From 7f8479a894251c3f9ade09c76dc67a53b55334b0 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 14 Nov 2024 16:47:08 -0500 Subject: [PATCH] Add a basic noble migration check script Perform a number of checks to ensure the system is ready for the noble migration. The results are written to a JSON file in /etc/ that other things like the JI and the upgrade script itself can read from. The script is run hourly on a systemd timer but can also be run interactively for administrators who want slightly more details. Refs #7322. --- Cargo.lock | 501 +++++++-- .../testinfra/common/test_release_upgrades.py | 41 + noble-migration/Cargo.toml | 6 + noble-migration/src/bin/check.rs | 359 +++++++ noble-migration/src/main.rs | 3 - .../securedrop-noble-migration-check.service | 7 + .../securedrop-noble-migration-check.timer | 10 + securedrop/debian/rules | 4 +- supply-chain/audits.toml | 102 ++ supply-chain/imports.lock | 954 ++++++++++++++++-- 10 files changed, 1810 insertions(+), 177 deletions(-) create mode 100644 noble-migration/src/bin/check.rs delete mode 100644 noble-migration/src/main.rs create mode 100644 securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service create mode 100644 securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer diff --git a/Cargo.lock b/Cargo.lock index 9626a066e9..3e6b176c92 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -34,9 +34,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.75" +version = "1.0.93" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4668cab20f66d8d020e1fbc0ebe47217433c1b6c8f2040faf858554e394ace6" +checksum = "4c95c10ba0b00a02636238b814946408b1322d5ac4760326e6fb8ec956d85775" [[package]] name = "ascii-canvas" @@ -231,6 +231,17 @@ dependencies = [ "winapi", ] +[[package]] +name = "displaydoc" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "dyn-clone" version = "1.0.14" @@ -260,12 +271,12 @@ checksum = "5443807d6dff69373d433ab9ef5378ad8df50ca6298caf15de6e52e24aaf54d5" [[package]] name = "errno" -version = "0.3.5" +version = "0.3.9" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ac3e13f66a2f95e32a39eaa81f6b95d42878ca0e1db0c7543723dfe12557e860" +checksum = "534c5cf6194dfab3db3242765c03bbe257cf92f22b38f6bc0c58d59108a820ba" dependencies = [ "libc", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -305,6 +316,15 @@ version = "0.1.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b" +[[package]] +name = "form_urlencoded" +version = "1.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" +dependencies = [ + "percent-encoding", +] + [[package]] name = "generic-array" version = "0.14.7" @@ -363,14 +383,143 @@ dependencies = [ "cc", ] +[[package]] +name = "icu_collections" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" +dependencies = [ + "displaydoc", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_locid" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" +dependencies = [ + "displaydoc", + "litemap", + "tinystr", + "writeable", + "zerovec", +] + +[[package]] +name = "icu_locid_transform" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_locid_transform_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_locid_transform_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" + +[[package]] +name = "icu_normalizer" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" +dependencies = [ + "displaydoc", + "icu_collections", + "icu_normalizer_data", + "icu_properties", + "icu_provider", + "smallvec", + "utf16_iter", + "utf8_iter", + "write16", + "zerovec", +] + +[[package]] +name = "icu_normalizer_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" + +[[package]] +name = "icu_properties" +version = "1.