From 279c82b09321c1275ce8f1d025c1abb331072320 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Wed, 12 Apr 2023 18:04:29 +0000
Subject: [PATCH] Tell `cargo-vet` to ignore patched dependencies

The book page on Rust is updated to describe how to patch dependencies, so `cargo-vet` can be kept passing while patches are present.
---
 doc/book/src/dev/rust.md | 34 ++++++++++++++++++++++++++++++++++
 qa/supply-chain/config.toml | 27 +++++++++++++++++++++++++++
 2 files changed, 61 insertions(+)

diff --git a/doc/book/src/dev/rust.md b/doc/book/src/dev/rust.md
index f4bad9be5..fe5616744 100644
--- a/doc/book/src/dev/rust.md
+++ b/doc/book/src/dev/rust.md
@@ -64,6 +64,40 @@ To add dependencies that are compatible with the reproducible build system, you
 ./zcutil/build.sh
 ```
 
+## Using an unpublished Rust dependency
+
+Occasionally we may need to depend on an unpublished git revision of a crate.
+We sometimes want to prove out API changes to the `zcash_*` Rust crates by
+migrating `zcashd` to them first, before making a public crate release. Or we
+might need to cut a `zcashd` release before some upstream dependency has
+published a fix we need. In these cases, we use patch dependencies.
+
+For example, to use an unpublished version of the `orchard` crate that includes
+a new API, add the following patch to `Cargo.toml`:
+
+```
+[dependencies]
+# This dependency is listed with a version, meaning it comes from crates.io; the
+# patch goes into a [patch.crates-io] section.
+orchard = "0.4"
+...
+
+[patch.crates-io]
+orchard = { git = "https://github.com/zcash/orchard.git", rev = "..." }
+```
+
+Note that if the git repository contains a workspace of interconnected crates
+(for example, https://github.com/zcash/librustzcash), you will need to provide
+patches for each of the dependencies that reference the same git revision.
+
+You also need to update `.cargo/config.offline` to add a replacement definition
+for each `(git, rev)` pair. Run `./test/lint/lint-cargo-patches.sh` to get the
+lines that need to be present.
+
+Finally, `./qa/supply-chain/config.toml` needs to be updated to ignore patched
+dependencies. Run `cargo vet regenerate audit-as-crates-io`, and then ensure the
+newly-added lines are of the form `audit-as-crates-io = false`.
+
 ## Using a local Rust dependency
 
 During development, you can use a locally checked out version of a dependency
diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index ece7c4909..d3e4a08ab 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -19,6 +19,33 @@ url = "https://raw.githubusercontent.com/divviup/libprio-rs/main/supply-chain/au
 [imports.mozilla]
 url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
 
+[policy.equihash]
+audit-as-crates-io = false
+
+[policy.f4jumble]
+audit-as-crates-io = false
+
+[policy.orchard]
+audit-as-crates-io = false
+
+[policy.zcash_address]
+audit-as-crates-io = false
+
+[policy.zcash_encoding]
+audit-as-crates-io = false
+
+[policy.zcash_history]
+audit-as-crates-io = false
+
+[policy.zcash_note_encryption]
+audit-as-crates-io = false
+
+[policy.zcash_primitives]
+audit-as-crates-io = false
+
+[policy.zcash_proofs]
+audit-as-crates-io = false
+
 [[exemptions.addr2line]]
 version = "0.17.0"
 criteria = "safe-to-deploy"
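Review bot: The nine `audit-as-crates-io = false` entries in this hunk switch cargo-vet from auditing these crates to treating them as first-party code, so the git revisions pulled in by the matching `[patch.crates-io]` overrides carry no audit record and the remaining control is review of the pinned `rev` in `Cargo.toml` and the replacement entries in `.cargo/config.offline`. Nothing in the config ties an entry to the patch it covers, so an entry can outlive the override it was added for and keep a crate exempt after it has reverted to a crates.io release. Since the book page says these entries come from `cargo vet regenerate audit-as-crates-io`, a comment above the first policy table is the one place to record the intent, assuming the tool leaves comments in place: `# Patched git dependencies: cargo-vet treats these as first-party and requires no audit while the patch is present. Remove each entry when its [patch.crates-io] override is dropped.` Whether cargo-vet itself flags a stale entry is not visible here, so the removal step belongs in the un-patching procedure alongside the `.cargo/config.offline` cleanup.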