kalvinparker
3 months ago
2 changed files with 47 additions and 0 deletions
@ -0,0 +1,11 @@ |
|||||
|
Temporary license allowlist: MPL-2.0 and CDLA-Permissive-2.0 were added to deny.toml on branch experiment/webauthn-upgrade to unblock CI while coordinated upgrades/replacements are attempted. This is timeboxed and tracked in issues/FEASIBILITY-WEBAUTHN-WEBPKI.md and issues/TRACK-2025-11-09-RSA-PASTE.md. See the experiment artifacts in docker/audit/output/. |
||||
|
|
||||
|
## Tasks |
||||
|
- [ ] Owner: Security lead — confirm timebox and approve temporary allowlist (by 2025-11-17) |
||||
|
- [ ] Owner: Maintainer — attempt `webauthn-rs` upgrade or replacement; report feasibility (see issues/FEASIBILITY-WEBAUTHN-WEBPKI.md) |
||||
|
- [ ] Owner: Maintainer — coordinate `reqwest`/`hyper-rustls`/`openidconnect` upgrades to remove `webpki-roots` (see docker/audit/output/* and reqwest/webpki trees) |
||||
|
- [ ] Owner: Maintainer — verify cargo-deny clean runs on CI after each change |
||||
|
- [ ] Owner: Maintainer — remove temporary allowlist and update deny.toml when all issues resolved |
||||
|
|
||||
|
## Triage summary |
||||
|
See issues/LICENSE-TRIAGE-2025-11-10.md for a short summary of the top offenders and remediation options. |
||||
@ -0,0 +1,36 @@ |
|||||
|
# License triage summary (2025-11-10) |
||||
|
|
||||
|
Summary |
||||
|
------- |
||||
|
This short report summarizes the top remaining license failures reported by `cargo-deny` after temporary allowlist adjustments and initial experiments. |
||||
|
|
||||
|
Top offenders (extracted from `docker/audit/output/license_triage_2025-11-09.csv`): |
||||
|
|
||||
|
- webauthn-rs family (MPL-2.0): |
||||
|
- `webauthn-rs v0.5.3` (direct dependency) |
||||
|
- `webauthn-rs-core v0.5.3` |
||||
|
- `webauthn-rs-proto v0.5.3` |
||||
|
- `webauthn-attestation-ca v0.5.3` |
||||
|
- `base64urlsafedata v0.5.3` |
||||
|
|
||||
|
- webpki-roots (CDLA-Permissive-2.0): |
||||
|
- `webpki-roots v1.0.3` pulled via `hyper-rustls v0.27.7` -> `reqwest v0.12.24` -> `openidconnect v4.0.1` (and also via `opendal`/`yubico_ng`). |
||||
|
|
||||
|
Counts and impact |
||||
|
----------------- |
||||
|
- cargo-deny reported 7 license errors in the most recent run. The list above represents the full set of failing crates. |
||||
|
|
||||
|
Short remediation guidance |
||||
|
------------------------ |
||||
|
- `webauthn-rs`: direct dependency. Options: (a) upgrade (if a permissively licensed version exists), (b) replace with an alternative WebAuthn crate, or (c) vendor minimal functionality. Immediate step: contact upstream and search for forks/relicensing. |
||||
|
- `webpki-roots`: transitive via the TLS/HTTP stack. Options: (a) coordinated upgrade of `reqwest`/`hyper-rustls`/`openidconnect` or (b) switch TLS backend/features to avoid `webpki-roots`. |
||||
|
|
||||
|
Artifacts |
||||
|
--------- |
||||
|
- Full diagnostics and experiment artifacts: `docker/audit/output/` (files: `*_deny.err`, `*_deny.json`, `*_build.err`). |
||||
|
|
||||
|
Next steps |
||||
|
---------- |
||||
|
1. Owner assignment and tasking in PR checklist (see draft PR #2). |
||||
|
2. Continue coordinated upgrades for `reqwest` chain and attempt to upgrade/replace `webauthn-rs`. |
||||
|
3. Remove temporary allowlist once all offenders are resolved. |
||||
Loading…
Reference in new issue