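# cargo-vet audits file
#
# Each [[audits.<crate>]] entry records one reviewer's attestation for a
# third-party crate:
#   who      - the person making the attestation
#   criteria - the claim being made; this file uses `safe-to-deploy` and the
#              weaker `safe-to-run`
#   version  - a full audit of exactly that release
#   delta    - an audit of only the diff between two releases; it extends
#              trust to the newer release only if the older one is already
#              covered by another audit, exemption or import
#   notes    - free-form rationale
# NOTE(review): comments may not survive a tool-driven rewrite of this file
# (confirm); rationale that has to persist belongs in `notes`.

[[audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.11.0"
notes = "Small crate, wrapping Android log functionality, reviewed by janerik"

# Delta on top of the 0.11.0 full audit; the notes name the change that was
# reviewed (the move to MaybeUninit).
[[audits.android_logger]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.11.0 -> 0.11.1"
notes = "Small crate, wrapping Android log functionality, now switched to properly using MaybeUninit"
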
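# Attested by the crate's author; the notes name a second reviewer (jimb).
[[audits.android_system_properties]]
who = "Nicolas Silva <nical@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = "I wrote this crate, reviewed by jimb. It is mostly a Rust port of some C++ code we already ship."

[[audits.app_units]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.7.1"
notes = """
I'm pretty familiar with this crate. It provides a fixed-point numeric type.
The code is pretty straight-forward, there's no unsafe code at all.
"""

# `safe-to-run` only, so this entry does not vouch for use in shipped code.
# NOTE(review): delta-only and without `notes`; no audit of 1.1.0 appears in
# this listing, so the base version must be covered elsewhere - confirm.
[[audits.arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"
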
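# Unsafe FFI wrapper. The notes rest the audit on the shim being small and
# passing arguments through unexamined, i.e. the residual risk is that of the
# underlying OS API rather than of this crate.
[[audits.ashmem]]
who = "Matthew Gregan <kinetik@flim.org>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = """
Small unsafe wrapper around Android 8.0's ASharedMemory native API that falls
back to older private ioctl-based API at runtime on earlier OS releases. The
shim code is small and doesn't inspect the API arguments, so is unlikely to
expose any safety issues beyond those presented by the native OS API.
"""
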
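# Maintainer self-attestations: in each of the four entries below the notes
# identify `who` as the crate's owner, author or maintainer. Only the
# atomic_refcell notes state that every line was reviewed.
[[audits.atomic_refcell]]
who = "Bobby Holley <bholley@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.8"
notes = "I maintain this crate and have reviewed every line."

[[audits.bindgen]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.59.2"
notes = "I'm the primary author and maintainer of the crate."

[[audits.bit-set]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.2"
notes = "Another crate I own via contain-rs that is ancient and maintenance mode, no known issues."

[[audits.bit-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.6.3"
notes = "Another crate I own via contain-rs that is ancient and in maintenance mode but otherwise perfectly fine."
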
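# NOTE(review): neither entry below carries `notes`, so the basis for the
# attestation is not recorded here.
[[audits.build-parallel]]
who = "Jeff Muizelaar <jmuizelaar@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.1.2"

# Delta-only: no audit of 0.2.0 appears in this listing, so the base version
# must be covered elsewhere - confirm.
[[audits.clap_lex]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.0 -> 0.2.2"
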
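# The notes address the generated `unsafe` block directly: macro inputs are
# static, so the block is not reachable with runtime-controlled data.
[[audits.cstr]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.2.10"
notes = """
I've reviewed the code of the crate thoroughly. It generates an unsafe block
which is statically guaranteed to be safe. Inputs to the macro have to be
static so there's no uncontrolled input whatsoever.
"""

# `safe-to-run` only, matching the `arbitrary` delta for the same versions.
# NOTE(review): no `notes`, and the 1.1.0 base is not audited in this listing.
[[audits.derive_arbitrary]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-run"
delta = "1.1.0 -> 1.1.1"
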
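# NOTE(review): the notes state where the repository lives, not what changed
# between 0.4.0 and 0.5.0; the 0.4.0 base is not audited in this listing.
[[audits.dogear]]
who = "Sammy Khamis <skhamis@mozilla.com>"
criteria = "safe-to-deploy"
delta = "0.4.0 -> 0.5.0"
notes = "The repository for this crate belongs in the Mozilla org."

# Proc-macro crate; the notes argue it only re-emits the caller's own impl
# block and therefore introduces no code of its own.
[[audits.extend]]
who = "Ben Dean-Kawamura <bdk@mozilla.com>"
criteria = "safe-to-deploy"
version = "1.1.2"
notes = "Inspected the crate and noted that the impl block comes directly from the proc-macro input. If no new code can be added by this crate, I don't think there can be any issues."

[[audits.flagset]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.4.3"
notes = "Uses no ambient capabilities, vetted the one instance of unsafe."
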
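# fluent-* family: seven full-version audits by the same person.
# NOTE(review): none of them carries `notes`, so neither the reviewer's
# relationship to the crates nor the scope of the review is recorded here.
[[audits.fluent]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.16.0"

[[audits.fluent-bundle]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.15.2"

[[audits.fluent-fallback]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.6.0"

[[audits.fluent-langneg]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.13.0"

[[audits.fluent-pseudo]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.3.1"

[[audits.fluent-syntax]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.11.0"

# The only fluent-* entry at the weaker `safe-to-run` level.
[[audits.fluent-testing]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-run"
version = "0.0.2"
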
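# getrandom supplies operating-system randomness to its dependents, so
# changes to it are security-relevant.
# NOTE(review): delta-only and without `notes`; what changed in 0.2.7 is not
# recorded, and the 0.2.6 base is not audited in this listing.
[[audits.getrandom]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.2.6 -> 0.2.7"
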
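# glean: full audits of 50.1.0, 50.1.2 and 51.1.0, plus a delta chain
# 50.1.2 -> 50.1.3 -> 51.0.1.
# NOTE(review): most notes record team ownership rather than review findings.
[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.2"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "51.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.2 -> 50.1.3"
notes = "Unchanged from last version"

# Crosses a major version (50 -> 51) in a single delta.
[[audits.glean]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.3 -> 51.0.1"
notes = "Maintained by the Glean team at Mozilla"
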
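# glean-core: full audits of 50.1.0, 50.1.2 and 51.1.0, plus a delta chain
# 50.1.2 -> 50.1.3 -> 51.0.1.
# NOTE(review): apart from the 50.1.3 delta, the notes record team ownership
# rather than review findings.
[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.0"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "50.1.2"
notes = "Maintained by the Glean team at Mozilla"

[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
version = "51.1.0"
notes = "Maintained by the Glean team at Mozilla"

# The auditor is also the author of the changes, per the notes.
[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.2 -> 50.1.3"
notes = "Bug fix release with minimal changes, changes done by myself"

# Crosses a major version (50 -> 51) in a single delta.
[[audits.glean-core]]
who = "Jan-Erik Rediger <jrediger@mozilla.com>"
criteria = "safe-to-deploy"
delta = "50.1.3 -> 51.0.1"
notes = "Maintained by the Glean team at Mozilla"
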
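# NOTE(review): the two intl* entries carry no `notes`.
[[audits.intl-memoizer]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.5.1"

[[audits.intl_pluralrules]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "7.0.1"

# Owner attestation; the notes cite a passing miri run for 0.5.4 as evidence.
[[audits.linked-hash-map]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.5.4"
notes = "I own this crate (I am contain-rs) and 0.5.4 passes miri. This code is very old and used by lots of people, so I'm pretty confident in it, even though it's in maintenance-mode and missing some nice-to-have APIs."

# NOTE(review): no `notes` recorded.
[[audits.log]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
version = "0.4.17"
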
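# Scope limit stated in the notes: the generated code was judged safe, but
# the derive logic itself did not get a full review.
[[audits.malloc_size_of_derive]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.2"
notes = """
This was originally servo code which I put on crates.io some years ago but didn't
examine at the time, so I examined it now. I didn't perform a full logic review
but convinced myself that any generated code will be entirely safe to deploy.
"""

[[audits.matches]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.9"
notes = "This is a trivial crate."
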
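# Attestation collected on the auditor's behalf: per the notes, `who` had left
# Mozilla by the time the statement was gathered over email by Jim Blandy.
# The claim covers "written or reviewed", so it is not purely an independent
# review.
[[audits.naga]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.8.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""
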
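[[audits.new_debug_unreachable]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.4"
notes = "This is a trivial crate."

# Author attestation. Per the notes, cryptographic work is left to the caller,
# so this audit says nothing about how callers verify tokens.
[[audits.origin-trial-token]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = """
I'm the author of the crate. The only unsafe code is a view over a byte array
which is properly validated.

Cryptography shenanigans are delegated to the caller so there's no possible
unsoundness there.
"""
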
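# NOTE(review): the three delta entries in this group (packed_simd_2,
# rust_decimal, semver) carry no `notes`, and none of their base versions is
# audited in this listing - confirm the bases are covered elsewhere.
[[audits.packed_simd_2]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.3.7 -> 0.3.8"

[[audits.precomputed-hash]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "0.1.1"
notes = "This is a trivial crate."

[[audits.rust_decimal]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.24.0 -> 1.25.0"

[[audits.semver]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.9 -> 1.0.10"
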
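# Residual risk is stated in the notes themselves: the gecko-ffi configuration
# is less thoroughly tested, and misuse from the C++ side of the FFI boundary
# is outside what this audit can cover.
[[audits.thin-vec]]
who = "Aria Beingessner <a.beingessner@gmail.com>"
criteria = "safe-to-deploy"
version = "0.2.5"
notes = "I own this crate, and most of its versions were codeveloped and reviewed by Nika Layzell. This version was not explicitly reviewed by her, but it was specifically a release that made the code pass miri and was reviewed by me. Firefox uses it in the gecko-ffi configuration which is less thoroughly tested and more dangerous but we're reasonably confident in it. The real danger is from C++ code failing to use it correctly in FFI but that's just how FFI is."
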
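# Two independent full audits (0.3.4 and 0.6.0), not a delta chain.
# NOTE(review): neither tinystr entry nor tracy-rs carries `notes`.
[[audits.tinystr]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.3.4"

[[audits.tinystr]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.6.0"

[[audits.tracy-rs]]
who = "Glenn Watson <git@intuitionlibrary.com>"
criteria = "safe-to-deploy"
version = "0.1.2"

[[audits.uluru]]
who = "Emilio Cobos Álvarez <emilio@crisal.io>"
criteria = "safe-to-deploy"
version = "3.0.0"
notes = """
I've reviewed multiple patches in this crate, including the initial
implementation back in the day. It has no unsafe code at all nowadays.
"""
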
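# unic-langid family: four crates audited at the same version by the same
# person.
# NOTE(review): none of the four entries carries `notes`.
[[audits.unic-langid]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.unic-langid-impl]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.unic-langid-macros]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.9.0"

[[audits.unic-langid-macros-impl]]
who = "Zibi Braniecki <zibi@unicode.org>"
criteria = "safe-to-deploy"
version = "0.9.0"
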
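# NOTE(review): delta-only and without `notes`; the 1.0.0 base is not audited
# in this listing.
[[audits.unicode-ident]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "1.0.0 -> 1.0.1"

# The auditor wrote most of the delta and, per the notes, also looked at the
# remaining changes since 0.1.19. The 0.1.19 base is not audited in this
# listing.
[[audits.unicode-normalization]]
who = "Mike Hommey <mh+mozilla@glandium.org>"
criteria = "safe-to-deploy"
delta = "0.1.19 -> 0.1.20"
notes = "I am the author of most of these changes upstream, and prepared the release myself, at which point I looked at the other changes since 0.1.19."
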
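# uniffi family: four crates audited at the same version by the same person.
# NOTE(review): the notes record which teams maintain the crates, not what
# was reviewed.
[[audits.uniffi]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.19.3"
notes = "Maintained by the Glean and Application Services teams"

[[audits.uniffi_bindgen]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.19.3"
notes = "Maintained by the Glean and Application Services teams."

[[audits.uniffi_build]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.19.3"
notes = "Maintained by the Glean and Application Services teams."

[[audits.uniffi_macros]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "0.19.3"
notes = "Maintained by the Glean and Application Services teams."
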
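[[audits.void]]
who = "Bobby Holley <bobbyholley@gmail.com>"
criteria = "safe-to-deploy"
version = "1.0.2"
notes = "Very small crate, just hosts the Void type for easier cross-crate interfacing."

# The wasm-* / wast notes below state concretely what was checked: presence
# of `unsafe` and use of ambient capabilities.
[[audits.wasm-encoder]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.7.0"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. This has no unsafe code and uses no ambient capabilities."

# NOTE(review): one delta spanning 0.7.0 to 0.14.0; the notes assert the
# properties of the result but do not describe the size of the diff reviewed.
[[audits.wasm-encoder]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
delta = "0.7.0 -> 0.14.0"
notes = "wasm-encoder has no unsafe code and uses no ambient capabilities."

[[audits.wasm-smith]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.11.2"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."

[[audits.wasmparser]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "0.87.0"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. I've vetted the one instance of unsafe code."

# The one ambient capability is named in the notes: reading a caller-supplied
# file in full.
[[audits.wast]]
who = "Ryan Hunt <rhunt@eqrion.net>"
criteria = "safe-to-deploy"
version = "44.0.0"
notes = "Maintained by the Bytecode Alliance, with contributions from Mozilla. wast has no unsafe code and the only ambient capability it uses is to read the full contents of a file that is given to it."
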
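[[audits.webdriver]]
who = "Henrik Skupin <mail@hskupin.info>"
criteria = "safe-to-deploy"
version = "0.46.0"
notes = "Maintained by the DevTools team at Mozilla and has no unsafe code."

# NOTE(review): the notes record which teams maintain the crate, not what was
# reviewed.
[[audits.weedle2]]
who = "Travis Long <tlong@mozilla.com>"
criteria = "safe-to-deploy"
version = "3.0.0"
notes = "Maintained by the Glean and Application Services teams."
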
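# wgpu-core, wgpu-hal and wgpu-types share one attestation text. Per the
# notes it was collected over email by Jim Blandy after `who` had left
# Mozilla, and it covers code "written or reviewed" by him, so it is not
# purely an independent review.
[[audits.wgpu-core]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.12.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""

[[audits.wgpu-hal]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.12.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""

[[audits.wgpu-types]]
who = "Dzmitry Malyshau <kvark@fastmail.com>"
criteria = "safe-to-deploy"
version = "0.12.0"
notes = """
This crate, up through the indicated version, was written or reviewed
by Dzmitry Malyshau while he was a Mozilla employee. Dzmitry left
Mozilla at the beginning of February 2022. This audit statement was
collected by Jim Blandy, a Mozilla employee, over email in July 2022:
Dzmitry was shown, and agreed to, the 'safe-to-deploy' text.
"""

# Moved after the wgpu-* entries: it previously sat between wgpu-core and
# wgpu-hal, out of the alphabetical order the other entries follow.
# Author attestation, per the notes.
[[audits.xmldecl]]
who = "Henri Sivonen <hsivonen@hsivonen.fi>"
criteria = "safe-to-deploy"
version = "0.2.0"
notes = "I, Henri Sivonen, wrote this crate myself for Gecko even though it's published on crates.io."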