This repository has been archived by the owner on Nov 15, 2023. It is now read-only.

WIP: add cargo-deny job #925

Closed
wants to merge 5 commits into from

Conversation

@TriplEight (Contributor) commented Mar 22, 2020

Resolves #922

  • temporarily runs on every commit, but later will be changed to run before the merge and nightly
  • fails when it encounters:
    • unlicensed workspace members
    • vulnerabilities from advisories
    • uncertain and unlicensed deps
    • parity-util-mem <0.6
  • warns about everything else:
    • unknown git sources
    • duplicate dependencies
    • unmaintained/yanked crates
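
A deny.toml that expresses the policy listed above (deny on unlicensed crates, on advisories and on parity-util-mem older than 0.6; warn on unknown git sources, duplicate versions, and unmaintained or yanked crates), plus the `[[licenses.clarify]]` entry for ring that the review below asks for. This is an added illustration, not the configuration carried by this PR: the licence allow-list, the ring licence expression and the LICENSE file hash are assumptions and have to be adjusted to the crate versions actually vendored (cargo-deny fails the clarification when the hash does not match). The keys follow the cargo-deny schema of early 2020; later releases renamed some of the `[advisories]` keys.

```toml
# deny.toml (added example, not the file from this PR)
# Run with: cargo deny check advisories licenses bans sources

[advisories]
# any RustSec vulnerability in the dependency graph fails the job ...
vulnerability = "deny"
# ... crates that are merely unmaintained or yanked only produce a warning
unmaintained = "warn"
yanked = "warn"
notice = "warn"

[licenses]
# workspace members and dependencies with no detectable licence fail the check
unlicensed = "deny"
# a licence match below this confidence is treated as uncertain and also fails
confidence-threshold = 0.8
# assumption: the set of licences this project accepts outright
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"]
# copyleft licences (e.g. MPL, GPL) are reported but not rejected
copyleft = "warn"
allow-osi-fsf-free = "neither"
# anything not covered above is rejected
default = "deny"

# ring ships a custom LICENSE file that cargo-deny cannot classify on its own.
# Assumption: expression and hash must match the LICENSE of the vendored ring version.
[[licenses.clarify]]
name = "ring"
expression = "MIT AND ISC AND OpenSSL"
license-files = [{ path = "LICENSE", hash = 0xbd0eed23 }]

[bans]
# the same crate pulled in at several versions is reported, not rejected (yet)
multiple-versions = "warn"
# the one hard ban from the PR description
deny = [
    { name = "parity-util-mem", version = "<0.6" },
]

[sources]
# crates fetched from a registry or git URL that is not crates.io are reported
unknown-registry = "warn"
unknown-git = "warn"
```

Each check exits non-zero only on a `deny`-level finding, so the warn/deny split above is what decides whether the CI job fails: an unlicensed crate or a vulnerable version blocks, a duplicate version or a non-crates.io git source shows up in the log but does not.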

@TriplEight (Contributor, Author)

An example of the check: https://gitlab.parity.io/parity/polkadot/-/jobs/427639

@kirushik (Contributor) left a comment

It's good that the new check indicates our own unlicensed dependencies.
At the same time, I'm not sure I understand who picked this rather questionable licensing approach, and why. Say, why wouldn't we want MPL-licensed dependencies in our GPL-licensed client?

Also: you could've at least clarified ring's license in the config.

@TriplEight TriplEight added the A3-in_progress Pull request is in progress. No review needed at this stage. label Mar 23, 2020
@TriplEight TriplEight changed the title add cargo-deny job WIP: add cargo-deny job Mar 23, 2020
@TriplEight (Contributor, Author)

Example of job now: https://gitlab.parity.io/parity/polkadot/-/jobs/429231

@TriplEight (Contributor, Author)

Also: you could've at least clarified ring's license in the config.

done, what else needs to be done in this PR? @gnunicorn ?

@gnunicorn (Contributor)

With #922 already resolved, what are we trying to accomplish here exactly? I am rather hesitant to add more CI tasks unless they are strictly necessary, as our CI is already under a lot of load.

Is the plan to have that run with every PR? Or as a nightly job? If the latter, I think this is fine to do (aside from the fact that it currently fails, so merging is blocked ;) ) – but we should probably automatically open tickets when we find this one failing as well.

//cc @s3krit

@TriplEight (Contributor, Author)

@gnunicorn

Is the plan to have that run with every PR? Or as a nightly job?

Of course it doesn't make sense to run it every commit. Ideally, I'd want it before merges (but currently we can't do that). I can suggest running it either on master (so after merges and nightly) or just nightly, but the latter would only make sense if it would automatically create issues.

it currently fails

I'm not sure if we've decided something on what to do with those 17 internal licensing errors.

@kirushik (Contributor)

@gnunicorn IMO, merging a PR (especially a third-party one) with some questionable licensing should be avoided, even if at cost of some additional CI load (this task shouldn't add much anyway).

  1. Merging a PR with potentially questionable licensing might be viral, and can taint the licensing state of the whole codebase on master at that point. No simple PR would be enough to fix that, we would need some revision history surgery on master to undo the damage (and it's still not 100% certain that it will fix all the potential issues). Think of merging a GPL-licensed dependency into a MIT-licensed library — isn't all your code now implicitly GPL-licensed forever? Tough question, let's not find out.

  2. Wouldn't it be much easier to resolve the issue with an offending dependency right in the PR where it was added, while everyone's context is still fresh? Again, in the case of a third-party contributor it would require someone other than the official author to reengineer our freshly-merged code — not ideal.

All this of course doesn't apply to checking advisories with cargo-deny, only to its license-checking capabilities.

@gavofyork (Member)

@s3krit closing due to being stale. reopen if needed.

@gavofyork gavofyork closed this May 21, 2020
HCastano added a commit that referenced this pull request Apr 29, 2021
801c99f3 Add Wococo<>Rococo Header Relayer (#925)
21f49051 Remove Westend<>Rococo header sync (#940)
06235f16 do not panic if pallet is not yet initialized (#937)
a13ee0bc Bump Substrate (#939)
f8680cbf jsonrpsee alpha6 (#938)
6163bcbf reonnect to failed client in on-demand relay background task (#936)
14e82bea Do not spawn additional task for on-demand relays (#933)
b1557b88 Relay at least one header for every source chain session (#923)
9420649c Remove deprecated Runtime Header APIs (#932)
9627011e Update README.md (#931)
7b736b9c Truncate output in logs. (#930)
faad06e3 Make sure that relayers have dates in logs. (#927)
07734535 Update dump-logs script. (#928)
c2d56b2e Add pruning to bechmarks & update weights. (#918)
a30c51dc Add properties to Chain Spec (#917)
d691c73e Fix issue with on-demand headers relay not starting (#921)
8ee55c1e Fix image publishing. (#922)
f51fb59d Prefix in relay loops logs (#920)

git-subtree-dir: bridges
git-subtree-split: 801c99f3de0fa4d0b61e4e065fa30817179368ea
tomusdrw added a commit that referenced this pull request May 3, 2021
f43c92430 Fix account derivation in CLI (#952)
9ac07e733 Add backbone configuration of cargo-spellcheck (#924)
2761c3fef Message dispatch support multiple instances (#942)
801c99f3d Add Wococo<>Rococo Header Relayer (#925)
21f490514 Remove Westend<>Rococo header sync (#940)
06235f162 do not panic if pallet is not yet initialized (#937)
a13ee0bc3 Bump Substrate (#939)
f8680cbfc jsonrpsee alpha6 (#938)
6163bcbf4 reonnect to failed client in on-demand relay background task (#936)
14e82bea3 Do not spawn additional task for on-demand relays (#933)
b1557b882 Relay at least one header for every source chain session (#923)
9420649c1 Remove deprecated Runtime Header APIs (#932)
9627011e1 Update README.md (#931)
7b736b9cc Truncate output in logs. (#930)
faad06e39 Make sure that relayers have dates in logs. (#927)
077345351 Update dump-logs script. (#928)
c2d56b2e9 Add pruning to bechmarks & update weights. (#918)
a30c51dc9 Add properties to Chain Spec (#917)
d691c73e9 Fix issue with on-demand headers relay not starting (#921)
8ee55c1e1 Fix image publishing. (#922)
f51fb59d0 Prefix in relay loops logs (#920)

git-subtree-dir: bridges
git-subtree-split: f43c924301c227d29ec161f6815d9bac458a211d
HCastano added a commit that referenced this pull request May 4, 2021
b2099c5c Bump Substrate to `b094edaf` (#958)
3f037094 Bump endowment amounts on Rialto and Millau (#957)
b21fd07c Bump Substrate WASM builder (#947)
30ccd07c Bump Substrate to `ec180313` (#955)
a7422ab1 Upgrade to GitHub-native Dependabot (#945)
ed20ef34 Move pallet-bridge-dispatch types to primitives (#948)
2070c4d6 Endow accounts and add `bridgeIds` to chainspec. (#951)
f43c9243 Fix account derivation in CLI (#952)
9ac07e73 Add backbone configuration of cargo-spellcheck (#924)
2761c3fe Message dispatch support multiple instances (#942)
801c99f3 Add Wococo<>Rococo Header Relayer (#925)
21f49051 Remove Westend<>Rococo header sync (#940)
06235f16 do not panic if pallet is not yet initialized (#937)
a13ee0bc Bump Substrate (#939)
f8680cbf jsonrpsee alpha6 (#938)
6163bcbf reonnect to failed client in on-demand relay background task (#936)
14e82bea Do not spawn additional task for on-demand relays (#933)
b1557b88 Relay at least one header for every source chain session (#923)
9420649c Remove deprecated Runtime Header APIs (#932)
9627011e Update README.md (#931)
7b736b9c Truncate output in logs. (#930)
faad06e3 Make sure that relayers have dates in logs. (#927)
07734535 Update dump-logs script. (#928)
c2d56b2e Add pruning to bechmarks & update weights. (#918)
a30c51dc Add properties to Chain Spec (#917)
d691c73e Fix issue with on-demand headers relay not starting (#921)
8ee55c1e Fix image publishing. (#922)
f51fb59d Prefix in relay loops logs (#920)

git-subtree-dir: bridges
git-subtree-split: b2099c5c0baf569e2ec7228507b6e4f3972143cc
Labels
A3-in_progress Pull request is in progress. No review needed at this stage.
Development

Successfully merging this pull request may close these issues.

Ban multiple versions of parity-util-mem
5 participants