Remove exemptions for precise vendored wgpu crates
(Core :: Graphics: WebGPU, defect)
(Reporter: bholley, Unassigned, NeedInfo)
We recently implemented a new cargo-vet features to allow precise audits for
audit-as-crates-io git dependencies. This allows our enforcement to get more precise in situations where we're using the bleeding edge of a public crate. The tool now requires an audit for the base public version, as well as a delta from that version to the actual git commit.
When upgrade cargo-vet on mozilla-central yesterday, I had to handle the handful of cases where our audit coverage was no longer sufficient. A number of them were trivial to audit myself. However, several webgpu crates (wgu-core, wgpu-hal, wgpu-types, and naga) had substantial diffs between what was published and what we're using, so I marked them as exemptions to unblock the upgrade.
My understanding is that we are currently tracking these deltas out of band. Ideally, we'd move this book-keeping into the tree and remove the exemptions. Cargo-vet should support delta chains through git commits and back to public versions, so we should be able to move to a model where we audit exactly what we're pulling in each time we do it.
2 months ago