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" +dependencies = [ + "displaydoc", + "icu_collections", + "icu_locid_transform", + "icu_properties_data", + "icu_provider", + "tinystr", + "zerovec", +] + +[[package]] +name = "icu_properties_data" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" + +[[package]] +name = "icu_provider" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" +dependencies = [ + "displaydoc", + "icu_locid", + "icu_provider_macros", + "stable_deref_trait", + "tinystr", + "writeable", + "yoke", + "zerofrom", + "zerovec", +] + +[[package]] +name = "icu_provider_macros" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "idna" -version = "0.5.0" +version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "634d9b1461af396cad843f47fdba5597a4f9e6ddd4bfb6ff5d85028c25cb12f6" +checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" dependencies = [ - "unicode-bidi", - "unicode-normalization", + "idna_adapter", + "smallvec", + "utf8_iter", +] + +[[package]] +name = "idna_adapter" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" +dependencies = [ + "icu_normalizer", + "icu_properties", ] [[package]] @@ -409,6 +558,12 @@ dependencies = [ "either", ] +[[package]] +name = "itoa" +version = "1.0.11" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b" + [[package]] name = "js-sys" version = "0.3.64" @@ -454,15 +609,21 @@ checksum = "e2abad23fbc42b3700f2f279844dc832adb2b2eb069b2df918f455c4e18cc646" [[package]] name = "libc" -version = "0.2.149" +version = "0.2.162" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a08173bc88b7955d1b3145aa561539096c421ac8debde8cbc3612ec635fee29b" +checksum = "18d287de67fe55fd7e1581fe933d965a5a9477b38e949cfa9f8574ef01506398" [[package]] name = "linux-raw-sys" -version = "0.4.10" +version = "0.4.14" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "da2479e8c062e40bf0066ffa0bc823de0a9368974af99c9f6df941d2c231e03f" +checksum = "78b3ae25bc7c8c38cec158d1f2757ee79e9b3740fbc7ccf0e59e4b08d793fa89" + +[[package]] +name = "litemap" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "643cb0b8d4fcc284004d5fd0d67ccf61dfffadb7f75e1e71bc420f4688a3a704" [[package]] name = "lock_api" @@ -519,6 +680,14 @@ checksum = "e4a24736216ec316047a1fc4252e27dabb04218aa4a3f37c6e7ddbf1f9782b54" [[package]] name = "noble-migration" version = "0.1.0" +dependencies = [ + "anyhow", + "rustix", + "serde", + "serde_json", + "url", + "walkdir", +] [[package]] name = "num-traits" @@ -558,7 +727,7 @@ checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", ] [[package]] @@ -596,6 +765,12 @@ dependencies = [ "windows-targets 0.48.5", ] +[[package]] +name = "percent-encoding" +version = "2.3.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" + [[package]] name = "petgraph" version = "0.6.4" @@ -629,9 +804,9 @@ checksum = "925383efa346730478fb4838dbe9137d2a47675ad789c546d150a6e1dd4ab31c" [[package]] name = "proc-macro2" -version = "1.0.69" +version = "1.0.89" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "134c189feb4956b20f6f547d2cf727d4c0fe06722b20a0eec87ed445a97f92da" +checksum = "f139b0662de085916d1fb67d2b4169d1addddda1919e696f3252b740b629986e" dependencies = [ "unicode-ident", ] @@ -698,9 +873,9 @@ dependencies = [ [[package]] name = "quote" -version = "1.0.33" +version = "1.0.37" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" +checksum = "b5b9d34b8991d19d98081b46eacdd8eb58c6f2b201139f7c5f643cc155a633af" dependencies = [ "proc-macro2", ] @@ -782,15 +957,15 @@ checksum = "c3cbb081b9784b07cceb8824c8583f86db4814d172ab043f3c23f7dc600bf83d" [[package]] name = "rustix" -version = "0.38.21" +version = "0.38.40" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2b426b0506e5d50a7d8dafcf2e81471400deb602392c7dd110815afb4eaf02a3" +checksum = "99e4ea3e1cdc4b559b8e5650f9c8e5998e3e5c1343b4eaf034565f32318d63c0" dependencies = [ "bitflags 2.4.0", "errno", "libc", "linux-raw-sys", - "windows-sys 0.48.0", + "windows-sys 0.52.0", ] [[package]] @@ -799,6 +974,21 @@ version = "1.0.14" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7ffc183a10b4478d04cbbbfc96d0873219d962dd5accaff2ffbd4ceb7df837f4" +[[package]] +name = "ryu" +version = "1.0.18" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f3cb5ba0dc43242ce17de99c180e96db90b235b8a9fdc9543c96d2209116bd9f" + +[[package]] +name = "same-file" +version = "1.0.