From ffbfd357ff04174932adf11ca6ccb94dae93921e Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 14 Nov 2024 16:47:08 -0500 Subject: [PATCH] Add a basic noble migration check script Perform a number of checks to ensure the system is ready for the noble migration. The results are written to a JSON file in /etc/ that other things like the JI and the upgrade script itself can read from. The script is run hourly on a systemd timer but can also be run interactively for administrators who want slightly more details. Refs #7322. --- Cargo.lock | 472 ++++++++++--- .../testinfra/common/test_release_upgrades.py | 20 + noble-migration/Cargo.toml | 5 + noble-migration/src/bin/check.rs | 198 ++++++ noble-migration/src/main.rs | 3 - .../securedrop-noble-migration-check.service | 7 + .../securedrop-noble-migration-check.timer | 10 + securedrop/debian/rules | 4 +- supply-chain/audits.toml | 105 +++ supply-chain/imports.lock | 628 ++++++++++++++++++ 10 files changed, 1371 insertions(+), 81 deletions(-) create mode 100644 noble-migration/src/bin/check.rs delete mode 100644 noble-migration/src/main.rs create mode 100644 securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service create mode 100644 securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer diff --git a/Cargo.lock b/Cargo.lock index 9626a066e9..6bef724b5e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -34,9 +34,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.75" +version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6" +checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" [[package]] name = "ascii-canvas" 
@@ -231,6 +231,17 @@ dependencies = [ "winapi", ] +[[package]] +name = "displaydoc" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "dyn-clone" version = "1.0.14" @@ -260,12 +271,12 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.5" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3e13f66a2f95e32a39eaa81f6b95d42878ca0e1db0c7543723dfe12557e860" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -305,6 +316,15 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" +[[package]] +name = "form_urlencoded" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" +dependencies = [ + "percent-encoding", +] + [[package]] name = "generic-array" version = "0.14.7" 
@@ -363,14 +383,143 @@ dependencies = [ "cc", ] +[[package]] +name = "icu_collections" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locid" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_locid_transform" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_locid_transform_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_locid_transform_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" + +[[package]] +name = "icu_normalizer" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" +dependencies = [ + "displaydoc", + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "utf16_iter", + "utf8_iter", + "write16", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" + +[[package]] +name = "icu_properties" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" +dependencies = [ + 
"displaydoc", + "icu_collections", + "icu_locid_transform", + "icu_properties_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" + +[[package]] +name = "icu_provider" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_provider_macros", + "stable_deref_trait", + "tinystr", + "writeable", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_provider_macros" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "idna" -version = "0.5.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" +checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" dependencies = [ - "unicode-bidi", - "unicode-normalization", + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" +dependencies = [ + "icu_normalizer", + "icu_properties", ] [[package]] @@ -409,6 +558,12 @@ dependencies = [ "either", ] +[[package]] +name = "itoa" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" + [[package]] name = "js-sys" version = "0.3.64" 
@@ -454,15 +609,21 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.149" +version = "0.2.162" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" +checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398" [[package]] name = "linux-raw-sys" -version = "0.4.10" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da2479e8c062e40bf0066ffa0bc823de0a9368974af99c9f6df941d2c231e03f" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" + +[[package]] +name = "litemap" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" [[package]] name = "lock_api" @@ -519,6 +680,13 @@ checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54" [[package]] name = "noble-migration" version = "0.1.0" +dependencies = [ + "anyhow", + "rustix", + "serde", + "serde_json", + "url", +] [[package]] name = "num-traits" @@ -558,7 +726,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", ] [[package]] @@ -596,6 +764,12 @@ dependencies = [ "windows-targets 0.48.5", ] +[[package]] +name = "percent-encoding" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" + [[package]] name = "petgraph" version = "0.6.4" 
@@ -629,9 +803,9 @@ checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c" [[package]] name = "proc-macro2" -version = "1.0.69" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] @@ -698,9 +872,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.33" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] @@ -782,15 +956,15 @@ checksum = "c3cbb081b9784b07cceb8824c8583f86db4814d172ab043f3c23f7dc600bf83d" [[package]] name = "rustix" -version = "0.38.21" +version = "0.38.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b426b0506e5d50a7d8dafcf2e81471400deb602392c7dd110815afb4eaf02a3" +checksum = "99e4ea3e1cdc4b559b8e5650f9c8e5998e3e5c1343b4eaf034565f32318d63c0" dependencies = [ "bitflags 2.4.0", "errno", "libc", "linux-raw-sys", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -799,6 +973,12 @@ version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" +[[package]] +name = "ryu" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" + [[package]] name = "scopeguard" version = "1.2.0" 
@@ -835,6 +1015,38 @@ dependencies = [ "xxhash-rust", ] +[[package]] +name = "serde" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + +[[package]] +name = "serde_json" +version = "1.0.132" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" +dependencies = [ + "itoa", + "memchr", + "ryu", + "serde", +] + [[package]] name = "sha1collisiondetection" version = "0.3.1" @@ -853,9 +1065,15 @@ checksum = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d" [[package]] name = "smallvec" -version = "1.11.1" +version = "1.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" + +[[package]] +name = "stable_deref_trait" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" +checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" [[package]] name = "string_cache" 
@@ -883,15 +1101,26 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.38" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", "unicode-ident", ] +[[package]] +name = "synstructure" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "target-lexicon" version = "0.12.11" @@ -939,7 +1168,7 @@ checksum = "10712f02019e9288794769fba95cd6847df9874d49d871d062172f9dd41bc4cc" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", ] [[package]] 
@@ -952,47 +1181,27 @@ dependencies = [ ] [[package]] -name = "tinyvec" -version = "1.6.0" +name = "tinystr" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" dependencies = [ - "tinyvec_macros", + "displaydoc", + "zerovec", ] -[[package]] -name = "tinyvec_macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" - [[package]] name = "typenum" version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" -[[package]] -name = "unicode-bidi" -version = "0.3.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" - [[package]] name = "unicode-ident" version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" -[[package]] -name = "unicode-normalization" -version = "0.1.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" -dependencies = [ - "tinyvec", -] - [[package]] name = "unicode-xid" version = "0.2.4" 
@@ -1005,6 +1214,29 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1766d682d402817b5ac4490b3c3002d91dfa0d22812f341609f97b08757359c" +[[package]] +name = "url" +version = "2.5.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d157f1b96d14500ffdc1f10ba712e780825526c03d9a49b4d0324b0d9113ada" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + +[[package]] +name = "utf16_iter" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + [[package]] name = "vcpkg" version = "0.2.15" @@ -1044,7 +1276,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", "wasm-bindgen-shared", ] @@ -1066,7 +1298,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -1123,7 +1355,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.0", + "windows-targets 0.52.6", ] [[package]] 
@@ -1143,17 +1375,18 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm 0.52.0", - "windows_aarch64_msvc 0.52.0", - "windows_i686_gnu 0.52.0", - "windows_i686_msvc 0.52.0", - "windows_x86_64_gnu 0.52.0", - "windows_x86_64_gnullvm 0.52.0", - "windows_x86_64_msvc 0.52.0", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] @@ -1164,9 +1397,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" [[package]] name = "windows_aarch64_msvc" @@ -1176,9 +1409,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_aarch64_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" [[package]] name = "windows_i686_gnu" 
@@ -1188,9 +1421,15 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_gnu" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" [[package]] name = "windows_i686_msvc" @@ -1200,9 +1439,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_i686_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" [[package]] name = "windows_x86_64_gnu" @@ -1212,9 +1451,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnu" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" [[package]] name = "windows_x86_64_gnullvm" @@ -1224,9 +1463,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_gnullvm" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" [[package]] name = "windows_x86_64_msvc" 
@@ -1236,12 +1475,91 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" [[package]] name = "windows_x86_64_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + +[[package]] +name = "write16" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" + +[[package]] +name = "writeable" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" [[package]] name = "xxhash-rust" version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9828b178da53440fa9c766a3d2f73f7cf5d0ac1fe3980c1e5018d899fd19e07b" + +[[package]] +name = "yoke" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +dependencies = [ + "serde", + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", + "synstructure", +] + +[[package]] +name = "zerofrom" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = 
"0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+ "synstructure",
+]
+
+[[package]]
+name = "zerovec"
+version = "0.10.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079"
+dependencies = [
+ "yoke",
+ "zerofrom",
+ "zerovec-derive",
+]
+
+[[package]]
+name = "zerovec-derive"
+version = "0.10.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.87",
+]
diff --git a/molecule/testinfra/common/test_release_upgrades.py b/molecule/testinfra/common/test_release_upgrades.py
index 5eb87a2c3b..eb66e8c05f 100644
--- a/molecule/testinfra/common/test_release_upgrades.py
+++ b/molecule/testinfra/common/test_release_upgrades.py
@@ -1,3 +1,6 @@
+import time
+
+import pytest
 import testutils
 test_vars = testutils.securedrop_test_vars
@@ -27,3 +30,20 @@ def test_release_manager_upgrade_channel(host):
 _, channel = raw_output.split("=")
 assert channel == "never"
+
+
+def test_migration_check(host):
+ """Verify our migration check script works"""
+ if host.system_info.codename != "focal":
+ pytest.skip("only applicable/testable on focal")
+
+ with host.sudo():
+ # remove state file so we can see if it works
+ if host.file("/etc/securedrop-noble-migration.json").exists:
+ host.run("rm /etc/securedrop-noble-migration.json")
+ cmd = host.run("systemctl start securedrop-noble-migration-check")
+ assert cmd.rc == 0
+ while host.service("securedrop-noble-migration-check").is_running:
+ time.sleep(1)
+
+ assert host.file("/etc/securedrop-noble-migration.json").exists
diff --git a/noble-migration/Cargo.toml b/noble-migration/Cargo.toml
index 6714ccddeb..af75a0e55b 100644
--- a/noble-migration/Cargo.toml
+++ b/noble-migration/Cargo.toml
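Review bot: The final assertion in test_migration_check only checks that /etc/securedrop-noble-migration.json exists, but the check binary in this same patch also writes that file when it hits an error (`{"error": true}`) and when the codename is unsupported (`{}`), so the test passes even if none of the checks actually ran. Parse the file instead: `state = json.loads(host.file("/etc/securedrop-noble-migration.json").content_string)` followed by `assert "error" not in state` (with `import json` added at the top). The `while ... is_running: time.sleep(1)` loop also has no upper bound; since the unit is declared `Type=oneshot` elsewhere in this patch, `systemctl start` should already block until the run completes, so the loop looks redundant, and if it is kept it needs a timeout so a hung check fails the test rather than hanging CI.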
@@ -4,3 +4,8 @@ version = "0.1.0"
 edition = "2021"
 [dependencies]
+anyhow = "1.0.93"
+rustix = { version = "0.38.40", features = ["process"] }
+serde = { version = "1.0.215", features = ["derive"] }
+serde_json = "1.0.132"
+url = "2.5.3"
diff --git a/noble-migration/src/bin/check.rs b/noble-migration/src/bin/check.rs
new file mode 100644
index 0000000000..d9d3c3d394
--- /dev/null
+++ b/noble-migration/src/bin/check.rs
@@ -0,0 +1,198 @@
+//! Check migration of a SecureDrop server from focal to noble
+//!
+//! This script is run as root on both the app and mon servers.
+use anyhow::{anyhow, Result};
+use rustix::process::geteuid;
+use serde::Serialize;
+use std::{
+ fs,
+ process::{self, ExitCode},
+};
+use url::Host;
+
+const STATE_PATH: &str = "/etc/securedrop-noble-migration.json";
+
+#[derive(Serialize)]
+struct State {
+ ssh: bool,
+ ufw: bool,
+ free_space: bool,
+ apt: bool,
+ systemd: bool,
+}
+
+/// Parse the OS codename from /etc/os-release
+fn os_codename() -> Result {
+ let contents = fs::read_to_string("/etc/os-release")?;
+ for line in contents.lines() {
+ if line.starts_with("VERSION_CODENAME=") {
+ let (_, codename) = line.split_once("=").unwrap();
+ return Ok(codename.trim().to_string());
+ }
+ }
+
+ Err(anyhow!(
+ "Could not find VERSION_CODENAME in /etc/os-release"
+ ))
+}
+
+/// Check that the UNIX "ssh" group has no members
+fn check_ssh_group() -> Result {
+ // There are no clean bindings to getgrpname in rustix,
+ // so jut shell out to getent to get group members
+ let output = process::Command::new("getent")
+ .arg("group")
+ .arg("ssh")
+ .output()?;
+ if output.status.code() == Some(2) {
+ println!("ssh: group does not exist");
+ return Ok(true);
+ } else if !output.status.success() {
+ return Err(anyhow!("running getent failed",));
+ }
+
+ let stdout = String::from_utf8(output.stdout)?;
+ // The format looks like `ssh:x:123:member1,member2`
+ let (_, members) = stdout.rsplit_once(':').unwrap();
+ if members.is_empty() {
+ println!("ssh: group is empty");
+ Ok(true)
+ } else {
+ println!("ssh: group is not empty: {members}");
+ Ok(false)
+ }
+}
+
+/// Check that ufw is removed
+fn check_ufw_removed() -> Result {
+ if fs::exists("/usr/sbin/ufw")? {
+ println!("ufw: ufw is still installed");
+ Ok(false)
+ } else {
+ println!("ufw: ufw was removed");
+ Ok(true)
+ }
+}
+
+/// Check that there is enough free space
+fn check_free_space() -> Result {
+ // Also no simple bindings to get disk size, so shell out to df
+ let output = process::Command::new("df").arg("/").output()?;
+ if !output.status.success() {
+ return Err(anyhow!("running df failed",));
+ }
+
+ let stdout = String::from_utf8(output.stdout)?;
+ let (_, line) = stdout.split_once('\n').unwrap();
+ let parts: Vec<_> = line.split_whitespace().collect();
+
+ let free_space = parts[3].parse::()?;
+ // Should be at least 10GB free
+ if free_space < 10 * 1024 * 1024 * 1024 {
+ println!("free space: not enough free space");
+ Ok(false)
+ } else {
+ println!("free space: enough free space");
+ Ok(true)
+ }
+}
+
+const EXPECTED_DOMAINS: [&str; 4] = [
+ "archive.ubuntu.com",
+ "security.ubuntu.com",
+ "apt.freedom.press",
+ "apt-test.freedom.press",
+];
+
+/// Verify only expected sources are configured
+fn check_apt() -> Result {
+ let output = process::Command::new("apt-get")
+ .arg("indextargets")
+ .output()?;
+ if !output.status.success() {
+ return Err(anyhow!("running apt-get indextargets failed",));
+ }
+
+ let stdout = String::from_utf8(output.stdout)?;
+ for line in stdout.lines() {
+ if line.starts_with("URI:") {
+ let uri = line.strip_prefix("URI: ").unwrap();
+ let parsed = url::Url::parse(uri)?;
+ if let Some(Host::Domain(domain)) = parsed.host() {
+ if !EXPECTED_DOMAINS.contains(&domain) {
+ println!("apt: unexpected source: {domain}");
+ return Ok(false);
+ }
+ } else {
+ println!("apt: unexpected source: {uri}");
+ return Ok(false);
+ }
+ }
+ }
+
+ println!("apt: all sources are expected");
+ Ok(true)
+}
+
+fn check_systemd() -> Result {
+ let output = process::Command::new("systemctl")
+ .arg("is-failed")
+ .output()?;
+ if output.status.success() {
+ // success means some units are failed
+ println!("systemd: some units are failed");
+ Ok(false)
+ } else {
+ println!("systemd: no failed units");
+ Ok(true)
+ }
+}
+
+fn run() -> Result {
+ let codename = os_codename()?;
+ if codename != "focal" {
+ println!("Unsupported Ubuntu version: {codename}");
+ // nothing to do, write an empty JSON blob
+ fs::write(STATE_PATH, "{}")?;
+ return Ok(ExitCode::SUCCESS);
+ }
+
+ let state = State {
+ ssh: check_ssh_group()?,
+ ufw: check_ufw_removed()?,
+ free_space: check_free_space()?,
+ apt: check_apt()?,
+ systemd: check_systemd()?,
+ };
+
+ fs::write(STATE_PATH, serde_json::to_string(&state)?)?;
+ if state.ssh && state.ufw && state.free_space && state.apt && state.systemd
+ {
+ println!("All ready for migration!");
+ Ok(ExitCode::SUCCESS)
+ } else {
+ println!(
+ "Some errors were found that will block migration.
+If you are unsure what to do, please contact the SecureDrop
+support team: ."
+ );
+ Ok(ExitCode::FAILURE)
+ }
+}
+
+fn main() -> Result {
+ if !geteuid().is_root() {
+ println!("This script must be run as root");
+ return Ok(ExitCode::FAILURE);
+ }
+
+ match run() {
+ Ok(code) => Ok(code),
+ Err(e) => {
+ // Try to log the error in the least complex way possible
+ fs::write(STATE_PATH, "{\"error\": true}")?;
+ eprintln!("Error: {e}");
+ Ok(ExitCode::FAILURE)
+ }
+ }
+}
diff --git a/noble-migration/src/main.rs b/noble-migration/src/main.rs
deleted file mode 100644
index e7a11a969c..0000000000
--- a/noble-migration/src/main.rs
+++ /dev/null
@@ -1,3 +0,0 @@
-fn main() {
- println!("Hello, world!");
-}
diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service
new file mode 100644
index 0000000000..1ef696317d
--- /dev/null
+++ b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service
@@ -0,0 +1,7 @@
+[Unit]
+Description=Check noble migration readiness
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/securedrop-noble-migration-check
+User=root
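Review bot: In check_ssh_group, `stdout.rsplit_once(':')` runs on the raw getent output, which ends in a newline, so for an empty group `members` is `"\n"` rather than `""` and the check reports the group as non-empty every time; trim first, e.g. `let (_, members) = stdout.trim_end().rsplit_once(':').unwrap();`. In check_free_space the `df /` column is parsed with no unit while the threshold `10 * 1024 * 1024 * 1024` is in bytes; df's default output is in 1K blocks, so the comparison is off by a factor of 1024 (about 10 TiB would be required), and `parts[3]` panics if df prints fewer columns — pass an explicit unit (`process::Command::new("df").arg("-B1").arg("/")`) and use `parts.get(3)` with an error instead of indexing. In check_systemd, `systemctl is-failed` is invoked with no unit name; I believe only recent systemd releases accept that form and focal's systemd treats it as a usage error (non-zero exit), which this code then reports as "no failed units", so please verify on a focal host and consider `systemctl list-units --state=failed --no-legend` with an emptiness check, which behaves the same on both releases. Finally, `fs::write(STATE_PATH, …)` truncates the state file before writing, so a concurrent reader such as the upgrade script can observe an empty or partial JSON document; writing to a temporary file in /etc and renaming it into place avoids that.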
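Review bot: The service runs the check as root with no sandboxing directives, although everything visible in this patch only reads system state and writes /etc/securedrop-noble-migration.json. Consider adding `ProtectHome=true`, `PrivateTmp=true` and `NoNewPrivileges=true`, plus `ProtectSystem=strict` with `ReadWritePaths=/etc` if the spawned getent/df/apt-get/systemctl calls still work under it on focal, so that a future bug in the check cannot write anywhere but its state file. The unit has no `[Install]` section, which is fine for a timer-driven oneshot, but a one-line comment such as `# Started hourly by securedrop-noble-migration-check.timer` would save the next reader a lookup.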
diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer
new file mode 100644
index 0000000000..1fcdcd0ac2
--- /dev/null
+++ b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer
@@ -0,0 +1,10 @@
+[Unit]
+Description=Check noble migration readiness
+
+[Timer]
+OnCalendar=hourly
+Persistent=true
+RandomizedDelaySec=5m
+
+[Install]
+WantedBy=timers.target
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
index 7cf036e286..c30672f1c7 100755
--- a/securedrop/debian/rules
+++ b/securedrop/debian/rules
@@ -22,7 +22,7 @@ override_dh_auto_install:
 cd /srv/rust/noble-migration && cargo build --release --locked && \
 cd /srv/securedrop && \
 mkdir -p ./debian/securedrop-config/usr/bin && \
- mv /srv/rust/target/release/noble-migration ./debian/securedrop-config/usr/bin/noble-migration
+ mv /srv/rust/target/release/check ./debian/securedrop-config/usr/bin/securedrop-noble-migration-check
 # Build redwood wheel
 python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target
 # Set up virtualenv and install dependencies
@@ -90,6 +90,7 @@ override_dh_systemd_enable:
 dh_systemd_enable --no-enable securedrop-remove-pending-sources.service
 dh_systemd_enable --no-enable securedrop-remove-packages.service
 dh_systemd_enable --no-enable securedrop-cleanup-ossec.service
+ dh_systemd_enable --no-enable securedrop-noble-migration-check.service
 dh_systemd_enable
 # This is basically the same as the enable stanza above, just whether the
@@ -100,4 +101,5 @@ override_dh_systemd_start:
 dh_systemd_start --no-start securedrop-remove-pending-sources.service
 dh_systemd_start --no-start securedrop-remove-packages.service
 dh_systemd_start --no-start securedrop-cleanup-ossec.service
+ dh_systemd_start --no-start securedrop-noble-migration-check.service
 dh_systemd_start
diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index e635bfd415..5ef0c0a2c4 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -227,6 +227,13 @@ start = "2019-10-05" end = "2024-04-10" notes = "Rust Project member" +[[trusted.anyhow]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-10-05" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.buffered-reader]] criteria = "safe-to-deploy" user-id = 33886 # Neal H. Walfield (nwalfield) @@ -255,6 +262,13 @@ start = "2019-03-01" end = "2024-04-10" notes = "Rust Project member" +[[trusted.displaydoc]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2024-06-20" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.dyn-clone]] criteria = "safe-to-deploy" user-id = 3618 # David Tolnay (dtolnay) @@ -303,6 +317,20 @@ start = "2019-04-02" end = "2024-04-10" notes = "Rust Project member" +[[trusted.icu_properties]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2022-01-31" +end = "2025-05-14" +notes = "Rust Project member" + +[[trusted.idna]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2024-07-01" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.indexmap]] criteria = "safe-to-deploy" user-id = 539 # Josh Stone (cuviper) @@ -345,6 +373,13 @@ start = "2021-01-27" end = "2024-04-10" notes = "Rust Project member" +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 55123 # rust-lang-owner +start = "2024-08-15" +end = "2025-05-14" +notes = "Rust Project role account" + [[trusted.linux-raw-sys]] criteria = "safe-to-deploy" user-id = 6825 # Dan Gohman (sunfishcode) 
@@ -352,6 +387,13 @@ start = "2021-06-12"
 end = "2024-04-10"
 notes = "Rust Project member"
 
+[[trusted.linux-raw-sys]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2021-06-12"
+end = "2025-05-14"
+notes = "Rust Project member"
+
 [[trusted.lock_api]]
 criteria = "safe-to-deploy"
 user-id = 2915 # Amanieu d'Antras (Amanieu)
@@ -471,6 +513,13 @@ start = "2021-10-29"
 end = "2024-04-10"
 notes = "Rust Project member"
 
+[[trusted.rustix]]
+criteria = "safe-to-deploy"
+user-id = 6825 # Dan Gohman (sunfishcode)
+start = "2021-10-29"
+end = "2025-05-14"
+notes = "Rust Project member"
+
 [[trusted.rustversion]]
 criteria = "safe-to-deploy"
 user-id = 3618 # David Tolnay (dtolnay)
@@ -478,6 +527,13 @@ start = "2019-07-08"
 end = "2024-04-10"
 notes = "Rust Project member"
 
+[[trusted.ryu]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-05-02"
+end = "2025-05-14"
+notes = "Rust Project member"
+
 [[trusted.scopeguard]]
 criteria = "safe-to-deploy"
 user-id = 2915 # Amanieu d'Antras (Amanieu)
@@ -499,6 +555,27 @@ start = "2019-03-14"
 end = "2024-12-12"
 notes = "Sequoia developer"
 
+[[trusted.serde]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-05-14"
+notes = "Rust Project member"
+
+[[trusted.serde_derive]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-05-14"
+notes = "Rust Project member"
+
+[[trusted.serde_json]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-02-28"
+end = "2025-05-14"
+notes = "Rust Project member"
+
 [[trusted.sha1collisiondetection]]
 criteria = "safe-to-deploy"
 user-id = 33886 # Neal H. Walfield (nwalfield)
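Review bot: The new `[[trusted.linux-raw-sys]]` block duplicates the entry already visible in the hunk's context (same `user-id = 6825`, same `start = "2021-06-12"`), differing only in `end`; the same pattern appears for `[[trusted.rustix]]` in the following hunk. Two overlapping trust windows for one publisher are accepted by cargo vet, but they make the trust policy harder to audit and invite divergent edits later. Prefer updating the existing entry in place, `end = "2025-05-14"`, and dropping the added block. If `cargo vet trust` generated the duplicates, a manual clean-up is still the clearer result.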
@@ -527,6 +604,13 @@ start = "2019-03-01"
 end = "2024-04-10"
 notes = "Rust Project member"
 
+[[trusted.syn]]
+criteria = "safe-to-deploy"
+user-id = 3618 # David Tolnay (dtolnay)
+start = "2019-03-01"
+end = "2025-05-14"
+notes = "Rust Project member"
+
 [[trusted.target-lexicon]]
 criteria = "safe-to-deploy"
 user-id = 6825 # Dan Gohman (sunfishcode)
@@ -561,3 +645,24 @@ user-id = 3618 # David Tolnay (dtolnay)
 start = "2019-08-17"
 end = "2024-04-10"
 notes = "Rust Project member"
+
+[[trusted.url]]
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2021-02-18"
+end = "2025-05-14"
+notes = "Rust Project member"
+
+[[trusted.zerofrom-derive]]
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2022-04-06"
+end = "2025-05-14"
+notes = "Rust Project member"
+
+[[trusted.zerovec-derive]]
+criteria = "safe-to-deploy"
+user-id = 1139 # Manish Goregaokar (Manishearth)
+start = "2021-12-11"
+end = "2025-05-14"
+notes = "Rust Project member"
diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock
index a2cc6730e9..7fff225707 100644
--- a/supply-chain/imports.lock
+++ b/supply-chain/imports.lock
@@ -15,6 +15,13 @@ user-id = 3618
 user-login = "dtolnay"
 user-name = "David Tolnay"
 
+[[publisher.anyhow]]
+version = "1.0.93"
+when = "2024-11-06"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
 [[publisher.buffered-reader]]
 version = "1.3.0"
 when = "2023-10-26"
@@ -43,6 +50,13 @@ user-id = 5946
 user-login = "jrmuizel"
 user-name = "Jeff Muizelaar"
 
+[[publisher.displaydoc]]
+version = "0.2.5"
+when = "2024-06-20"
+user-id = 1139
+user-login = "Manishearth"
+user-name = "Manish Goregaokar"
+
 [[publisher.dyn-clone]]
 version = "1.0.14"
 when = "2023-09-19"
@@ -71,6 +85,13 @@ user-id = 6825
 user-login = "sunfishcode"
 user-name = "Dan Gohman"
 
+[[publisher.errno]]
+version = "0.3.8"
+when = "2023-11-28"
+user-id = 6825
+user-login = "sunfishcode"
+user-name = "Dan Gohman"
+
 [[publisher.hashbrown]]
 version = "0.14.1"
 when = "2023-09-29"
@@ -78,6 +99,13 @@ user-id = 2915
 user-login = "Amanieu"
 user-name = "Amanieu d'Antras"
 
+[[publisher.icu_properties]]
+version = "1.5.1"
+when = "2024-06-24"
+user-id = 1139
+user-login = "Manishearth"
+user-name = "Manish Goregaokar"
+
 [[publisher.indexmap]]
 version = "2.0.2"
 when = "2023-09-29"
@@ -106,6 +134,12 @@ user-id = 1386
 user-login = "nikomatsakis"
 user-name = "Niko Matsakis"
 
+[[publisher.libc]]
+version = "0.2.162"
+when = "2024-11-07"
+user-id = 55123
+user-login = "rust-lang-owner"
+
 [[publisher.linux-raw-sys]]
 version = "0.4.10"
 when = "2023-10-09"
@@ -113,6 +147,13 @@ user-id = 6825
 user-login = "sunfishcode"
 user-name = "Dan Gohman"
 
+[[publisher.linux-raw-sys]]
+version = "0.4.14"
+when = "2024-05-17"
+user-id = 6825
+user-login = "sunfishcode"
+user-name = "Dan Gohman"
+
 [[publisher.lock_api]]
 version = "0.4.10"
 when = "2023-06-05"
@@ -169,6 +210,13 @@ user-id = 3618
 user-login = "dtolnay"
 user-name = "David Tolnay"
 
+[[publisher.proc-macro2]]
+version = "1.0.79"
+when = "2024-03-12"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
 [[publisher.quote]]
 version = "1.0.33"
 when = "2023-08-17"
@@ -211,6 +259,13 @@ user-id = 6825
 user-login = "sunfishcode"
 user-name = "Dan Gohman"
 
+[[publisher.rustix]]
+version = "0.38.40"
+when = "2024-11-10"
+user-id = 6825
+user-login = "sunfishcode"
+user-name = "Dan Gohman"
+
 [[publisher.rustversion]]
 version = "1.0.14"
 when = "2023-07-15"
@@ -218,6 +273,13 @@ user-id = 3618
 user-login = "dtolnay"
 user-name = "David Tolnay"
 
+[[publisher.ryu]]
+version = "1.0.18"
+when = "2024-05-07"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
 [[publisher.scopeguard]]
 version = "1.2.0"
 when = "2023-07-17"
@@ -232,6 +294,27 @@ user-id = 33711
 user-login = "teythoon"
 user-name = "Justus Winter"
 
+[[publisher.serde]]
+version = "1.0.215"
+when = "2024-11-11"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
+[[publisher.serde_derive]]
+version = "1.0.215"
+when = "2024-11-11"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
+[[publisher.serde_json]]
+version = "1.0.132"
+when = "2024-10-19"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
 [[publisher.sha1collisiondetection]]
 version = "0.3.1"
 when = "2023-09-13"
@@ -253,6 +336,13 @@ user-id = 3618
 user-login = "dtolnay"
 user-name = "David Tolnay"
 
+[[publisher.syn]]
+version = "2.0.87"
+when = "2024-11-02"
+user-id = 3618
+user-login = "dtolnay"
+user-name = "David Tolnay"
+
 [[publisher.target-lexicon]]
 version = "0.12.11"
 when = "2023-07-31"
@@ -288,6 +378,20 @@ user-id = 3618
 user-login = "dtolnay"
 user-name = "David Tolnay"
 
+[[publisher.utf8_iter]]
+version = "1.0.4"
+when = "2023-12-01"
+user-id = 4484
+user-login = "hsivonen"
+user-name = "Henri Sivonen"
+
+[[publisher.zerovec-derive]]
+version = "0.10.3"
+when = "2024-06-24"
+user-id = 1139
+user-login = "Manishearth"
+user-name = "Manish Goregaokar"
+
 [[audits.bytecode-alliance.audits.adler]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -300,6 +404,25 @@ criteria = "safe-to-deploy"
 version = "0.21.0"
 notes = "This crate has no dependencies, no build.rs, and contains no unsafe code."
 
+[[audits.bytecode-alliance.audits.bitflags]]
+who = "Jamey Sharp "
+criteria = "safe-to-deploy"
+delta = "2.1.0 -> 2.2.1"
+notes = """
+This version adds unsafe impls of traits from the bytemuck crate when built
+with that library enabled, but I believe the impls satisfy the documented
+safety requirements for bytemuck. The other changes are minor.
+"""
+
+[[audits.bytecode-alliance.audits.bitflags]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+delta = "2.3.2 -> 2.3.3"
+notes = """
+Nothing outside the realm of what one would expect from a bitflags generator,
+all as expected.
+"""
+
 [[audits.bytecode-alliance.audits.block-buffer]]
 who = "Benjamin Bouvier "
 criteria = "safe-to-deploy"
@@ -389,6 +512,16 @@ who = "Pat Hickey "
 criteria = "safe-to-deploy"
 version = "0.1.0"
 
+[[audits.bytecode-alliance.audits.percent-encoding]]
+who = "Alex Crichton "
+criteria = "safe-to-deploy"
+version = "2.2.0"
+notes = """
+This crate is a single-file crate that does what it says on the tin. There are
+a few `unsafe` blocks related to utf-8 validation which are locally verifiable
+as correct and otherwise this crate is good to go.
+"""
+
 [[audits.bytecode-alliance.audits.tempfile]]
 who = "Alex Crichton "
 criteria = "safe-to-deploy"
@@ -430,6 +563,22 @@ criteria = "safe-to-deploy"
 version = "0.2.15"
 notes = "no build.rs, no macros, no unsafe. It reads the filesystem and makes copies of DLLs into OUT_DIR."
 
+[[audits.google.audits.bitflags]]
+who = "Lukasz Anforowicz "
+criteria = "safe-to-deploy"
+version = "1.3.2"
+notes = """
+Security review of earlier versions of the crate can be found at
+(Google-internal, sorry): go/image-crate-chromium-security-review
+
+The crate exposes a function marked as `unsafe`, but doesn't use any
+`unsafe` blocks (except for tests of the single `unsafe` function). I
+think this justifies marking this crate as `ub-risk-1`.
+
+Additional review comments can be found at https://crrev.com/c/4723145/31
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.bitflags]]
 who = "Dennis Kempin "
 criteria = "safe-to-run"
@@ -520,6 +669,35 @@ criteria = "safe-to-run"
 version = "0.10.5"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.itoa]]
+who = "Lukasz Anforowicz "
+criteria = "safe-to-deploy"
+version = "1.0.10"
+notes = '''
+I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits.
+
+There are a few places where `unsafe` is used. Unsafe review notes can be found
+in https://crrev.com/c/5350697.
+
+Version 1.0.1 of this crate has been added to Chromium in
+https://crrev.com/c/3321896.
+'''
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.itoa]]
+who = "Lukasz Anforowicz "
+criteria = "safe-to-deploy"
+delta = "1.0.10 -> 1.0.11"
+notes = """
+Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits:
+
+* Bumping up the version
+* A touch up of comments
+* And my own PR to make `unsafe` blocks more granular:
+  https://github.com/dtolnay/itoa/pull/42
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
 [[audits.google.audits.lazy_static]]
 who = "Android Legacy"
 criteria = "safe-to-run"
@@ -584,6 +762,101 @@ criteria = "safe-to-run"
 version = "0.3.26"
 aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT"
 
+[[audits.google.audits.proc-macro2]]
+who = "Adrian Taylor "
+criteria = "safe-to-deploy"
+delta = "1.0.79 -> 1.0.80"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "Dustin J. Mitchell "
+criteria = "safe-to-deploy"
+delta = "1.0.80 -> 1.0.81"
+notes = "Comment changes only"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "danakj "
+criteria = "safe-to-deploy"
+delta = "1.0.81 -> 1.0.82"
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "Dustin J. Mitchell "
+criteria = "safe-to-deploy"
+delta = "1.0.82 -> 1.0.83"
+notes = "Substantive change is replacing String with Box, saving memory."
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "Lukasz Anforowicz "
+criteria = "safe-to-deploy"
+delta = "1.0.83 -> 1.0.84"
+notes = "Only doc comment changes in `src/lib.rs`."
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "danakj@chromium.org"
+criteria = "safe-to-deploy"
+delta = "1.0.84 -> 1.0.85"
+notes = "Test-only changes."
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "Lukasz Anforowicz "
+criteria = "safe-to-deploy"
+delta = "1.0.85 -> 1.0.86"
+notes = """
+Comment-only changes in `build.rs`.
+Reordering of `Cargo.toml` entries.
+Just bumping up the version number in `lib.rs`.
+Config-related changes in `test_size.rs`.
+"""
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "danakj "
+criteria = "safe-to-deploy"
+delta = "1.0.86 -> 1.0.87"
+notes = "No new unsafe interactions."
+aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT"
+
+[[audits.google.audits.proc-macro2]]
+who = "Liza Burakova