Open Bug 1811090 Opened 2 months ago Updated 2 months ago

Remove exemptions for precise vendored wgpu crates

(Core :: Graphics: WebGPU, defect)

(Reporter: bholley, Unassigned, NeedInfo)

We recently implemented a new cargo-vet feature to allow precise audits for audit-as-crates-io git dependencies. This allows our enforcement to get more precise in situations where we're using the bleeding edge of a public crate. The tool now requires an audit for the base public version, as well as a delta from that version to the actual git commit.

When upgrading cargo-vet on mozilla-central yesterday, I had to handle the handful of cases where our audit coverage was no longer sufficient. A number of them were trivial to audit myself. However, several webgpu crates (wgpu-core, wgpu-hal, wgpu-types, and naga) had substantial diffs between what was published and what we're using, so I marked them as exemptions to unblock the upgrade.

My understanding is that we are currently tracking these deltas out of band. Ideally, we'd move this book-keeping into the tree and remove the exemptions. Cargo-vet should support delta chains through git commits and back to public versions, so we should be able to move to a model where we audit exactly what we're pulling in each time we do it.

Flags: needinfo?(jimb)
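For readers unfamiliar with how cargo-vet records this, the following is an added illustration of the audit-plus-delta model the report describes; it is not taken from mozilla-central's supply-chain/ directory or from the wgpu project. The version number, commit hashes and reviewer identities are placeholders, and only the file layout, the `audit-as-crates-io` policy, the `[[exemptions.<crate>]]` form and the `<version>@git:<commit>` version syntax are real cargo-vet conventions.

```toml
# supply-chain/config.toml (hypothetical excerpt)

# Tell cargo-vet to treat the git dependency as a fork of the crates.io release,
# so the tree needs a full audit of the base version plus deltas to the commit.
[policy.wgpu-core]
audit-as-crates-io = true

# An exemption of this shape is what "marking it as an exemption" produces:
# it waives the audit requirement for exactly this git commit and nothing else.
# Placeholder version and commit hash; the real entry names the vendored commit.
# Landing the delta audit below is what lets this entry be deleted.
[[exemptions.wgpu-core]]
version = "0.15.0@git:0123456789abcdef0123456789abcdef01234567"
criteria = "safe-to-deploy"


# supply-chain/audits.toml (hypothetical excerpt)

# 1. A full audit of the published base version. This is the anchor of the chain
#    and is the part that can usually be imported from another project's audits.
[[audits.wgpu-core]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder
criteria = "safe-to-deploy"
version = "0.15.0"                               # placeholder base version

# 2. A delta audit from that base version to the git commit actually vendored.
#    The reviewer reads only the diff between the two trees, not the whole crate.
[[audits.wgpu-core]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder
criteria = "safe-to-deploy"
delta = "0.15.0 -> 0.15.0@git:0123456789abcdef0123456789abcdef01234567"
notes = "Reviewed the diff between the 0.15.0 release and the vendored commit."

# 3. On the next update, a delta between the previous commit and the new one.
#    cargo-vet chains 1 -> 2 -> 3, so each update is audited exactly once and
#    the exemption in config.toml is no longer needed.
[[audits.wgpu-core]]
who = "Reviewer Name <reviewer@example.com>"   # placeholder
criteria = "safe-to-deploy"
delta = "0.15.0@git:0123456789abcdef0123456789abcdef01234567 -> 0.15.0@git:89abcdef0123456789abcdef0123456789abcdef"
notes = "Reviewed the diff between the two vendored commits."
```

In practice the delta entries are produced with `cargo vet certify` rather than typed by hand, `cargo vet diff wgpu-core <old> <new>` shows the reviewer the exact diff that entry vouches for, and `cargo vet prune` removes exemptions that the new audits make redundant; `cargo vet` itself then fails if any vendored commit is reachable neither through an audit chain nor through an exemption.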