From 8e68e5b18153907dae7585303a65f5cd443c4ec9 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 2 Jan 2025 20:31:44 +0000
Subject: [PATCH 1/8] depends: utfcpp 4.0.6
---
 depends/packages/utfcpp.mk | 4 ++--
 qa/zcash/postponed-updates.txt | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/depends/packages/utfcpp.mk b/depends/packages/utfcpp.mk
index 6ce7ce676d4..8936dcc415a 100644
--- a/depends/packages/utfcpp.mk
+++ b/depends/packages/utfcpp.mk
@@ -1,9 +1,9 @@
 package=utfcpp
-$(package)_version=4.0.5
+$(package)_version=4.0.6
 $(package)_download_path=https://github.com/nemtrif/$(package)/archive/refs/tags
 $(package)_file_name=$(package)-$($(package)_version).tar.gz
 $(package)_download_file=v$($(package)_version).tar.gz
-$(package)_sha256_hash=ffc668a310e77607d393f3c18b32715f223da1eac4c4d6e0579a11df8e6b59cf
+$(package)_sha256_hash=6920a6a5d6a04b9a89b2a89af7132f8acefd46e0c2a7b190350539e9213816c0
 define $(package)_stage_cmds
 mkdir -p $($(package)_staging_dir)$(host_prefix)/include && \
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index bee833d0183..b137b9d3499 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -64,4 +64,3 @@ rustcxx 1.0.133 2025-02-01
 rustcxx 1.0.134 2025-02-01
 rustcxx 1.0.135 2025-02-01
 rustcxx 1.0.136 2025-02-01
-utfcpp 4.0.6 2025-02-01
From bf4c198e6bd90657ffb751c2b413a4d0e0d07b71 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 2 Jan 2025 20:35:58 +0000
Subject: [PATCH 2/8] depends: native_fmt 11.1.1
---
 depends/packages/native_fmt.mk | 4 ++--
 qa/zcash/postponed-updates.txt | 2 --
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/depends/packages/native_fmt.mk b/depends/packages/native_fmt.mk
index d77b7694892..d5dfb236494 100644
--- a/depends/packages/native_fmt.mk
+++ b/depends/packages/native_fmt.mk
@@ -1,9 +1,9 @@
 package=native_fmt
-$(package)_version=11.0.2
+$(package)_version=11.1.1
 $(package)_download_path=https://github.com/fmtlib/fmt/archive/refs/tags
 $(package)_download_file=$($(package)_version).tar.gz
 $(package)_file_name=fmt-$($(package)_version).tar.gz
-$(package)_sha256_hash=6cb1e6d37bdcb756dbbe59be438790db409cdb4868c66e888d5df9f13f7c027f
+$(package)_sha256_hash=482eed9efbc98388dbaee5cb5f368be5eca4893456bb358c18b7ff71f835ae43
 $(package)_build_subdir=build
 $(package)_dependencies=native_cmake
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index b137b9d3499..4df53318c2f 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -53,8 +53,6 @@ native_cxxbridge 1.0.133 2025-02-01
 native_cxxbridge 1.0.134 2025-02-01
 native_cxxbridge 1.0.135 2025-02-01
 native_cxxbridge 1.0.136 2025-02-01
-native_fmt 11.1.0 2025-02-01
-native_fmt 11.1.1 2025-02-01
 native_xxhash 0.8.3 2025-02-01
 rustcxx 1.0.129 2025-02-01
 rustcxx 1.0.130 2025-02-01
From 90ef1beea4d26eba7e580727937a867a008cfa63 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 2 Jan 2025 20:41:39 +0000
Subject: [PATCH 3/8] depends: native_xxhash 0.8.3
---
 depends/packages/native_xxhash.mk | 4 ++--
 qa/zcash/postponed-updates.txt | 1 -
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/depends/packages/native_xxhash.mk b/depends/packages/native_xxhash.mk
index d9652ffcce2..9fa58621dbe 100644
--- a/depends/packages/native_xxhash.mk
+++ b/depends/packages/native_xxhash.mk
@@ -1,9 +1,9 @@
 package=native_xxhash
-$(package)_version=0.8.2
+$(package)_version=0.8.3
 $(package)_download_path=https://github.com/Cyan4973/xxHash/archive/refs/tags
 $(package)_download_file=v$($(package)_version).tar.gz
 $(package)_file_name=xxhash-$($(package)_version).tar.gz
-$(package)_sha256_hash=baee0c6afd4f03165de7a4e67988d16f0f2b257b51d0e3cb91909302a26a79c4
+$(package)_sha256_hash=aae608dfe8213dfd05d909a57718ef82f30722c392344583d3f39050c7f29a80
 define $(package)_build_cmds
 $(MAKE) libxxhash.a
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index 4df53318c2f..a455aeecc4f 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -53,7 +53,6 @@ native_cxxbridge 1.0.133 2025-02-01
 native_cxxbridge 1.0.134 2025-02-01
 native_cxxbridge 1.0.135 2025-02-01
 native_cxxbridge 1.0.136 2025-02-01
-native_xxhash 0.8.3 2025-02-01
 rustcxx 1.0.129 2025-02-01
 rustcxx 1.0.130 2025-02-01
 rustcxx 1.0.131 2025-02-01
From 9c0a8ad7763e0689acc1bedb70e9f5500af2baf4 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 2 Jan 2025 20:50:46 +0000
Subject: [PATCH 4/8] depends: native_cmake 3.31.3
---
 depends/packages/native_cmake.mk | 4 ++--
 qa/zcash/postponed-updates.txt | 6 ------
 2 files changed, 2 insertions(+), 8 deletions(-)
diff --git a/depends/packages/native_cmake.mk b/depends/packages/native_cmake.mk
index 84365de2e9e..6602f468aa8 100644
--- a/depends/packages/native_cmake.mk
+++ b/depends/packages/native_cmake.mk
@@ -1,8 +1,8 @@
 package=native_cmake
-$(package)_version=3.30.4
+$(package)_version=3.31.3
 $(package)_download_path=https://github.com/Kitware/CMake/releases/download/v$($(package)_version)
 $(package)_file_name=cmake-$($(package)_version).tar.gz
-$(package)_sha256_hash=c759c97274f1e7aaaafcb1f0d261f9de9bf3a5d6ecb7e2df616324a46fe704b2
+$(package)_sha256_hash=fac45bc6d410b49b3113ab866074888d6c9e9dc81a141874446eb239ac38cb87
 define $(package)_set_vars
 $(package)_config_opts += -DCMAKE_BUILD_TYPE:STRING=Release
diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt
index a455aeecc4f..14eba297ef9 100644
--- a/qa/zcash/postponed-updates.txt
+++ b/qa/zcash/postponed-updates.txt
@@ -39,12 +39,6 @@ leveldb 1.23 2025-04-15
 bdb 18.1.40 2026-03-01
 # Postponed until 6.2.0
-native_cmake 3.30.5 2025-02-01
-native_cmake 3.30.6 2025-02-01
-native_cmake 3.31.0 2025-02-01
-native_cmake 3.31.1 2025-02-01
-native_cmake 3.31.2 2025-02-01
-native_cmake 3.31.3 2025-02-01
 native_cxxbridge 1.0.129 2025-02-01
 native_cxxbridge 1.0.130 2025-02-01
 native_cxxbridge 1.0.131 2025-02-01
From 0aac0db81355765e2c061509b265cd7bf91fe033 Mon Sep 17 00:00:00 2001
From: Jack Grigg
Date: Thu, 2 Jan 2025 20:52:07 +0000
Subject: [PATCH 5/8] cargo vet prune
---
 qa/supply-chain/audits.toml | 58 ++++++++++++++++++------------------
 qa/supply-chain/config.toml | 18 +----------
 qa/supply-chain/imports.lock | 44 +++++++++++++++++++++++++++
 3 files changed, 74 insertions(+), 46 deletions(-)
diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml
index 1b1a7c9f7d4..cbb1da77523 100644
--- a/qa/supply-chain/audits.toml
+++ b/qa/supply-chain/audits.toml
@@ -3078,14 +3078,14 @@ end = "2024-09-21"
 [[trusted.incrementalmerkletree]]
 criteria = "safe-to-deploy"
-user-id = 6289 # Jack Grigg (str4d)
-start = "2021-12-17"
+user-id = 1244 # ebfull
+start = "2021-06-24"
 end = "2024-09-21"
 [[trusted.incrementalmerkletree]]
 criteria = "safe-to-deploy"
-user-id = 1244 # ebfull
-start = "2021-06-24"
+user-id = 6289 # Jack Grigg (str4d)
+start = "2021-12-17"
 end = "2024-09-21"
 [[trusted.incrementalmerkletree]]
@@ -3101,10 +3101,10 @@ start = "2024-09-25"
 end = "2025-10-02"
 [[trusted.orchard]]
-criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 6289 # Jack Grigg (str4d)
-start = "2021-01-07"
-end = "2024-09-21"
+criteria = "safe-to-deploy"
+user-id = 169181 # Kris Nuttycombe (nuttycom)
+start = "2024-08-12"
+end = "2025-10-02"
 [[trusted.orchard]]
 criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
@@ -3113,7 +3113,13 @@ start = "2022-10-19"
 end = "2024-09-21"
 [[trusted.orchard]]
-criteria = "safe-to-deploy"
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 6289 # Jack Grigg (str4d)
+start = "2021-01-07"
+end = "2024-09-21"
+
+[[trusted.sapling-crypto]]
+criteria = ["safe-to-deploy", "crypto-reviewed"]
 user-id = 169181 # Kris Nuttycombe (nuttycom)
 start = "2024-08-12"
 end = "2025-10-02"
@@ -3124,12 +3130,6 @@ user-id = 6289 # Jack Grigg (str4d)
 start = "2024-01-26"
 end = "2025-03-18"
-[[trusted.sapling-crypto]]
-criteria = ["safe-to-deploy", "crypto-reviewed"]
-user-id = 169181 # Kris Nuttycombe (nuttycom)
-start = "2024-08-12"
-end = "2025-10-02"
-
 [[trusted.windows-sys]]
 criteria = "safe-to-deploy"
 user-id = 64539 # Kenny Kerr (kennykerr)
@@ -3233,16 +3233,10 @@ start = "2023-03-22"
 end = "2024-09-21"
 [[trusted.zcash_primitives]]
-criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+criteria = "safe-to-deploy"
 user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
-end = "2024-09-21"
-
-[[trusted.zcash_primitives]]
-criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
-user-id = 1244 # ebfull
-start = "2019-10-08"
-end = "2024-09-21"
+end = "2025-10-02"
 [[trusted.zcash_primitives]]
 criteria = "safe-to-deploy"
@@ -3251,16 +3245,22 @@ start = "2024-08-20"
 end = "2025-08-26"
 [[trusted.zcash_primitives]]
-criteria = "safe-to-deploy"
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+user-id = 1244 # ebfull
+start = "2019-10-08"
+end = "2024-09-21"
+
+[[trusted.zcash_primitives]]
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
-end = "2025-10-02"
+end = "2024-09-21"
 [[trusted.zcash_proofs]]
-criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
+criteria = "safe-to-deploy"
 user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
-end = "2024-09-21"
+end = "2025-10-02"
 [[trusted.zcash_proofs]]
 criteria = "safe-to-deploy"
@@ -3269,10 +3269,10 @@ start = "2024-08-20"
 end = "2025-08-26"
 [[trusted.zcash_proofs]]
-criteria = "safe-to-deploy"
+criteria = ["safe-to-deploy", "crypto-reviewed", "license-reviewed"]
 user-id = 6289 # Jack Grigg (str4d)
 start = "2021-03-26"
-end = "2025-10-02"
+end = "2024-09-21"
 [[trusted.zcash_protocol]]
 criteria = "safe-to-deploy"
diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml
index 41aaf9eae09..cfcd5bc0cc3 100644
--- a/qa/supply-chain/config.toml
+++ b/qa/supply-chain/config.toml
@@ -2,7 +2,7 @@
 # cargo-vet config file
 [cargo-vet]
-version = "0.9"
+version = "0.10"
 [imports.bytecode-alliance]
 url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"
@@ -106,10 +106,6 @@ criteria = "safe-to-deploy"
 version = "0.9.0"
 criteria = "safe-to-deploy"
-[[exemptions.cipher]]
-version = "0.3.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.clearscreen]]
 version = "1.0.9"
 criteria = "safe-to-deploy"
@@ -474,10 +470,6 @@ criteria = "safe-to-deploy"
 version = "0.8.0"
 criteria = "safe-to-deploy"
-[[exemptions.sha2]]
-version = "0.10.8"
-criteria = "safe-to-deploy"
-
 [[exemptions.shlex]]
 version = "1.3.0"
 criteria = "safe-to-deploy"
@@ -633,11 +625,3 @@ criteria = "safe-to-deploy" [[exemptions.zerocopy-derive]] version = "0.7.35" criteria = "safe-to-deploy" - -[[exemptions.zeroize]] -version = "1.8.1" -criteria = "safe-to-deploy" - -[[exemptions.zeroize_derive]] -version = "1.3.2" -criteria = "safe-to-deploy" diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index efc9dcdc94a..484bc1f876d 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -292,6 +292,12 @@ criteria = "safe-to-deploy" version = "1.0.0" notes = "I am the author of this crate." +[[audits.bytecode-alliance.audits.cipher]] +who = "Andrew Brown " +criteria = "safe-to-deploy" +version = "0.4.4" +notes = "Most unsafe is hidden by `inout` dependency; only remaining unsafe is raw-splitting a slice and an unreachable hint. Older versions of this regularly reach ~150k daily downloads." + [[audits.bytecode-alliance.audits.constant_time_eq]] who = "Nick Fitzgerald " criteria = "safe-to-deploy" @@ -1228,6 +1234,11 @@ who = "Ameer Ghani " criteria = "safe-to-deploy" version = "1.12.1" +[[audits.isrg.audits.sha2]] +who = "David Cook " +criteria = "safe-to-deploy" +version = "0.10.2" + [[audits.isrg.audits.thiserror]] who = "Brandon Pitman " criteria = "safe-to-deploy" 
@@ -1562,6 +1573,23 @@ criteria = "safe-to-deploy" delta = "0.6.27 -> 0.6.28" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.sha2]] +who = "Mike Hommey " +criteria = "safe-to-deploy" +delta = "0.10.2 -> 0.10.6" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.sha2]] +who = "Jeff Muizelaar " +criteria = "safe-to-deploy" +delta = "0.10.6 -> 0.10.8" +notes = """ +The bulk of this is https://github.com/RustCrypto/hashes/pull/490 which adds aarch64 support along with another PR adding longson. +I didn't check the implementation thoroughly but there wasn't anything obviously nefarious. 0.10.8 has been out for more than a year +which suggests no one else has found anything either. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.mozilla.audits.socket2]] who = "Kershaw Chang " criteria = "safe-to-deploy" @@ -1609,6 +1637,22 @@ criteria = "safe-to-deploy" delta = "1.15.0 -> 1.16.0" aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" +[[audits.mozilla.audits.zeroize]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.8.1" +notes = """ +This code DOES contain unsafe code required to internally call volatiles +for deleting data. This is expected and documented behavior. +""" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + +[[audits.mozilla.audits.zeroize_derive]] +who = "Benjamin Beurdouche " +criteria = "safe-to-deploy" +version = "1.4.2" +aggregated-from = "https://hg.mozilla.org/mozilla-central/raw-file/tip/supply-chain/audits.toml" + [[audits.zcash.audits.autocfg]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" From d21cb5409fbdb269168a172bb679aff0d78ba473 Mon Sep 17 00:00:00 2001 
From: Jack Grigg Date: Thu, 2 Jan 2025 21:31:37 +0000 Subject: [PATCH 6/8] depends: cxx 1.0.136 --- Cargo.lock | 112 +++++++++++++++- Cargo.toml | 2 +- contrib/debian/copyright | 23 ++++ deny.toml | 1 + depends/packages/native_cxxbridge.mk | 6 +- depends/patches/native_cxxbridge/Cargo.lock | 135 ++++++++++---------- qa/supply-chain/audits.toml | 31 +++++ qa/supply-chain/imports.lock | 96 ++++++++++++++ qa/zcash/postponed-updates.txt | 18 --- 9 files changed, 330 insertions(+), 94 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 605b9360aba..4c25233419e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -65,6 +65,12 @@ version = "0.2.18" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5c6cb57a04249c6480766f7f7cef5467412af1490f8d1e243141daddada3264f" +[[package]] +name = "anstyle" +version = "1.0.10" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" + [[package]] name = "anyhow" version = "1.0.89" @@ -358,6 +364,32 @@ dependencies = [ "zeroize", ] +[[package]] +name = "clap" +version = "4.5.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84" +dependencies = [ + "clap_builder", +] + +[[package]] +name = "clap_builder" +version = "4.5.23" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838" +dependencies = [ + "anstyle", + "clap_lex", + "strsim", +] + +[[package]] +name = "clap_lex" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" + [[package]] name = "clearscreen" version = "3.0.0" 
@@ -371,6 +403,16 @@ dependencies = [ "winapi", ] +[[package]] +name = "codespan-reporting" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3538270d33cc669650c4b093848450d380def10c331d38c768e34cac80576e6e" +dependencies = [ + "termcolor", + "unicode-width", +] + [[package]] name = "const-oid" version = "0.9.6" @@ -471,30 +513,46 @@ dependencies = [ [[package]] name = "cxx" -version = "1.0.128" +version = "1.0.136" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "54ccead7d199d584d139148b04b4a368d1ec7556a1d9ea2548febb1b9d49f9a4" +checksum = "ad7c7515609502d316ab9a24f67dc045132d93bfd3f00713389e90d9898bf30d" dependencies = [ "cc", + "cxxbridge-cmd", "cxxbridge-flags", "cxxbridge-macro", + "foldhash", "link-cplusplus", ] +[[package]] +name = "cxxbridge-cmd" +version = "1.0.136" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c33fd49f5d956a1b7ee5f7a9768d58580c6752838d92e39d0d56439efdedc35" +dependencies = [ + "clap", + "codespan-reporting", + "proc-macro2", + "quote", + "syn 2.0.75", +] + [[package]] name = "cxxbridge-flags" -version = "1.0.128" +version = "1.0.136" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "65777e06cc48f0cb0152024c77d6cf9e4bdb4408e7b48bea993d42fa0f5b02b6" +checksum = "be0f1077278fac36299cce8446effd19fe93a95eedb10d39265f3bf67b3036c9" [[package]] name = "cxxbridge-macro" -version = "1.0.128" +version = "1.0.136" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "98532a60dedaebc4848cb2cba5023337cc9ea3af16a5b062633fabfd9f18fb60" +checksum = "3da7e4d6e74af6b79031d264b2f13c3ea70af1978083741c41ffce9308f1f24f" dependencies = [ "proc-macro2", "quote", + "rustversion", "syn 2.0.75", ] 
@@ -657,6 +715,12 @@ version = "1.0.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" +[[package]] +name = "foldhash" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f" + [[package]] name = "fpe" version = "0.6.1" @@ -1794,6 +1858,12 @@ dependencies = [ "windows-sys 0.52.0", ] +[[package]] +name = "rustversion" +version = "1.0.19" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f7c45b9784283f1b2e7fb61b42047c2fd678ef0960d4f6f1eba131594cc369d4" + [[package]] name = "rusty-fork" version = "0.3.0" @@ -1971,6 +2041,12 @@ version = "1.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "a2eb9349b6444b326872e140eb1cf5e7c522154d69e7a0ffb0fb81c06b37543f" +[[package]] +name = "strsim" +version = "0.11.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" + [[package]] name = "subtle" version = "2.4.1" @@ -2018,6 +2094,15 @@ dependencies = [ "windows-sys 0.59.0", ] +[[package]] +name = "termcolor" +version = "1.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "06794f8f6c5c898b3275aebefa6b8a1cb24cd2c6c79397ab15774837a0bc5755" +dependencies = [ + "winapi-util", +] + [[package]] name = "terminfo" version = "0.8.0" @@ -2233,6 +2318,12 @@ dependencies = [ "tinyvec", ] +[[package]] +name = "unicode-width" +version = "0.1.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "7dd6e30e90baa6f72411720665d41d89b9a3d039dc45b8faea1ddd07f617f6af" + [[package]] name = "universal-hash" version = "0.5.1" 
@@ -2433,6 +2524,15 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" +[[package]] +name = "winapi-util" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" +dependencies = [ + "windows-sys 0.59.0", +] + [[package]] name = "winapi-x86_64-pc-windows-gnu" version = "0.4.0" diff --git a/Cargo.toml b/Cargo.toml index a6ca7f7ef17..e04dccadfee 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -72,7 +72,7 @@ wagyu-zcash-parameters = "0.2" # Rust/C++ interop # The version needs to match depends/packages/native_cxxbridge.mk -cxx = { version = "=1.0.128", features = ["c++17"] } +cxx = { version = "=1.0.136", features = ["c++17"] } # Rust threading rayon = "1.5" diff --git a/contrib/debian/copyright b/contrib/debian/copyright index 5876b95072e..5dd0c914855 100644 --- a/contrib/debian/copyright +++ b/contrib/debian/copyright @@ -190,6 +190,10 @@ Copyright: 2016-2021 isis agora lovecruft 2012 The Go Authors License: BSD-3-clause and BSD-3-clause-Google +Files: depends/*/vendored-sources/foldhash/* +Copyright: 2024 Orson Peters +License: Zlib + Files: depends/*/vendored-sources/instant/* Copyright: 2019 Sébastien Crozet License: BSD-3-clause 
@@ -2078,3 +2082,22 @@ License: Unicode-DFS-2016 shall not be used in advertising or otherwise to promote the sale, use or other dealings in these Data Files or Software without prior written authorization of the copyright holder. + +License: Zlib + This software is provided 'as-is', without any express or implied warranty. In + no event will the authors be held liable for any damages arising from the use of + this software. + . + Permission is granted to anyone to use this software for any purpose, including + commercial applications, and to alter it and redistribute it freely, subject to + the following restrictions: + . + 1. The origin of this software must not be misrepresented; you must not claim + that you wrote the original software. If you use this software in a product, + an acknowledgment in the product documentation would be appreciated but is + not required. + . + 2. Altered source versions must be plainly marked as such, and must not be + misrepresented as being the original software. + . + 3. This notice may not be removed or altered from any source distribution. diff --git a/deny.toml b/deny.toml index d79f3ab35e3..7aa14995c66 100644 --- a/deny.toml +++ b/deny.toml @@ -25,6 +25,7 @@ allow = [ exceptions = [ { name = "arrayref", allow = ["BSD-2-Clause"] }, { name = "curve25519-dalek", allow = ["BSD-3-Clause"] }, + { name = "foldhash", allow = ["Zlib"] }, { name = "secp256k1", allow = ["CC0-1.0"] }, { name = "secp256k1-sys", allow = ["CC0-1.0"] }, { name = "subtle", allow = ["BSD-3-Clause"] }, diff --git a/depends/packages/native_cxxbridge.mk b/depends/packages/native_cxxbridge.mk index 35b609089ec..606f026ae22 100644 --- a/depends/packages/native_cxxbridge.mk +++ b/depends/packages/native_cxxbridge.mk 
@@ -1,14 +1,14 @@ package=native_cxxbridge # The version needs to match cxx in Cargo.toml -$(package)_version=1.0.128 +$(package)_version=1.0.136 $(package)_download_path=https://github.com/dtolnay/cxx/archive/refs/tags $(package)_file_name=native_cxxbridge-$($(package)_version).tar.gz $(package)_download_file=$($(package)_version).tar.gz -$(package)_sha256_hash=7aa61d128d75cbfb4713e0c0803efb4da6c88180327f9e2f095641b55a5d0e06 +$(package)_sha256_hash=a77e43f1e4f5bb6aba2e9a77ac928e63799d237cde6fe1aa2c26d3cc57c8ae74 $(package)_build_subdir=gen/cmd $(package)_dependencies=native_rust # This file is somewhat annoying to update, but can be done like so from the repo base: -# $ export VERSION=1.0.128 +# $ export VERSION=1.0.136 # $ rm .cargo/config.toml .cargo/.configured-for-offline # $ mkdir tmp # $ cd tmp diff --git a/depends/patches/native_cxxbridge/Cargo.lock b/depends/patches/native_cxxbridge/Cargo.lock index 5dfd4efa328..f18829a0b30 100644 --- a/depends/patches/native_cxxbridge/Cargo.lock +++ b/depends/patches/native_cxxbridge/Cargo.lock @@ -10,15 +10,15 @@ checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" [[package]] name = "anstyle" -version = "1.0.8" +version = "1.0.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1" +checksum = "55cc3b69f167a1ef2e161439aa98aed94e6028e5f9a59be9a6ffb47aef1651f9" [[package]] name = "cc" -version = "1.1.21" +version = "1.2.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "07b1695e2c7e8fc85310cde85aeaab7e3097f593c91d209d3f9df76c928100f0" +checksum = "8d6dbb628b8f8555f86d0323c2eb39e3ec81901f4b83e091db8a6a76d316a333" dependencies = [ "jobserver", "libc", 
@@ -33,28 +33,28 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "clang-ast" -version = "0.1.26" +version = "0.1.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "577457f7ace079a595017e4307c6e480902664ede6e4a0760747c4f498b7c996" +checksum = "4c01fb720699b43fbf9db04dbb8d2b5d037f38938e6b8153863db7532b24a86c" dependencies = [ - "rustc-hash", + "foldhash", "serde", ] [[package]] name = "clap" -version = "4.5.18" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b0956a43b323ac1afaffc053ed5c4b7c1f1800bacd1683c353aabbb752515dd3" +checksum = "3135e7ec2ef7b10c6ed8950f0f792ed96ee093fa088608f1c76e569722700c84" dependencies = [ "clap_builder", ] [[package]] name = "clap_builder" -version = "4.5.18" +version = "4.5.23" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4d72166dd41634086d5803a47eb71ae740e61d84709c36f3c34110173db3961b" +checksum = "30582fc632330df2bd26877bde0c1f4470d57c582bbc070376afcd04d8cb4838" dependencies = [ "anstyle", "clap_lex", @@ -63,9 +63,9 @@ dependencies = [ [[package]] name = "clap_lex" -version = "0.7.2" +version = "0.7.4" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1462739cb27611015575c0c11df5df7601141071f07518d56fcc1be504cbec97" +checksum = "f46ad14479a25103f283c0f10005961cf086d8dc42205bb44c46ac563475dca6" [[package]] name = "codespan-reporting" @@ -88,14 +88,16 @@ dependencies = [ [[package]] name = "cxx" -version = "1.0.128" +version = "1.0.136" dependencies = [ "cc", "cxx-build", "cxx-gen", "cxx-test-suite", + "cxxbridge-cmd", "cxxbridge-flags", "cxxbridge-macro", + "foldhash", "link-cplusplus", "rustversion", "trybuild", @@ -103,13 +105,12 @@ dependencies = [ [[package]] name = "cxx-build" -version = "1.0.128" +version = "1.0.136" dependencies = [ "cc", "codespan-reporting", "cxx", "cxx-gen", - "once_cell", "pkg-config", "proc-macro2", "quote", 
@@ -119,7 +120,7 @@ dependencies = [ [[package]] name = "cxx-gen" -version = "0.7.128" +version = "0.7.136" dependencies = [ "codespan-reporting", "proc-macro2", @@ -138,7 +139,7 @@ dependencies = [ [[package]] name = "cxxbridge-cmd" -version = "1.0.128" +version = "1.0.136" dependencies = [ "clap", "codespan-reporting", @@ -149,11 +150,11 @@ dependencies = [ [[package]] name = "cxxbridge-flags" -version = "1.0.128" +version = "1.0.136" [[package]] name = "cxxbridge-macro" -version = "1.0.128" +version = "1.0.136" dependencies = [ "clang-ast", "cxx", @@ -161,6 +162,7 @@ dependencies = [ "memmap", "proc-macro2", "quote", + "rustversion", "serde", "serde_derive", "serde_json", 
@@ -189,31 +191,37 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "flate2" -version = "1.0.33" +version = "1.0.35" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "324a1be68054ef05ad64b861cc9eaf1d623d2d8cb25b4bf2cb9cdd902b4bf253" +checksum = "c936bfdafb507ebbf50b8074c54fa31c5be9a1e7e5f467dd659697041407d07c" dependencies = [ "crc32fast", "miniz_oxide", ] +[[package]] +name = "foldhash" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0d2fde1f7b3d48b8395d5f2de76c18a528bd6a9cdde438df747bfcba3e05d6f" + [[package]] name = "glob" -version = "0.3.1" +version = "0.3.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d2fabcfbdc87f4758337ca535fb41a6d701b65693ce38287d856d1674551ec9b" +checksum = "a8d1add55171497b4705a648c6b583acafb01d58050a51727785f0b2c8e0a2b2" [[package]] name = "hashbrown" -version = "0.14.5" +version = "0.15.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e5274423e17b7c9fc20b6e7e208532f9b19825d82dfd615708b70edd83df41f1" +checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" [[package]] name = "indexmap" -version = "2.5.0" +version = "2.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "68b900aa2f7301e21c36462b170ee99994de34dff39a4a6a528e80e7376d07e5" +checksum = "62f822373a4fe84d4bb149bf54e584a7f4abec90e072ed49cda0edea5b95471f" dependencies = [ "equivalent", "hashbrown", @@ -221,9 +229,9 @@ dependencies = [ [[package]] name = "itoa" -version = "1.0.11" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "jobserver" 
@@ -236,9 +244,9 @@ dependencies = [ [[package]] name = "libc" -version = "0.2.159" +version = "0.2.169" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "561d97a539a36e26a9a5fad1ea11a3039a67714694aaa379433e580854bc3dc5" +checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a" [[package]] name = "link-cplusplus" @@ -267,19 +275,13 @@ dependencies = [ [[package]] name = "miniz_oxide" -version = "0.8.0" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" +checksum = "4ffbe83022cedc1d264172192511ae958937694cd57ce297164951b8b3568394" dependencies = [ "adler2", ] -[[package]] -name = "once_cell" -version = "1.19.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" - [[package]] name = "pkg-config" version = "0.3.31" 
@@ -288,33 +290,27 @@ checksum = "953ec861398dccce10c670dfeaf3ec4911ca479e9c02154b3a215178c5f566f2" [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" dependencies = [ "unicode-ident", ] [[package]] name = "quote" -version = "1.0.37" +version = "1.0.38" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" +checksum = "0e4dccaaaf89514f546c693ddc140f729f958c247918a13380cccc6078391acc" dependencies = [ "proc-macro2", ] -[[package]] -name = "rustc-hash" -version = "2.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "583034fd73374156e66797ed8e5b0d5690409c9226b22d87cb7f19821c05d152" - [[package]] name = "rustversion" -version = "1.0.17" +version = "1.0.19" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "955d28af4278de8121b7ebeb796b6a45735dc01436d898801014aced2773a3d6" +checksum = "f7c45b9784283f1b2e7fb61b42047c2fd678ef0960d4f6f1eba131594cc369d4" [[package]] name = "ryu" 
@@ -330,18 +326,18 @@ checksum = "a3cf7c11c38cb994f3d40e8a8cde3bbd1f72a435e4c49e85d6553d8312306152" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.217" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.217" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0" dependencies = [ "proc-macro2", "quote", @@ -350,9 +346,9 @@ dependencies = [ [[package]] name = "serde_json" -version = "1.0.128" +version = "1.0.134" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ff5456707a1de34e7e37f2a6fd3d3f808c318259cbd01ab6377795054b483d8" +checksum = "d00f4175c42ee48b15416f6193a959ba3a0d67fc699a0db9ad12df9f83991c7d" dependencies = [ "itoa", "memchr", @@ -383,15 +379,21 @@ checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f" [[package]] name = "syn" -version = "2.0.77" +version = "2.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9f35bcdf61fd8e7be6caf75f429fdca8beb3ed76584befb503b1569faee373ed" +checksum = "987bc0be1cdea8b10216bd06e2ca407d40b9543468fafd3ddfb02f36e77f71f3" dependencies = [ "proc-macro2", "quote", "unicode-ident", ] +[[package]] +name = "target-triple" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "42a4d50cdb458045afc8131fd91b64904da29548bcb63c7236e0844936c13078" + [[package]] name = "termcolor" version = "1.4.1" 
@@ -437,24 +439,25 @@ dependencies = [ [[package]] name = "trybuild" -version = "1.0.99" +version = "1.0.101" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "207aa50d36c4be8d8c6ea829478be44a372c6a77669937bb39c698e52f1491e8" +checksum = "8dcd332a5496c026f1e14b7f3d2b7bd98e509660c04239c58b0ba38a12daded4" dependencies = [ "dissimilar", "glob", "serde", "serde_derive", "serde_json", + "target-triple", "termcolor", "toml", ] [[package]] name = "unicode-ident" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" +checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" [[package]] name = "unicode-width" @@ -568,9 +571,9 @@ checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" [[package]] name = "winnow" -version = "0.6.20" +version = "0.6.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "36c1fec1a2bb5866f07c25f68c26e565c4c200aebb96d7e55710c19d3e8ac49b" +checksum = "e6f5bb5257f2407a5425c6e749bfd9692192a73e70a6060516ac04f889087d68" dependencies = [ "memchr", ] diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml index cbb1da77523..715a3b112f1 100644 --- a/qa/supply-chain/audits.toml +++ b/qa/supply-chain/audits.toml @@ -712,6 +712,18 @@ notes = """ used as the ZST `SyncUnsafeCell>` to fix an LLVM miscompilation. """ +[[audits.cxx]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.128 -> 1.0.136" +notes = """ +- Change to build script is to raise MSRV. +- Changes to `unsafe` blocks are a refactor to expose pointers from `UniquePtr`. + The existing usages are effectively unaltered. +- The hasher is changed from SipHash-1-3 to foldhash-q. This means the hasher is + faster, but no longer resistant to HashDoS. +""" + [[audits.cxxbridge-flags]] who = "Daira Hopwood " criteria = "safe-to-deploy" 
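Review bot: The new `[[audits.cxx]]` entry for `1.0.128 -> 1.0.136` records that the hasher is "no longer resistant to HashDoS" yet certifies the delta as `safe-to-deploy` without saying why that loss is acceptable. The notes should state where the cxx hasher is reachable in this codebase, in particular whether any hash-keyed container can end up keyed by peer- or RPC-supplied data, so a later reader can tell the property was assessed rather than waived. If it is true, append a bullet such as `- No hash-keyed container fed by untrusted input goes through this hasher (checked: <call sites reviewed>).` If it is not true, the delta needs a follow-up issue rather than a note.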
@@ -778,6 +790,11 @@ who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.121 -> 1.0.122" +[[audits.cxxbridge-flags]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.135 -> 1.0.136" + [[audits.cxxbridge-macro]] who = "Daira Hopwood " criteria = "safe-to-deploy" @@ -873,6 +890,15 @@ who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.126 -> 1.0.128" +[[audits.cxxbridge-macro]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.128 -> 1.0.136" +notes = """ +Changes to generated `unsafe` code are to add the new `unsafe` annotations added +in Rust 1.82 to the `extern` blocks. +""" + [[audits.der]] who = "Daira-Emma Hopwood " criteria = "safe-to-deploy" @@ -2172,6 +2198,11 @@ criteria = "safe-to-deploy" delta = "0.38.28 -> 0.38.32" notes = "Cursory review." +[[audits.rustversion]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.18 -> 1.0.19" + [[audits.ryu]] who = "Jack Grigg " criteria = "safe-to-deploy" diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index 484bc1f876d..76167804d3f 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -326,6 +326,15 @@ criteria = "safe-to-deploy" delta = "0.3.0 -> 0.3.1" notes = "Just a dependency version bump and a bug fix for redox" +[[audits.bytecode-alliance.audits.foldhash]] +who = "Alex Crichton " +criteria = "safe-to-deploy" +version = "0.1.3" +notes = """ +Only a minor amount of `unsafe` code in this crate related to global per-process +initialization which looks correct to me. +""" + [[audits.bytecode-alliance.audits.futures-channel]] who = "Pat Hickey " criteria = "safe-to-deploy" 
@@ -655,6 +664,32 @@ criteria = "safe-to-deploy" delta = "1.0.126 -> 1.0.128" aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.cxxbridge-flags]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.128 -> 1.0.129" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.cxxbridge-flags]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.129 -> 1.0.130" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.cxxbridge-flags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.130 -> 1.0.131" +notes = "no grep hits for cipher, crypto, fs, net, or unsafe" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.cxxbridge-flags]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.131 -> 1.0.135" +notes = "No code changes in the delta" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.fastrand]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -665,6 +700,13 @@ that the RNG here is not cryptographically secure. """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.foldhash]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "0.1.3 -> 0.1.4" +notes = "No changes to safety-relevant code" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.httpdate]] who = "George Burgess IV " criteria = "safe-to-deploy" 
@@ -843,6 +885,60 @@ The delta just 1) inlines/expands `impl ToTokens` that used to be handled via """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.rustversion]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.14" +notes = """ +Grepped for `-i cipher`, `-i crypto`, `'\bfs\b'``, `'\bnet\b'``, `'\bunsafe\b'`` +and there were no hits except for: + +* Using trivially-safe `unsafe` in test code: + + ``` + tests/test_const.rs:unsafe fn _unsafe() {} + tests/test_const.rs:const _UNSAFE: () = unsafe { _unsafe() }; + ``` + +* Using `unsafe` in a string: + + ``` + src/constfn.rs: \"unsafe\" => Qualifiers::Unsafe, + ``` + +* Using `std::fs` in `build/build.rs` to write `${OUT_DIR}/version.expr` + which is later read back via `include!` used in `src/lib.rs`. + +Version `1.0.6` of this crate has been added to Chromium in +https://source.chromium.org/chromium/chromium/src/+/28841c33c77833cc30b286f9ae24c97e7a8f4057 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.14 -> 1.0.15" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.15 -> 1.0.16" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Dustin J. 
Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.16 -> 1.0.17" +notes = "Just updates windows compat" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.rustversion]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.17 -> 1.0.18" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.serde]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" diff --git a/qa/zcash/postponed-updates.txt b/qa/zcash/postponed-updates.txt index 14eba297ef9..ea4c9363eeb 100644 --- a/qa/zcash/postponed-updates.txt +++ b/qa/zcash/postponed-updates.txt @@ -37,21 +37,3 @@ leveldb 1.23 2025-04-15 # We're never updating to this version bdb 18.1.40 2026-03-01 - -# Postponed until 6.2.0 -native_cxxbridge 1.0.129 2025-02-01 -native_cxxbridge 1.0.130 2025-02-01 -native_cxxbridge 1.0.131 2025-02-01 -native_cxxbridge 1.0.132 2025-02-01 -native_cxxbridge 1.0.133 2025-02-01 -native_cxxbridge 1.0.134 2025-02-01 -native_cxxbridge 1.0.135 2025-02-01 -native_cxxbridge 1.0.136 2025-02-01 -rustcxx 1.0.129 2025-02-01 -rustcxx 1.0.130 2025-02-01 -rustcxx 1.0.131 2025-02-01 -rustcxx 1.0.132 2025-02-01 -rustcxx 1.0.133 2025-02-01 -rustcxx 1.0.134 2025-02-01 -rustcxx 1.0.135 2025-02-01 -rustcxx 1.0.136 2025-02-01 From 907a477c7ff77aaa7f543bb890fd1062ea76df9b Mon Sep 17 00:00:00 2001 From: Jack Grigg Date: Thu, 2 Jan 2025 22:05:49 +0000 Subject: [PATCH 7/8] cargo update --- Cargo.lock | 193 +++++++++++++++++----------- contrib/debian/copyright | 83 ++++++------ deny.toml | 2 +- qa/supply-chain/audits.toml | 61 ++++++++- qa/supply-chain/config.toml | 12 +- qa/supply-chain/imports.lock | 242 ++++++++++++++++++++++++++++++----- 6 files changed, 432 insertions(+), 161 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 4c25233419e..4cbe647926b 100644 
--- a/Cargo.lock +++ b/Cargo.lock @@ -124,9 +124,9 @@ checksum = "8a32fd6af2b5827bce66c29053ba0e7c42b9dcab01835835058558c10851a46b" [[package]] name = "bech32" -version = "0.9.1" +version = "0.11.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d86b93f97252c47b41663388e6d155714a9d0c398b99f1005cbc5f978b29f445" +checksum = "d965446196e3b7decd44aa7ee49e31d630118f90ef12f97900f262eb915c951d" [[package]] name = "bellman" @@ -181,18 +181,18 @@ dependencies = [ [[package]] name = "bit-set" -version = "0.5.3" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0700ddab506f33b20a03b13996eccd309a48e5ff77d0d95926aa0210fb4e95f1" +checksum = "08807e080ed7f9d5433fa9b275196cfc35414f66a0c79d864dc51a0d825231a3" dependencies = [ "bit-vec", ] [[package]] name = "bit-vec" -version = "0.6.3" +version = "0.8.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "349f9b6a179ed607305526ca489b34ad0a41aed5f7980fa90eb03160b69598fb" +checksum = "5e764a1d40d510daf35e07be9eb06e75770908c27d411ee6c92109c9840eaaf7" [[package]] name = "bitflags" @@ -425,6 +425,15 @@ version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6" +[[package]] +name = "core2" +version = "0.3.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "239fa3ae9b63c2dc74bd3fa852d4792b8b305ae64eeede946265b6af62f1fff3" +dependencies = [ + "memchr", +] + [[package]] name = "cpufeatures" version = "0.2.14" 
@@ -436,18 +445,18 @@ dependencies = [ [[package]] name = "crossbeam-channel" -version = "0.5.13" +version = "0.5.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "33480d6946193aa8033910124896ca395333cae7e2d1113d1fef6c3272217df2" +checksum = "06ba6d68e24814cb8de6bb986db8222d3a027d15872cabc0d18817bc3c0e4471" dependencies = [ "crossbeam-utils", ] [[package]] name = "crossbeam-deque" -version = "0.8.5" +version = "0.8.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "613f8cc01fe9cf1a3eb3d7f488fd2fa8388403e97039e2f73692932e291a770d" +checksum = "9dd111b7b7f7d55b72c0a6ae361660ee5853c9af73f70c3c2ef6858b950e2e51" dependencies = [ "crossbeam-epoch", "crossbeam-utils", @@ -464,9 +473,9 @@ dependencies = [ [[package]] name = "crossbeam-utils" -version = "0.8.20" +version = "0.8.21" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80" +checksum = "d0a5c400df2834b80a4c3327b3aad3a4c4cd4de0629063962b03235697506a28" [[package]] name = "crunchy" @@ -508,7 +517,7 @@ checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -535,7 +544,7 @@ dependencies = [ "codespan-reporting", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -553,7 +562,7 @@ dependencies = [ "proc-macro2", "quote", "rustversion", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -670,9 +679,9 @@ dependencies = [ [[package]] name = "f4jumble" -version = "0.1.0" +version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0a83e8d7fd0c526af4aad893b7c9fe41e2699ed8a776a6c74aecdeafe05afc75" +checksum = "0d42773cb15447644d170be20231a3268600e0c4cea8987d013b93ac973d3cf7" dependencies = [ "blake2b_simd", ] 
@@ -743,30 +752,30 @@ checksum = "e6d5a32815ae3f33302d95fdcb2ce17862f8c65363dcfd29360480ba1001fc9c" [[package]] name = "futures-channel" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "eac8f7d7865dcb88bd4373ab671c8cf4508703796caa2b1985a9ca867b3fcb78" +checksum = "2dff15bf788c671c1934e366d07e30c1814a8ef514e1af724a602e8a2fbe1b10" dependencies = [ "futures-core", ] [[package]] name = "futures-core" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dfc6580bb841c5a68e9ef15c77ccc837b40a7504914d52e47b8b0e9bbda25a1d" +checksum = "05f29059c0c2090612e8d742178b0580d2dc940c837851ad723096f87af6663e" [[package]] name = "futures-task" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "38d84fa142264698cdce1a9f9172cf383a0c82de1bddcf3092901442c4097004" +checksum = "f90f7dce0722e95104fcb095585910c0977252f286e354b5e3bd38902cd99988" [[package]] name = "futures-util" -version = "0.3.30" +version = "0.3.31" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6401deb83407ab3da39eba7e33987a73c3df0c82b4bb5813ee871c19c41d48" +checksum = "9fa08315bb612088cc391249efdc3bc77536f16c91f6cf495e6fbe85b20a4a81" dependencies = [ "futures-core", "futures-task", @@ -835,18 +844,20 @@ dependencies = [ [[package]] name = "halo2_gadgets" -version = "0.3.0" +version = "0.3.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "126a150072b0c38c7b573fe3eaf0af944a7fed09e154071bf2436d3f016f7230" +checksum = "73a5e510d58a07d8ed238a5a8a436fe6c2c79e1bb2611f62688bc65007b4e6e7" dependencies = [ "arrayvec", "bitvec", "ff", "group", + "halo2_poseidon", "halo2_proofs", "lazy_static", "pasta_curves", "rand", + "sinsemilla", "subtle", "uint", ] 
@@ -857,6 +868,18 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "47716fe1ae67969c5e0b2ef826f32db8c3be72be325e1aa3c1951d06b5575ec5" +[[package]] +name = "halo2_poseidon" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fa3da60b81f02f9b33ebc6252d766f843291fb4d2247a07ae73d20b791fc56f" +dependencies = [ + "bitvec", + "ff", + "group", + "pasta_curves", +] + [[package]] name = "halo2_proofs" version = "0.3.0" @@ -987,9 +1010,9 @@ dependencies = [ [[package]] name = "incrementalmerkletree" -version = "0.7.0" +version = "0.7.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d45063fbc4b0a37837f6bfe0445f269d13d730ad0aa3b5a7f74aa7bf27a0f4df" +checksum = "216c71634ac6f6ed13c2102d64354c0a04dcbdc30e31692c5972d3974d8b6d97" dependencies = [ "either", "proptest", @@ -999,9 +1022,9 @@ dependencies = [ [[package]] name = "incrementalmerkletree-testing" -version = "0.1.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6959842a2ad15e423a7c39b77555039efdccf50a1a43cce43827fc2f881c27d2" +checksum = "dc7fb094e413bc6daea7b30a6f2c749e47fd07e98691c6ef3b3423d4ef4b7fb6" dependencies = [ "incrementalmerkletree", "proptest", @@ -1028,15 +1051,15 @@ dependencies = [ [[package]] name = "ipnet" -version = "2.10.0" +version = "2.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "187674a687eed5fe42285b40c6291f9a01517d415fad1c3cbc6a9f778af7fcd4" +checksum = "ddc24109865250148c2e0f3d25d4f0f479571723792d3802153c60922a4fb708" [[package]] name = "itoa" -version = "1.0.11" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" +checksum = "d75a2a4b1b190afb6f5425f10f6a8f959d2ea0b9c2b1d79553551850539e4674" [[package]] name = "js-sys" 
@@ -1222,9 +1245,9 @@ checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" [[package]] name = "memuse" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2145869435ace5ea6ea3d35f59be559317ec9a0d04e1812d5f185a87b6d36f1a" +checksum = "3d97bbf43eb4f088f8ca469930cde17fa036207c9a5e02ccc5107c4e8b17c964" dependencies = [ "nonempty", ] @@ -1266,7 +1289,7 @@ checksum = "38b4faf00617defe497754acde3024865bc143d44a86799b24e191ecff91354f" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -1293,9 +1316,9 @@ checksum = "68354c5c6bd36d73ff3feceb05efa59b6acb7626617f4962be322a825e61f79a" [[package]] name = "miniz_oxide" -version = "0.8.0" +version = "0.8.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e2d80299ef12ff69b16a84bb182e3b9df68b5a91574d3d4fa6e41b65deec4df1" +checksum = "4ffbe83022cedc1d264172192511ae958937694cd57ce297164951b8b3568394" dependencies = [ "adler2", ] @@ -1382,7 +1405,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "071dfc062690e90b734c0b2273ce72ad0ffa95f0c74596bc250dcfd960262841" dependencies = [ "autocfg", - "libm", ] [[package]] @@ -1406,9 +1428,9 @@ dependencies = [ [[package]] name = "once_cell" -version = "1.19.0" +version = "1.20.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92" +checksum = "1261fe7e33c73b354eab43b1273a57c8f967d0391e80353e51f764ac02cf6775" [[package]] name = "opaque-debug" 
@@ -1603,18 +1625,18 @@ dependencies = [ [[package]] name = "proc-macro2" -version = "1.0.86" +version = "1.0.92" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77" +checksum = "37d3544b3f2748c54e147655edb5025752e2303145b5aefb3c3ea2c78b973bb0" dependencies = [ "unicode-ident", ] [[package]] name = "proptest" -version = "1.5.0" +version = "1.6.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4c2511913b88df1637da85cc8d96ec8e43a3f8bb8ccb71ee1ac240d6f3df58d" +checksum = "14cae93065090804185d3b75f0bf93b8eeda30c7a9b4a33d3bdb3988d6229e50" dependencies = [ "bit-set", "bit-vec", @@ -1944,22 +1966,22 @@ checksum = "61697e0a1c7e512e84a621326239844a24d8207b4669b41bc18b32ea5cbf988b" [[package]] name = "serde" -version = "1.0.210" +version = "1.0.217" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8e3592472072e6e22e0a54d5904d9febf8508f65fb8552499a1abc7d1078c3a" +checksum = "02fc4265df13d6fa1d00ecff087228cc0a2b5f3c0e87e258d8b94a156e984c70" dependencies = [ "serde_derive", ] [[package]] name = "serde_derive" -version = "1.0.210" +version = "1.0.217" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "243902eda00fad750862fc144cea25caca5e20d615af0a81bee94ca738f1df1f" +checksum = "5a9bf7cf98d04a2b28aead066b7496853d4779c9cc183c440dbac457641e19a0" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -1997,6 +2019,17 @@ dependencies = [ "rand_core", ] +[[package]] +name = "sinsemilla" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3d268ae0ea06faafe1662e9967cd4f9022014f5eeb798e0c302c876df8b7af9c" +dependencies = [ + "group", + "pasta_curves", + "subtle", +] + [[package]] name = "siphasher" version = "0.3.11" 
@@ -2066,9 +2099,9 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.75" +version = "2.0.94" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f6af063034fc1935ede7be0122941bafa9bacb949334d090b77ca98b5817c7d9" +checksum = "987bc0be1cdea8b10216bd06e2ca407d40b9543468fafd3ddfb02f36e77f71f3" dependencies = [ "proc-macro2", "quote", @@ -2133,7 +2166,7 @@ checksum = "08904e7672f5eb876eaaf87e0ce17857500934f4981c4a0ab2b4aa98baac7fc3" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -2179,9 +2212,9 @@ dependencies = [ [[package]] name = "tinyvec" -version = "1.8.0" +version = "1.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938" +checksum = "022db8904dfa342efe721985167e9fcd16c29b226db4397ed752a761cfce81e8" dependencies = [ "tinyvec_macros", ] @@ -2243,7 +2276,7 @@ checksum = "34704c8d6ebcbc939824180af020566b01a7c01f80641264eba0999f6c2b6be7" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -2305,9 +2338,9 @@ checksum = "eaea85b334db583fe3274d12b4cd1880032beab409c0d774be044d4480ab9a94" [[package]] name = "unicode-ident" -version = "1.0.13" +version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e91b56cd4cadaeb79bbf1a5645f6b4f8dc5bde8834ad5894a8db35fda9efa1fe" +checksum = "adb9e6ca4f869e1180728b7950e35922a7fc6397f7b641499e8f3ef06e50dc83" [[package]] name = "unicode-normalization" @@ -2354,7 +2387,7 @@ checksum = "d674d135b4a8c1d7e813e2f8d1c9a58308aee4a680323066025e53132218bd91" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -2453,7 +2486,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", "wasm-bindgen-shared", ] 
@@ -2475,7 +2508,7 @@ checksum = "afc340c74d9005395cf9dd098506f7f44e38f2b4a21c6aaacf9a105ea5e1e836" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -2644,12 +2677,13 @@ checksum = "213b7324336b53d2414b2db8537e56544d981803139155afa84f76eeebb7a546" [[package]] name = "zcash_address" -version = "0.6.0" +version = "0.6.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ff95eac82f71286a79c750e674550d64fb2b7aadaef7b89286b2917f645457d" +checksum = "9b955fe87f2d9052e3729bdbeb0e94975355f4fe39f7d26aea9457bec6a0bb55" dependencies = [ "bech32", "bs58", + "core2", "f4jumble", "zcash_encoding", "zcash_protocol", @@ -2657,11 +2691,11 @@ dependencies = [ [[package]] name = "zcash_encoding" -version = "0.2.1" +version = "0.2.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "052d8230202f0a018cd9b5d1b56b94cd25e18eccc2d8665073bcea8261ab87fc" +checksum = "3654116ae23ab67dd1f849b01f8821a8a156f884807ff665eac109bf28306c4d" dependencies = [ - "byteorder", + "core2", "nonempty", ] @@ -2678,9 +2712,9 @@ dependencies = [ [[package]] name = "zcash_note_encryption" -version = "0.4.0" +version = "0.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5b4580cd6cee12e44421dac43169be8d23791650816bdb34e6ddfa70ac89c1c5" +checksum = "77efec759c3798b6e4d829fcc762070d9b229b0f13338c40bf993b7b609c2272" dependencies = [ "chacha20", "chacha20poly1305", @@ -2754,11 +2788,13 @@ dependencies = [ [[package]] name = "zcash_protocol" -version = "0.4.0" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6bc22b9155b2c7eb20105cd06de170d188c1bc86489b92aa3fda7b8da8d96acf" +checksum = "82cb36b15b5a1be70b30c32ce40372dead6561df8a467e297f96b892873a63a2" dependencies = [ + "core2", "document-features", + "hex", "incrementalmerkletree", "incrementalmerkletree-testing", "memuse", 
@@ -2767,9 +2803,9 @@ dependencies = [ [[package]] name = "zcash_spec" -version = "0.1.1" +version = "0.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1840a18eb788adab921c26e930c0aaaca509cd31090f176d1d8bbee15ddca855" +checksum = "9cede95491c2191d3e278cab76e097a44b17fde8d6ca0d4e3a22cf4807b2d857" dependencies = [ "blake2b_simd", ] @@ -2792,7 +2828,7 @@ checksum = "fa4f8080344d4671fb4e831a13ad1e68092748387dfc4f55e356242fae12ce3e" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] @@ -2812,16 +2848,17 @@ checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ "proc-macro2", "quote", - "syn 2.0.75", + "syn 2.0.94", ] [[package]] name = "zip32" -version = "0.1.1" +version = "0.1.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4226d0aee9c9407c27064dfeec9d7b281c917de3374e1e5a2e2cfad9e09de19e" +checksum = "2e9943793abf9060b68e1889012dafbd5523ab5b125c0fcc24802d69182f2ac9" dependencies = [ "blake2b_simd", "memuse", "subtle", + "zcash_spec", ] diff --git a/contrib/debian/copyright b/contrib/debian/copyright index 5dd0c914855..63b63c6c131 100644 --- a/contrib/debian/copyright +++ b/contrib/debian/copyright @@ -239,8 +239,8 @@ Copyright: 2016-2020 meh License: WTFPL Files: depends/*/vendored-sources/unicode-ident/src/tables.rs -Copyright: 1991-2022 Unicode, Inc -License: Unicode-DFS-2016 +Copyright: 1991-2023 Unicode, Inc. +License: Unicode-3.0 Comment: This entry is for code in the unicode-ident crate generated from Unicode data tables. The license of the unicode-ident crate itself is MIT/Expat or Apache-2.0. 
@@ -2035,53 +2035,46 @@ License: Ring-BoringSSL OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -License: Unicode-DFS-2016 - UNICODE, INC. LICENSE AGREEMENT - DATA FILES AND SOFTWARE +License: Unicode-3.0 + UNICODE LICENSE V3 . - See Terms of Use - for definitions of Unicode Inc.’s Data Files and Software. + COPYRIGHT AND PERMISSION NOTICE . - NOTICE TO USER: Carefully read the following legal agreement. - BY DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING UNICODE INC.'S - DATA FILES ("DATA FILES"), AND/OR SOFTWARE ("SOFTWARE"), - YOU UNEQUIVOCALLY ACCEPT, AND AGREE TO BE BOUND BY, ALL OF THE - TERMS AND CONDITIONS OF THIS AGREEMENT. - IF YOU DO NOT AGREE, DO NOT DOWNLOAD, INSTALL, COPY, DISTRIBUTE OR USE - THE DATA FILES OR SOFTWARE. + Copyright © 1991-2023 Unicode, Inc. . - COPYRIGHT AND PERMISSION NOTICE + NOTICE TO USER: Carefully read the following legal agreement. BY + DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING DATA FILES, AND/OR + SOFTWARE, YOU UNEQUIVOCALLY ACCEPT, AND AGREE TO BE BOUND BY, ALL OF THE + TERMS AND CONDITIONS OF THIS AGREEMENT. IF YOU DO NOT AGREE, DO NOT + DOWNLOAD, INSTALL, COPY, DISTRIBUTE OR USE THE DATA FILES OR SOFTWARE. + . + Permission is hereby granted, free of charge, to any person obtaining a + copy of data files and any associated documentation (the "Data Files") or + software and any associated documentation (the "Software") to deal in the + Data Files or Software without restriction, including without limitation + the rights to use, copy, modify, merge, publish, distribute, and/or sell + copies of the Data Files or Software, and to permit persons to whom the + Data Files or Software are furnished to do so, provided that either (a) + this copyright and permission notice appear with all copies of the Data + Files or Software, or (b) this copyright and permission notice appear in + associated Documentation. + . 
+ THE DATA FILES AND SOFTWARE ARE PROVIDED "AS IS", WITHOUT WARRANTY OF ANY + KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF + MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF + THIRD PARTY RIGHTS. + . + IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS NOTICE + BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, + OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, + WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, + ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THE DATA + FILES OR SOFTWARE. . - Copyright © 1991-2022 Unicode, Inc. All rights reserved. - Distributed under the Terms of Use in https://www.unicode.org/copyright.html. - . - Permission is hereby granted, free of charge, to any person obtaining - a copy of the Unicode data files and any associated documentation - (the "Data Files") or Unicode software and any associated documentation - (the "Software") to deal in the Data Files or Software - without restriction, including without limitation the rights to use, - copy, modify, merge, publish, distribute, and/or sell copies of - the Data Files or Software, and to permit persons to whom the Data Files - or Software are furnished to do so, provided that either - (a) this copyright and permission notice appear with all copies - of the Data Files or Software, or - (b) this copyright and permission notice appear in associated - Documentation. - . - THE DATA FILES AND SOFTWARE ARE PROVIDED "AS IS", WITHOUT WARRANTY OF - ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE - WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - NONINFRINGEMENT OF THIRD PARTY RIGHTS. 
- IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS - NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL - DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, - DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER - TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THE DATA FILES OR SOFTWARE. - . - Except as contained in this notice, the name of a copyright holder - shall not be used in advertising or otherwise to promote the sale, - use or other dealings in these Data Files or Software without prior - written authorization of the copyright holder. + Except as contained in this notice, the name of a copyright holder shall + not be used in advertising or otherwise to promote the sale, use or other + dealings in these Data Files or Software without prior written + authorization of the copyright holder. License: Zlib This software is provided 'as-is', without any express or implied warranty. In diff --git a/deny.toml b/deny.toml index 7aa14995c66..375146d7cbe 100644 --- a/deny.toml +++ b/deny.toml @@ -30,5 +30,5 @@ exceptions = [ { name = "secp256k1-sys", allow = ["CC0-1.0"] }, { name = "subtle", allow = ["BSD-3-Clause"] }, { name = "terminfo", allow = ["WTFPL"] }, - { name = "unicode-ident", allow = ["Unicode-DFS-2016"] }, + { name = "unicode-ident", allow = ["Unicode-3.0"] }, ] diff --git a/qa/supply-chain/audits.toml b/qa/supply-chain/audits.toml index 715a3b112f1..4d8d5ff9b86 100644 --- a/qa/supply-chain/audits.toml +++ b/qa/supply-chain/audits.toml @@ -579,6 +579,11 @@ via its methods (one of which is now usable with the new MSRV) instead of via casting. """ +[[audits.crossbeam-utils]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.8.20 -> 0.8.21" + [[audits.crypto-common]] who = "Jack Grigg " criteria = ["crypto-reviewed", "safe-to-deploy"] 
@@ -1088,6 +1093,15 @@ criteria = "safe-to-deploy" delta = "0.3.29 -> 0.3.30" notes = "Removes `build.rs` now that it can rely on the `target_has_atomic` attribute." +[[audits.futures-channel]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.3.30 -> 0.3.31" +notes = """ +Changes to `unsafe` code are only to wrap the internals of some `unsafe fn`s int +`unsafe` blocks for added clarity. +""" + [[audits.futures-core]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1395,6 +1409,11 @@ who = "Jack Grigg " criteria = "safe-to-deploy" delta = "2.9.0 -> 2.10.0" +[[audits.ipnet]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "2.10.0 -> 2.10.1" + [[audits.itoa]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -1586,6 +1605,12 @@ criteria = "safe-to-deploy" delta = "0.2.0 -> 0.2.1" notes = "Exposes an existing macro. Note that I am the author of the crate." +[[audits.memuse]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "0.2.1 -> 0.2.2" +notes = "Adds no-std support; no other changes. Note that I am the author of the crate." + [[audits.metrics]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -2296,6 +2321,11 @@ who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.193 -> 1.0.194" +[[audits.serde]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.216 -> 1.0.217" + [[audits.serde_derive]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -2337,6 +2367,11 @@ who = "Jack Grigg " criteria = "safe-to-deploy" delta = "1.0.193 -> 1.0.194" +[[audits.serde_derive]] +who = "Jack Grigg " +criteria = "safe-to-deploy" +delta = "1.0.216 -> 1.0.217" + [[audits.serde_json]] who = "Jack Grigg " criteria = "safe-to-deploy" @@ -3087,7 +3122,7 @@ end = "2024-09-21" criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 6289 # Jack Grigg (str4d) start = "2021-09-22" -end = "2024-09-21" +end = "2026-01-02" [[trusted.halo2_gadgets]] criteria = ["safe-to-deploy", "crypto-reviewed"] 
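Review bot: The last hunk here extends a `[[trusted.*]]` window for user-id 6289 to `end = "2026-01-02"`, and the hunks that follow add wildcard entries for the same publisher on `halo2_gadgets`, `halo2_poseidon`, `sinsemilla` and `zcash_encoding`. Going by the commit author, these entries are certified by the person being trusted. A trusted entry accepts every release that account publishes inside the window, so `crypto-reviewed` for the two crates new to the graph (`halo2_poseidon`, `sinsemilla`) rests on publisher identity and crates.io account security, not on a recorded review of their first releases. Consider a second maintainer's sign-off on these entries, or a full `[[audits.*]]` entry with `version = "0.1.0"` for each new crate from a reviewer other than the publisher. The table edited by this hunk starts above the visible context, so the crate it applies to cannot be confirmed from here.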
@@ -3095,12 +3130,24 @@ user-id = 1244 # ebfull start = "2022-05-10" end = "2024-09-21" +[[trusted.halo2_gadgets]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 6289 # Jack Grigg (str4d) +start = "2022-02-15" +end = "2026-01-02" + [[trusted.halo2_legacy_pdqsort]] criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 199950 # Daira Emma Hopwood (daira) start = "2023-02-24" end = "2024-09-21" +[[trusted.halo2_poseidon]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 6289 # Jack Grigg (str4d) +start = "2024-12-13" +end = "2026-01-02" + [[trusted.halo2_proofs]] criteria = ["safe-to-deploy", "crypto-reviewed"] user-id = 1244 # ebfull @@ -3161,6 +3208,12 @@ user-id = 6289 # Jack Grigg (str4d) start = "2024-01-26" end = "2025-03-18" +[[trusted.sinsemilla]] +criteria = ["safe-to-deploy", "crypto-reviewed"] +user-id = 6289 # Jack Grigg (str4d) +start = "2024-12-13" +end = "2026-01-02" + [[trusted.windows-sys]] criteria = "safe-to-deploy" user-id = 64539 # Kenny Kerr (kennykerr) @@ -3245,6 +3298,12 @@ user-id = 1244 # ebfull start = "2022-10-19" end = "2024-09-21" +[[trusted.zcash_encoding]] +criteria = "safe-to-deploy" +user-id = 6289 # Jack Grigg (str4d) +start = "2021-08-31" +end = "2026-01-02" + [[trusted.zcash_history]] criteria = "safe-to-deploy" user-id = 1244 # ebfull diff --git a/qa/supply-chain/config.toml b/qa/supply-chain/config.toml index cfcd5bc0cc3..6533b0515d0 100644 --- a/qa/supply-chain/config.toml +++ b/qa/supply-chain/config.toml @@ -55,7 +55,7 @@ version = "1.0.1" criteria = "safe-to-deploy" [[exemptions.bech32]] -version = "0.8.1" +version = "0.11.0" criteria = "safe-to-deploy" [[exemptions.bellman]] @@ -114,6 +114,10 @@ criteria = "safe-to-deploy" version = "0.9.6" criteria = "safe-to-deploy" +[[exemptions.core2]] +version = "0.3.3" +criteria = "safe-to-deploy" + [[exemptions.cpufeatures]] version = "0.2.13" criteria = "safe-to-deploy" 
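Review bot: Raising `version` in `[[exemptions.bech32]]` from `0.8.1` to `0.11.0` exempts the whole new release from review instead of recording an audit of the difference, and the entry gives no reason. The new `[[exemptions.core2]]` entry in the next hunk and the `crossbeam-deque`, `proptest` and `syn` bumps in the following hunks do the same. Where a review is feasible I would keep the old exemption and add a delta audit to `audits.toml`, e.g. `delta = "2.0.75 -> 2.0.94"` for `syn`. Otherwise, add a `notes` line to the exemption saying why the review is deferred.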
@@ -123,7 +127,7 @@ version = "0.5.6" criteria = "safe-to-deploy" [[exemptions.crossbeam-deque]] -version = "0.8.2" +version = "0.8.6" criteria = "safe-to-deploy" [[exemptions.crossbeam-epoch]] @@ -395,7 +399,7 @@ version = "0.12.2" criteria = "safe-to-deploy" [[exemptions.proptest]] -version = "1.5.0" +version = "1.6.0" criteria = "safe-to-deploy" [[exemptions.quanta]] @@ -503,7 +507,7 @@ version = "1.0.102" criteria = "safe-to-deploy" [[exemptions.syn]] -version = "2.0.75" +version = "2.0.94" criteria = "safe-to-deploy" [[exemptions.tempfile]] diff --git a/qa/supply-chain/imports.lock b/qa/supply-chain/imports.lock index 76167804d3f..be0e90923a6 100644 --- a/qa/supply-chain/imports.lock +++ b/qa/supply-chain/imports.lock @@ -23,17 +23,18 @@ user-login = "str4d" user-name = "Jack Grigg" [[publisher.f4jumble]] -version = "0.1.0" -when = "2022-05-10" +version = "0.1.1" +when = "2024-12-13" user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" [[publisher.halo2_gadgets]] -version = "0.3.0" -when = "2023-03-22" -user-id = 1244 -user-login = "ebfull" +version = "0.3.1" +when = "2024-12-16" +user-id = 6289 +user-login = "str4d" +user-name = "Jack Grigg" [[publisher.halo2_legacy_pdqsort]] version = "0.1.0" @@ -42,6 +43,13 @@ user-id = 199950 user-login = "daira" user-name = "Daira Emma Hopwood" +[[publisher.halo2_poseidon]] +version = "0.1.0" +when = "2024-12-16" +user-id = 6289 +user-login = "str4d" +user-name = "Jack Grigg" + [[publisher.halo2_proofs]] version = "0.3.0" when = "2023-03-22" @@ -49,15 +57,15 @@ user-id = 1244 user-login = "ebfull" [[publisher.incrementalmerkletree]] -version = "0.7.0" -when = "2024-09-25" +version = "0.7.1" +when = "2024-12-16" user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" [[publisher.incrementalmerkletree-testing]] -version = "0.1.0" -when = "2024-09-25" +version = "0.2.0" +when = "2024-10-04" user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" 
@@ -76,6 +84,13 @@ user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" +[[publisher.sinsemilla]] +version = "0.1.0" +when = "2024-12-14" +user-id = 6289 +user-login = "str4d" +user-name = "Jack Grigg" + [[publisher.unicode-normalization]] version = "0.1.23" when = "2024-02-20" @@ -154,17 +169,18 @@ user-login = "kennykerr" user-name = "Kenny Kerr" [[publisher.zcash_address]] -version = "0.6.0" -when = "2024-10-02" +version = "0.6.2" +when = "2024-12-13" user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" [[publisher.zcash_encoding]] -version = "0.2.0" -when = "2022-10-19" -user-id = 1244 -user-login = "ebfull" +version = "0.2.2" +when = "2024-12-13" +user-id = 6289 +user-login = "str4d" +user-name = "Jack Grigg" [[publisher.zcash_history]] version = "0.4.0" @@ -173,13 +189,6 @@ user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" -[[publisher.zcash_note_encryption]] -version = "0.4.0" -when = "2023-06-06" -user-id = 169181 -user-login = "nuttycom" -user-name = "Kris Nuttycombe" - [[publisher.zcash_primitives]] version = "0.19.0" when = "2024-10-02" @@ -195,22 +204,22 @@ user-login = "str4d" user-name = "Jack Grigg" [[publisher.zcash_protocol]] -version = "0.4.0" -when = "2024-10-02" +version = "0.4.3" +when = "2024-12-17" user-id = 169181 user-login = "nuttycom" user-name = "Kris Nuttycombe" [[publisher.zcash_spec]] -version = "0.1.1" -when = "2024-09-20" +version = "0.1.2" +when = "2024-10-22" user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" [[publisher.zip32]] -version = "0.1.1" -when = "2024-03-14" +version = "0.1.3" +when = "2024-12-13" user-id = 6289 user-login = "str4d" user-name = "Jack Grigg" 
@@ -347,6 +356,22 @@ criteria = "safe-to-deploy" version = "0.3.27" notes = "Unsafe used to implement a concurrency primitive AtomicWaker. Well-commented and not obviously incorrect. Like my other audits of these concurrency primitives inside the futures family, I couldn't certify that it is correct without formal methods, but that is out of scope for this vetting." +[[audits.bytecode-alliance.audits.futures-core]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.3.28 -> 0.3.31" + +[[audits.bytecode-alliance.audits.futures-task]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.31" + +[[audits.bytecode-alliance.audits.futures-util]] +who = "Pat Hickey " +criteria = "safe-to-deploy" +delta = "0.3.27 -> 0.3.31" +notes = "New waker_ref module contains \"FIXME: panics on Arc::clone / refcount changes could wreak havoc...\" comment, but this corner case feels low risk." + [[audits.bytecode-alliance.audits.gimli]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -742,6 +767,15 @@ Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.itoa]] +who = "Liza Burakova " +criteria = "safe-to-deploy" +delta = "1.0.11 -> 1.0.14" +notes = """ +Unsafe review at https://crrev.com/c/6051067 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.lazy_static]] who = "Lukasz Anforowicz " criteria = "safe-to-deploy" 
@@ -773,6 +807,12 @@ are made about the safety of either of those libraries. :) """ aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.miniz_oxide]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "0.8.0 -> 0.8.2" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.nom]] who = "danakj@chromium.org" criteria = "safe-to-deploy" @@ -859,6 +899,35 @@ Config-related changes in `test_size.rs`. """ aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.86 -> 1.0.87" +notes = "No new unsafe interactions." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Liza Burakova Date: Mon, 6 Jan 2025 14:33:00 +0000 Subject: [PATCH 8/8] CI: Migrate to `cargo-vet 0.10` --- .github/workflows/audits.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/audits.yml b/.github/workflows/audits.yml index e53d3ff6924..304cc4c90a4 100644 --- a/.github/workflows/audits.yml +++ b/.github/workflows/audits.yml @@ -17,7 +17,7 @@ jobs: - uses: dtolnay/rust-toolchain@stable id: toolchain - run: rustup override set ${{steps.toolchain.outputs.name}} - - run: cargo install cargo-vet --version ~0.9 + - run: cargo install cargo-vet --version ~0.10 - run: cargo vet --locked cargo-deny:
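Review bot: The changed step `cargo install cargo-vet --version ~0.10` installs without `--locked`, so the dependencies of the audit tool itself are resolved afresh on every CI run instead of coming from the lockfile published with it. For the job that enforces supply-chain policy I would pin them: `- run: cargo install cargo-vet --locked --version ~0.10`. The `~0.10` requirement still lets patch releases in; an exact `--version` is an option if fully reproducible runs are wanted.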