Merge branch 'ring_out_the_old' into 'main'

Enforce no-ring-in-arti/full (and make it true) See merge request tpo/core/arti!592
2022-06-17 13:42:38 +00:00 · 2022-06-17 13:42:38 +00:00 · a3d8a425c4
parent 9ae57e8bc4 bf15abbb97
commit a3d8a425c4
4 changed files with 53 additions and 2 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -48,6 +48,7 @@ rust-checks:
    - ./maint/check_licenses
    - ./maint/cargo_audit
    - ./maint/cargo_sort
+    - ./maint/check_tree
  cache:
    paths:
      - cargo-audit
--- a/crates/tor-rtcompat/Cargo.toml
+++ b/crates/tor-rtcompat/Cargo.toml
@ -14,7 +14,7 @@ repository = "https://gitlab.torproject.org/tpo/core/arti.git/"
 [features]

 default = []
-full = ["async-std", "tokio", "native-tls", "rustls"]
+full = ["async-std", "tokio", "native-tls"]

 async-std = ["async-std-crate", "async-io", "async_executors/async_std"]
 tokio = ["tokio-crate", "tokio-util", "async_executors/tokio_tp"]
--- a/crates/tor-rtcompat/src/lib.rs
+++ b/crates/tor-rtcompat/src/lib.rs
@ -96,7 +96,9 @@
 //!   crate for TLS support
 //! * `static` -- link the native TLS library statically (enables the `vendored` feature of the
 //!   `native-tls` crate).
-//! * `rustls` -- build with the [rustls](https://github.com/rustls/rustls) crate for TLS support
+//! * `rustls` -- build with the [rustls](https://github.com/rustls/rustls) crate for TLS support.  Note that `rustls` uses the `ring` crate, which uses
+//!    the old (3BSD/SSLEay) OpenSSL license, which may introduce licensing
+//!    compatibility issues.
 //!
 //! By default, *this* crate doesn't enable any features. However, you're almost certainly
 //! using this as part of the `arti-client` crate, which will enable `tokio` and `native-tls` in
--- a/maint/check_tree
+++ b/maint/check_tree
@ -0,0 +1,48 @@
+#!/bin/bash
+#
+# Use cargo-tree to check our dependencies for crates which we must
+# not depend on unconditionally.
+
+set -eu
+
+forbid () {
+    local our_crate="$1"
+    local feature="$2"
+    local forbidden="$3"
+
+    set +e
+    cargo tree --prefix=none -p "$our_crate" --features "$feature" \
+	  --format="    {p}" | grep "^    $forbidden "
+    # Note that the space in the grep pattern above is necessary to
+    # make sure we don't match prefixes.  (The cargo tree output will be
+    # something like "    cratename v1.2.3".)
+
+    local result="${PIPESTATUS[*]}"
+    set -e
+
+    case "$result" in
+	"0 0")
+	    # cargo-tree succeeded, and so did grep: we found the
+	    # forbidden package.
+            echo "Uh-oh: $forbidden has shown up in $our_crate/$feature."
+    	    exit 1
+	    ;;
+	"0 1")
+	    # cargo-tree succeeded, and grep failed: we didn't find the
+	    # forbidden package.
+	    echo "Didn't find $forbidden in $our_crate/$feature.  Good."
+	    ;;
+	*)
+	    # cargo-tree failed (or maybe grep is gruesomely nonstandard)
+	    echo "cargo tree failed unexpectedly when checking for $forbidden in $our_crate/$feature" >&2
+	    exit 1
+	    ;;
+    esac
+}
+
+# We can't use these crates in arti/full, since they expose us to the old
+# OpenSSL (3BSD + SSLeay) license.
+forbid arti full ring
+forbid arti full webpki
+
+echo "Everything looks fine."