kalvinparker
3 months ago
1 changed files with 30 additions and 0 deletions
@ -0,0 +1,30 @@ |
|||
# Experiment: reqwest(native-tls) & webauthn-rs bump (2025-11-10) |
|||
|
|||
Summary |
|||
------- |
|||
Two non-destructive experiments were executed in a copied workspace to evaluate remediation paths for the top license clusters. |
|||
|
|||
1) reqwest/native-tls experiment |
|||
- Script: `docker/audit/exp/reqwest_native_exp.sh` |
|||
- Action: attempted to prefer `native-tls` for `reqwest` by editing `Cargo.toml`, running `cargo update -p reqwest`, and running `cargo-deny` (licenses) in a workspace copy. |
|||
- Result: `cargo-deny` reduced license errors to a single error: `ar_archive_writer v0.2.0` (license: Apache-2.0 WITH LLVM-exception) via `lettre` -> `psm` -> `stacker` -> `chumsky` -> `vaultwarden` path. The `webpki-roots` (CDLA-Permissive-2.0) failure was removed in this experiment. |
|||
- Artifacts: `docker/audit/output/deny_reqwest_native.err` (diagnostic), `docker/audit/output/deny_reqwest_native.json` (may be empty), `docker/audit/output/req_exp.done` (marker). |
|||
|
|||
2) webauthn-rs bump experiment |
|||
- Script: `docker/audit/exp/patch_and_run.sh` |
|||
- Action: in a workspace copy, attempted to bump `webauthn-rs` to `0.6` and ran `cargo update -p webauthn-rs` and `cargo-deny` (licenses). |
|||
- Result: MPL-2.0 failures related to the `webauthn-rs` family were removed by the non-destructive bump attempt (in the copied workspace experiment). The remaining single license rejection (same as above) persisted. |
|||
- Artifacts: `docker/audit/output/deny_licenses.err`, `docker/audit/output/deny_licenses.json` (may be empty), `docker/audit/output/exp.done`. |
|||
|
|||
Conclusion & recommended next step |
|||
-------------------------------- |
|||
- Both experiments significantly reduced the license noise: from the previously reported set down to one remaining rejection: `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception). |
|||
- Recommended immediate actions: |
|||
1. Decide whether to temporarily allow `Apache-2.0 WITH LLVM-exception` in `deny.toml` (timeboxed) to unblock CI, OR |
|||
2. Investigate the `lettre`/`psm` chain to find alternative crates or versions that avoid `ar_archive_writer`. |
|||
- If you approve, I can open a follow-up branch that applies the minimal change (either temporary allowlist addition or a patch bump) and run CI to verify `cargo-deny` cleanly passes. |
|||
|
|||
Notes |
|||
----- |
|||
- All changes in these experiments were done in copied workspaces inside the audit container and did not modify the main branch's `Cargo.toml` or lockfile. |
|||
- Full experiment artifacts are saved under `docker/audit/output/` in the repository workspace. |
|||
Loading…
Reference in new issue