From 19679a6f13e68c446727a067aaf49a5303d4ab0c Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 16 Jun 2022 08:45:10 -0400 Subject: [PATCH 1/5] Remove rustls from tor-rtcompat/full This is another consequence of the `ring` license issue; see #493. --- crates/tor-rtcompat/Cargo.toml | 2 +- crates/tor-rtcompat/src/lib.rs | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/crates/tor-rtcompat/Cargo.toml b/crates/tor-rtcompat/Cargo.toml index 404c0862b..62cf7b5da 100644 --- a/crates/tor-rtcompat/Cargo.toml +++ b/crates/tor-rtcompat/Cargo.toml @@ -14,7 +14,7 @@ repository = "https://gitlab.torproject.org/tpo/core/arti.git/" [features] default = [] -full = ["async-std", "tokio", "native-tls", "rustls"] +full = ["async-std", "tokio", "native-tls"] async-std = ["async-std-crate", "async-io", "async_executors/async_std"] tokio = ["tokio-crate", "tokio-util", "async_executors/tokio_tp"] diff --git a/crates/tor-rtcompat/src/lib.rs b/crates/tor-rtcompat/src/lib.rs index 91d362a7b..2fb3cc4fb 100644 --- a/crates/tor-rtcompat/src/lib.rs +++ b/crates/tor-rtcompat/src/lib.rs @@ -96,7 +96,9 @@ //! crate for TLS support //! * `static` -- link the native TLS library statically (enables the `vendored` feature of the //! `native-tls` crate). -//! * `rustls` -- build with the [rustls](https://github.com/rustls/rustls) crate for TLS support +//! * `rustls` -- build with the [rustls](https://github.com/rustls/rustls) crate for TLS support. Note that `rustls` uses the `ring` crate, which uses +//! the old (3BSD/SSLEay) OpenSSL license, which may introduce licensing +//! compatibility issues. //! //! By default, *this* crate doesn't enable any features. However, you're almost certainly //! using this as part of the `arti-client` crate, which will enable `tokio` and `native-tls` in From c16b32f1d47fc428074637e3859205f4ba9b38e2 Mon Sep 17 00:00:00 2001 
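Review bot: Nothing next to the new `full = ["async-std", "tokio", "native-tls"]` line in crates/tor-rtcompat/Cargo.toml records why `rustls` is missing, so a later tidy-up could add it back and bring `ring` in with it. A comment directly above the line would carry the reason, for example `# "rustls" is deliberately not in "full": it depends on ring, which has a license problem; see #493.` The tree check added later in this series runs against `arti` with `full`. Whether that also catches a regression in this crate's own `full` depends on feature wiring that is not visible in this hunk.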
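Review bot: The extended `rustls` bullet in crates/tor-rtcompat/src/lib.rs explains the `ring` license concern but does not say that `rustls` is no longer turned on by `full`, which is the behaviour change a reader of these feature docs needs to know. One more doc line would cover it, for example `//! Not enabled by the "full" feature; select it explicitly if you want it.` Whether `full` has its own bullet is outside the hunk. The license name is also spelled `SSLEay` here but `SSLeay` in maint/check_tree later in the series, and `SSLeay` is the usual form.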
From: Nick Mathewson Date: Thu, 16 Jun 2022 08:59:45 -0400 Subject: [PATCH 2/5] Add script and CI to make sure `ring` doesn't show up in arti/full See arti#493. --- .gitlab-ci.yml | 4 +++- maint/check_tree | 24 ++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100755 maint/check_tree diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b3c89ed09..7a7d9ce90 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -43,16 +43,18 @@ rust-checks: script: - rustup show - rustup component add rustfmt - - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license + - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license cargo-tree - cargo fmt -- --check - ./maint/check_licenses - ./maint/cargo_audit - ./maint/cargo_sort + - ./maint/check_tree cache: paths: - cargo-audit - cargo-sort - cargo-license + - cargo-tree rust-latest: stage: build diff --git a/maint/check_tree b/maint/check_tree new file mode 100755 index 000000000..2f591db96 --- /dev/null +++ b/maint/check_tree @@ -0,0 +1,24 @@ +#!/bin/bash +# +# Use cargo-tree to check our dependencies for crates which we must +# not depend on unconditionally. + + +forbid () { + local our_crate="$1" + local feature="$2" + local forbidden="$3" + if cargo tree -i "$forbidden" -p "$our_crate" --features "$feature" 2>/dev/null ; then + echo "Uh-oh: $forbidden has shown up in $our_crate/$feature." + exit 1 + else + echo "Didn't find $forbidden in $our_crate/$feature. Good." + fi +} + +# We can't use these crates in arti/full, since they expose us to the old +# OpenSSL (3BSD + SSLeay) license. +forbid arti full ring +forbid arti full webpki + +echo "Everything looks fine." From 349f9d5000e61094e496fac14d15a1f73f7cc84d Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 16 Jun 2022 15:54:21 -0400 Subject: [PATCH 3/5] Don't install cargo-tree: It's built-in. --- .gitlab-ci.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
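Review bot: The `cargo tree` call inside `forbid` in maint/check_tree only considers dependencies for the host platform by default, so a forbidden crate pulled in solely under a `cfg(...)` for another OS or architecture would pass this gate on the CI runner. Adding `--target all` makes the check cover every platform: `cargo tree --target all -i "$forbidden" -p "$our_crate" --features "$feature"`. The rewritten invocation in patches 4/5 and 5/5 (`cargo tree --prefix=none -p "$our_crate" --features "$feature" ...`) keeps the same default and would need the same flag. Whether arti currently has platform-specific dependencies that matter here cannot be told from this page.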
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 7a7d9ce90..5148da3a6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -43,7 +43,7 @@ rust-checks: script: - rustup show - rustup component add rustfmt - - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license cargo-tree + - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license - cargo fmt -- --check - ./maint/check_licenses - ./maint/cargo_audit @@ -54,7 +54,6 @@ rust-checks: - cargo-audit - cargo-sort - cargo-license - - cargo-tree rust-latest: stage: build From 677f1b8af095ead955be0e58dde1b241e0d42ddb Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 16 Jun 2022 16:13:11 -0400 Subject: [PATCH 4/5] Update check_tree to better detect errors in cargo-tree. --- maint/check_tree | 32 ++++++++++++++++++++++++++------ 1 file changed, 26 insertions(+), 6 deletions(-) diff --git a/maint/check_tree b/maint/check_tree index 2f591db96..e688bf80c 100755 --- a/maint/check_tree +++ b/maint/check_tree 
@@ -3,17 +3,37 @@ # Use cargo-tree to check our dependencies for crates which we must # not depend on unconditionally. +set -eu forbid () { local our_crate="$1" local feature="$2" local forbidden="$3" - if cargo tree -i "$forbidden" -p "$our_crate" --features "$feature" 2>/dev/null ; then - echo "Uh-oh: $forbidden has shown up in $our_crate/$feature." - exit 1 - else - echo "Didn't find $forbidden in $our_crate/$feature. Good." - fi + + set +e + cargo tree --prefix=none -p "$our_crate" --features "$feature" \ + --format=" {p}" | grep "^ $forbidden" + local result="${PIPESTATUS[*]}" + set -e + + case "$result" in + "0 0") + # cargo-tree succeeded, and so did grep: we found the + # forbidden package. + echo "Uh-oh: $forbidden has shown up in $our_crate/$feature." + exit 1 + ;; + "0 1") + # cargo-tree succeeded, and grep failed: we didn't find the + # forbidden package. + echo "Didn't find $forbidden in $our_crate/$feature. Good." + ;; + *) + # cargo-tree failed (or maybe grep is gruesomely nonstandard) + echo "cargo tree failed unexpectedly when checking for $forbidden in $our_crate/$feature" >&2 + exit 1 + ;; + esac } # We can't use these crates in arti/full, since they expose us to the old From bf15abbb976fcafaeebd1b97acb74a5735563f85 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Fri, 17 Jun 2022 08:41:38 -0400 Subject: [PATCH 5/5] Avoid matching crate names by prefix. --- maint/check_tree | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/maint/check_tree b/maint/check_tree index e688bf80c..959bf8613 100755 --- a/maint/check_tree +++ b/maint/check_tree 
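Review bot: The `"0 0")` branch of `forbid` says the forbidden crate is present but no longer shows which dependency pulls it in. The `cargo tree -i` form that this hunk replaces printed that inverse tree on a hit. Printing it just before `exit 1` would save whoever hits the failure a manual step, for example `cargo tree -i "$forbidden" -p "$our_crate" --features "$feature" >&2 || true`. The `|| true` keeps the restored `set -e` from replacing the intended error message if this diagnostic call itself fails.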
@@ -12,7 +12,11 @@ forbid () { set +e cargo tree --prefix=none -p "$our_crate" --features "$feature" \ - --format=" {p}" | grep "^ $forbidden" + --format=" {p}" | grep "^ $forbidden " + # Note that the space in the grep pattern above is necessary to + # make sure we don't match prefixes. (The cargo tree output will be + # something like " cratename v1.2.3".) + local result="${PIPESTATUS[*]}" set -e