Allow webpki in deny.toml

[altonen]

According to the Github repository it's licensed under custom, ISC-style license. The author says that some of the files in tests/ are not under ISC but doesn't mention what the license is. Anyway, it's not like we have a choice with this because it's a dependency of libp2p

https:/briansmith/webpki
briansmith/webpki#246 (comment)

[TheQuantumPhysicist]

Seems OK to me. Please message @muursh to ensure he's OK with it as well.

[altonen]

https:/briansmith/ring/blob/main/deny.toml
https:/briansmith/webpki/blob/main/deny.toml

[altonen]

Any cargo-deny experts interested in helping wit these new errors? There are 11 duplicate crate errors, here's one example for socket2:

libp2p-dns -> async-std-resolver -> trust-dns-resolver -> ipconfig -> socket2 v0.3.19

libp2p-uds -> async-std -> async-io -> socket2 v0.4.2

[TheQuantumPhysicist]

Any cargo-deny experts interested in helping wit these new errors? There are 11 duplicate crate errors, here's one example for socket2:

libp2p-dns -> async-std-resolver -> trust-dns-resolver -> ipconfig -> socket2 v0.3.19

libp2p-uds -> async-std -> async-io -> socket2 v0.4.2

Well, if both come from the same library, then there's no way around it except to skip it.

[altonen]

I'll just ignore the ones that are from libp2p then. I can't even test this locally because it segfault on my machine, I love cargo-deny. Sorry for incoming spam

[muursh]

Yeah fine by me to add it. And yeah for all the duplicates within a dependency the only way around that is to add rules to skip them which isn't a great solution but it's the only one there is

[altonen]

There's a problem, we also need to change the versions of digest and blake2 but the code we right now have in crypto/ has been written using the latest versions whereas the updated versions are 0.9.0 and 0.9.2, respectively, This means that some of the code has to be rewritten.

The digest code isn't too bad I suppose, apart from removing OutputSizeUser but the BLAKE2 is a lot of work because it has been written for the compile-time output size types but those are not available in 0.9.2 so most of the code has to be rewritten. Any volunteers?

Or do we make digest and blake2 also exceptions? I would prefer this option

[TheQuantumPhysicist]

There's a problem, we also need to change the versions of digest and blake2 but the code we right now have in crypto/ has been written using the latest versions whereas the updated versions are 0.9.0 and 0.9.2, respectively, This means that some of the code has to be rewritten.

The digest code isn't too bad I suppose, apart from removing OutputSizeUser but the BLAKE2 is a lot of work because it has been written for the compile-time output size types but those are not available in 0.9.2 so most of the code has to be rewritten. Any volunteers?

Or do we make digest and blake2 also exceptions? I would prefer this option

It seems to be inevitable to add digest libraries to exceptions. I was gonna do that for Tari (and I remember doing it for sha/sha2/sha3/blake/ripmd, but maybe I was able to skip that because I skipped adding tari_utilties eventually... I don't remember). So if you have to add them to exceptions, that's OK from my end.

[muursh]

Yeah as I just said on slack the one thing we need to be careful of what changed between versions to make sure there aren't crypto issues being fixed between versions but yeah right now the versions mentioned here are fine. We just need to be careful about which versions we use in the future but yeah adding a skip rule here is fine for me too