Add deny.toml for cargo-deny

matthiasbeyer · Matthias Beyer · commit 1aae75b40581 · 2021-01-13T15:08:56.000+01:00
This patch adds the deny.toml configuration file for cargo-deny to

* check licenses of the dependencies
* check that dependencies are fetched from trusted sources

We do not allow copyleft licenses, except for MPL-2.0, which is
considered "safe" as a dependency because it only applies to the code
that's licensed, not code that depends on it. (IANAL)
We allow either OSI or FSF approved "free" licenses.

Signed-off-by: Matthias Beyer &lt;mail@beyermatthias.de&gt;
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,62 @@
+[licenses]
+# The lint level for crates which do not have a detectable license
+unlicensed = "deny"
+
+# List of explictly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = ["MPL-2.0"]
+
+# List of explictly disallowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+deny = []
+
+# The lint level for licenses considered copyleft
+copyleft = "deny"
+
+# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
+# * both - The license will only be approved if it is both OSI-approved *AND* FSF/Free
+# * either - The license will be approved if it is either OSI-approved *OR* FSF/Free
+# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF/Free
+# * fsf-only - The license will be approved if is FSF/Free *AND NOT* OSI-approved
+# * neither - The license will be denied if is FSF/Free *OR* OSI-approved
+allow-osi-fsf-free = "either"
+
+# The confidence threshold for detecting a license from license text.
+# The higher the value, the more closely the license text must be to the
+# canonical license text of a valid SPDX license file.
+# [possible values: any between 0.0 and 1.0].
+confidence-threshold = 0.8
+
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+
+# The graph highlighting used when creating dotgraphs for crates
+# with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+
+# List of crates that are allowed. Use with care!
+allow = [
+]
+
+# List of crates to deny
+deny = [
+    # Each entry the name of a crate and a version range. If version is
+    # not specified, all versions will be matched.
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+]
+
+# Similarly to `skip` allows you to skip certain crates during duplicate detection,
+# unlike skip, it also includes the entire tree of transitive dependencies starting at
+# the specified crate, up to a certain depth, which is by default infinite
+skip-tree = [
+]
+
