From c16b32f1d47fc428074637e3859205f4ba9b38e2 Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Thu, 16 Jun 2022 08:59:45 -0400
Subject: [PATCH] Add script and CI to make sure `ring` doesn't show up in
 arti/full

See arti#493.
---
 .gitlab-ci.yml   |  4 +++-
 maint/check_tree | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100755 maint/check_tree

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b3c89ed09..7a7d9ce90 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -43,16 +43,18 @@ rust-checks:
   script:
     - rustup show
     - rustup component add rustfmt
-    - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license
+    - ./maint/via-cargo-install-in-ci cargo-audit cargo-sort cargo-license cargo-tree
     - cargo fmt -- --check
     - ./maint/check_licenses
     - ./maint/cargo_audit
     - ./maint/cargo_sort
+    - ./maint/check_tree
   cache:
     paths:
       - cargo-audit
       - cargo-sort
       - cargo-license
+      - cargo-tree
 
 rust-latest:
   stage: build
diff --git a/maint/check_tree b/maint/check_tree
new file mode 100755
index 000000000..2f591db96
--- /dev/null
+++ b/maint/check_tree
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Use cargo-tree to check our dependencies for crates which we must
+# not depend on unconditionally.
+
+
+forbid () {
+    local our_crate="$1"
+    local feature="$2"
+    local forbidden="$3"
+    if cargo tree -i "$forbidden" -p "$our_crate" --features "$feature" 2>/dev/null ; then
+        echo "Uh-oh: $forbidden has shown up in $our_crate/$feature."
+	exit 1
+    else
+        echo "Didn't find $forbidden in $our_crate/$feature.  Good."
+    fi
+}
+
+# We can't use these crates in arti/full, since they expose us to the old
+# OpenSSL (3BSD + SSLeay) license.
+forbid arti full ring
+forbid arti full webpki
+
+echo "Everything looks fine."