-
-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update cargo deny #12178
Update cargo deny #12178
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After looking over the relevant documentation and release notes, this looks good. I'm not particularly familiar with cargo-deny
, though, so take my review with a grain of salt. :)
(Make sure to follow up with François's review, though.)
5cfb9e9
to
aab6a75
Compare
exceptions = [ | ||
{ name = "unicode-ident", allow = [ | ||
"Unicode-DFS-2016", | ||
] }, | ||
{ name = "symphonia", allow = [ | ||
"MPL-2.0", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO we may just want to make a blanket exception for weak-copyleft licenses like MPL. Any strong-copyleft (i.e. GPL), should remain disallowed due to their virality.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah but: #10544 (comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, my stance is currently "weak-copyleft only in very optional components, and preference to avoid".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK sounds good to me. If that's the case I think we may just want to only allow it if and only if the crate itself is platform agnostic, which I think Symphonia is (cpal is the platform integration for audio, Symphonia is primarily there to provide encoders/decoders), and to prefer more permissive alternatives where available.
# Objective Cargo-deny has being updated and now some keys are being deprecated. Fix these warnings: <details> ```rs warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:6:1 │ 6 │ vulnerability = "deny" │ ^^^^^^^^^^^^^ warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:7:1 │ 7 │ unmaintained = "deny" │ ^^^^^^^^^^^^ warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:9:1 │ 9 │ notice = "deny" │ ^^^^^^ warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:13:1 │ 13 │ unlicensed = "deny" │ ^^^^^^^^^^ warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:14:1 │ 14 │ copyleft = "deny" │ ^^^^^^^^ warning[deprecated]: this key will be removed in a future update, see EmbarkStudios/cargo-deny#611 for details ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:15:1 │ 15 │ default = "deny" │ ^^^^^^^ warning[deprecated]: this key has been moved to [graph] ┌─ /Users/ameknite/code/rust/repos/bevy/deny.toml:1:1 │ 1 │ all-features = true │ ^^^^^^^^^^^^ ``` </details> This also fix ci by temporarily skipping the check for cpal dependencies. bevyengine#11917 (comment) ## Solution - Remove keys deprecated. - Update the list of licenses allowed. (All these licenses are already being use for some dependencies) - Skip cpal dependencies to avoid falining in CI, while we wait for new releases bevyengine#11917 (comment)
Objective
Cargo-deny has being updated and now some keys are being deprecated.
Fix these warnings:
This also fix ci by temporarily skipping the check for cpal dependencies.
#11917 (comment)
Solution