Add deny.toml for cargo-deny

This patch adds the deny.toml configuration file for cargo-deny to * check licenses of the dependencies * check that dependencies are fetched from trusted sources We do not allow copyleft licenses, except for MPL-2.0, which is considered "safe" as a dependency because it only applies to the code that's licensed, not code that depends on it. (IANAL) We allow either OSI or FSF approved "free" licenses. Signed-off-by: Matthias Beyer <[email protected]>
ammernico · Jan 13, 2021 · 1aae75b · 1aae75b
1 parent a3d06a9
commit 1aae75b
Showing 1 changed file with 62 additions and 0 deletions.
diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,62 @@
+[licenses]
+# The lint level for crates which do not have a detectable license
+unlicensed = "deny"
+
+# List of explictly allowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+allow = ["MPL-2.0"]
+
+# List of explictly disallowed licenses
+# See https://spdx.org/licenses/ for list of possible licenses
+# [possible values: any SPDX 3.7 short identifier (+ optional exception)].
+deny = []
+
+# The lint level for licenses considered copyleft
+copyleft = "deny"
+
+# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
+# * both - The license will only be approved if it is both OSI-approved *AND* FSF/Free
+# * either - The license will be approved if it is either OSI-approved *OR* FSF/Free
+# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF/Free
+# * fsf-only - The license will be approved if is FSF/Free *AND NOT* OSI-approved
+# * neither - The license will be denied if is FSF/Free *OR* OSI-approved
+allow-osi-fsf-free = "either"
+
+# The confidence threshold for detecting a license from license text.
+# The higher the value, the more closely the license text must be to the
+# canonical license text of a valid SPDX license file.
+# [possible values: any between 0.0 and 1.0].
+confidence-threshold = 0.8
+
+[bans]
+# Lint level for when multiple versions of the same crate are detected
+multiple-versions = "warn"
+
+# The graph highlighting used when creating dotgraphs for crates
+# with multiple versions
+# * lowest-version - The path to the lowest versioned duplicate is highlighted
+# * simplest-path - The path to the version with the fewest edges is highlighted
+# * all - Both lowest-version and simplest-path are used
+highlight = "all"
+
+# List of crates that are allowed. Use with care!
+allow = [
+]
+
+# List of crates to deny
+deny = [
+    # Each entry the name of a crate and a version range. If version is
+    # not specified, all versions will be matched.
+]
+
+# Certain crates/versions that will be skipped when doing duplicate detection.
+skip = [
+]
+
+# Similarly to `skip` allows you to skip certain crates during duplicate detection,
+# unlike skip, it also includes the entire tree of transitive dependencies starting at
+# the specified crate, up to a certain depth, which is by default infinite
+skip-tree = [
+]
+