Bugzilla

I tried to add exemptions manually into 

So, after using `cargo vet add-exemption` to all the dependencies and adding more `TOLERATED_DUPES` in `vendor_rust.py` I ended up having the following
```
(...)
   Vendoring evercrypt v0.0.11 (/Users/bbeurdouche/.cargo/registry/src/index.crates.io-6f17d22bba15001f/evercrypt-0.0.11) to /opt/mozilla/relay-firefox/third_party/rust/evercrypt
   Vendoring evercrypt-sys v0.0.9 (/Users/bbeurdouche/.cargo/registry/src/index.crates.io-6f17d22bba15001f/evercrypt-sys-0.0.9) to /opt/mozilla/relay-firefox/third_party/rust/evercrypt-sys
(...)
```
The list of vendored is followed by
```
To use vendored sources, add this to your .cargo/config.toml for this project:

 0:18.62 Package bindgen-0.58.1 has a license that is approved for build-time dependencies:
    BSD-3-Clause
    but the package itself is not whitelisted as being a build-time only package.

    If your package is build-time only, please add it to the whitelist of build-time
    only packages. Otherwise, you need to request license review on the package's license.
    If the package's license is approved, please add it to the whitelist of suitable licenses.
    
 0:18.82 The changes from `mach vendor rust` will NOT be added to version control.


NOTE: `cargo vendor` may have made changes to your Cargo.lock. To restore your
Cargo.lock to the HEAD version, run `git checkout -- Cargo.lock` or
`hg revert Cargo.lock`.
```
Then nothing happens and the `third-party/rust` folder does not get populated.
Note that I don't understand the message...

I tried to add exemptions manually into `supply-chain/config.toml` but that didn't seem to work. 

So, after using `cargo vet add-exemption` to all the dependencies and adding more `TOLERATED_DUPES` in `vendor_rust.py` I ended up having the following
```
(...)
   Vendoring evercrypt v0.0.11 (/Users/bbeurdouche/.cargo/registry/src/index.crates.io-6f17d22bba15001f/evercrypt-0.0.11) to /opt/mozilla/relay-firefox/third_party/rust/evercrypt
   Vendoring evercrypt-sys v0.0.9 (/Users/bbeurdouche/.cargo/registry/src/index.crates.io-6f17d22bba15001f/evercrypt-sys-0.0.9) to /opt/mozilla/relay-firefox/third_party/rust/evercrypt-sys
(...)
```
The list of vendored is followed by
```
To use vendored sources, add this to your .cargo/config.toml for this project:

 0:18.62 Package bindgen-0.58.1 has a license that is approved for build-time dependencies:
    BSD-3-Clause
    but the package itself is not whitelisted as being a build-time only package.

    If your package is build-time only, please add it to the whitelist of build-time
    only packages. Otherwise, you need to request license review on the package's license.
    If the package's license is approved, please add it to the whitelist of suitable licenses.
    
 0:18.82 The changes from `mach vendor rust` will NOT be added to version control.


NOTE: `cargo vendor` may have made changes to your Cargo.lock. To restore your
Cargo.lock to the HEAD version, run `git checkout -- Cargo.lock` or
`hg revert Cargo.lock`.
```
Then nothing happens and the `third-party/rust` folder does not get populated.
Note that I don't understand the message...