-15 +leveldb 1.23 2024-12-15 # We're never updating to this version bdb 18.1.40 2025-03-01
From f9b972837c581f482a94f18974fadd7b96c2bcb8 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 25 Sep 2024 22:52:17 +0000
Subject: [PATCH 7/8] Fix clippy lints for 1.81
---
 src/rust/bin/wallet_tool.rs | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/rust/bin/wallet_tool.rs b/src/rust/bin/wallet_tool.rs
index 01f49638904..fdb1b288506 100644
--- a/src/rust/bin/wallet_tool.rs
+++ b/src/rust/bin/wallet_tool.rs
@@ -499,14 +499,13 @@ fn run(opts: &CliOptions) -> anyhow::Result<()> {
 ));
 Ok(())
 })
- .map_err(|e| {
+ .inspect_err(|_| {
 println!(concat!(
 "\nzcash-wallet-tool was unable to communicate to zcashd that the\n",
 "backup was confirmed. This can happen if zcashd stopped, in which\n",
 "case you should try again. If zcashd is still running, please seek\n",
 "help or try to use 'zcash-cli -stdin walletconfirmbackup' manually.\n"
 ));
- e
 })?;
 Ok(())
 }
@@ -531,10 +530,7 @@ fn prompt(input: &mut Stdin) -> anyhow::Result {
 }
 
 fn strip(input: &SecretString) -> &str {
- input
- .expose_secret()
- .trim_end_matches(|c| c == '\r' || c == '\n')
- .trim()
+ input.expose_secret().trim_end_matches(['\r', '\n']).trim()
 }
 
 fn ordinal(num: usize) -> String {
From 31ffb08e90fa97d3bf20c74983e78e01880f745e Mon Sep 17 00:00:00 2001
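Review bot: The rewritten body of `strip` keeps `trim_end_matches(['\r', '\n'])` ahead of `.trim()`, but `str::trim` already removes `\r` and `\n` as Unicode whitespace, so the first call is redundant and `input.expose_secret().trim()` yields the same slice; keeping it is harmless but implies a distinction that does not exist. More relevant for a wallet tool, `strip` hands the secret back as a plain `&str` with no doc comment saying so; suggest `/// Returns the exposed secret with surrounding whitespace removed. The slice aliases the secret's buffer, so callers must not log it or copy it into a non-secret type.` above the signature. The `inspect_err` change in the first hunk looks behaviour-preserving, since the old closure only printed and returned `e` unchanged; that hunk's enclosing `run` starts outside the hunk.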
From: Jack Grigg
Date: Thu, 26 Sep 2024 01:46:32 +0000
Subject: [PATCH 8/8] Remove `#[should_panic]` tests of `extern "C"` functions
These are now incorrect tests after the changes in 1.81.0 to cause uncaught unwinds in `extern "C"` functions to abort.
---
 src/rust/src/tests/zip339.rs | 28 ----------------------------
 1 file changed, 28 deletions(-)
diff --git a/src/rust/src/tests/zip339.rs b/src/rust/src/tests/zip339.rs
index 3ff54e0f2fa..fb28fa72fd6 100644
--- a/src/rust/src/tests/zip339.rs
+++ b/src/rust/src/tests/zip339.rs
@@ -16,39 +16,11 @@ fn test_try_from_language() {
 assert!(bip0039::Language::try_from(Language(1234)).is_err());
 }
 
-#[test]
-#[should_panic]
-fn test_null_entropy_to_phrase_panics() {
- zip339_entropy_to_phrase(Language(0), ptr::null(), 0);
-}
-
 #[test]
 fn test_free_null_phrase_is_noop() {
 zip339_free_phrase(ptr::null_mut());
 }
 
-#[test]
-#[should_panic]
-fn test_validate_null_phrase_panics() {
- zip339_validate_phrase(Language(0), ptr::null());
-}
-
-#[test]
-#[should_panic]
-fn test_null_phrase_to_seed_panics() {
- zip339_phrase_to_seed(Language(0), ptr::null(), ptr::NonNull::dangling().as_ptr());
-}
-
-#[test]
-#[should_panic]
-fn test_phrase_to_seed_with_null_buffer_panics() {
- zip339_phrase_to_seed(
- Language(0),
- ptr::NonNull::dangling().as_ptr(),
- ptr::null_mut(),
- );
-}
-
 #[test]
 fn test_known_answers() {
 let mut entropy = [0u8; 32];