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93fc1dc3aaa9bfed95e02e6eadabb4baf7e3078b0bd1b4d7b6b0b68378900502" +dependencies = [ + "winapi-util", +] + [[package]] name = "scopeguard" version = "1.2.0" @@ -835,6 +1025,38 @@ dependencies = [ "xxhash-rust", ] +[[package]] +name = "serde" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6513c1ad0b11a9376da888e3e0baa0077f1aed55c17f50e7b2397136129fb88f" +dependencies = [ + "serde_derive", +] + +[[package]] +name = "serde_derive" +version = "1.0.215" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ad1e866f866923f252f05c889987993144fb74e722403468a4ebd70c3cd756c0" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + +[[package]] +name = "serde_json" +version = "1.0.132" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d726bfaff4b320266d395898905d0eba0345aae23b54aee3a737e260fd46db03" +dependencies = [ + "itoa", + "memchr", + "ryu", + "serde", +] + [[package]] name = "sha1collisiondetection" version = "0.3.1" @@ -853,9 +1075,15 @@ checksum = "38b58827f4464d87d377d175e90bf58eb00fd8716ff0a62f80356b5e61555d0d" [[package]] name = "smallvec" -version = "1.11.1" +version = "1.13.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" + +[[package]] +name = "stable_deref_trait" +version = "1.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "942b4a808e05215192e39f4ab80813e599068285906cc91aa64f923db842bd5a" +checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" [[package]] name = "string_cache" @@ -883,15 +1111,26 @@ dependencies = [ [[package]] name = "syn" -version = "2.0.38" +version = "2.0.87" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e96b79aaa137db8f61e26363a0c9b47d8b4ec75da28b7d1d614c2303e232408b" +checksum = "25aa4ce346d03a6dcd68dd8b4010bcb74e54e62c90c573f394c46eae99aba32d" dependencies = [ "proc-macro2", "quote", "unicode-ident", ] +[[package]] +name = "synstructure" +version = "0.13.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] + [[package]] name = "target-lexicon" version = "0.12.11" @@ -939,7 +1178,7 @@ checksum = "10712f02019e9288794769fba95cd6847df9874d49d871d062172f9dd41bc4cc" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", ] [[package]] @@ -952,47 +1191,27 @@ dependencies = [ ] [[package]] -name = "tinyvec" -version = "1.6.0" +name = "tinystr" +version = "0.7.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50" +checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" dependencies = [ - "tinyvec_macros", + "displaydoc", + "zerovec", ] -[[package]] -name = "tinyvec_macros" -version = "0.1.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f3ccbac311fea05f86f61904b462b55fb3df8837a366dfc601a0161d0532f20" - [[package]] name = "typenum" version = "1.17.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825" -[[package]] -name = "unicode-bidi" -version = "0.3.13" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "92888ba5573ff080736b3648696b70cafad7d250551175acbaa4e0385b3e1460" - [[package]] name = "unicode-ident" version = "1.0.12" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b" -[[package]] -name = "unicode-normalization" -version = "0.1.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5c5713f0fc4b5db668a2ac63cdb7bb4469d8c9fed047b1d0292cc7b0ce2ba921" -dependencies = [ - "tinyvec", -] - [[package]] name = "unicode-xid" version = "0.2.4" @@ -1005,6 +1224,29 @@ version = "0.1.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "e1766d682d402817b5ac4490b3c3002d91dfa0d22812f341609f97b08757359c" +[[package]] +name = "url" +version = "2.5.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" +dependencies = [ + "form_urlencoded", + "idna", + "percent-encoding", +] + +[[package]] +name = "utf16_iter" +version = "1.0.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" + +[[package]] +name = "utf8_iter" +version = "1.0.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" + [[package]] name = "vcpkg" version = "0.2.15" @@ -1017,6 +1259,16 @@ version = "0.9.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f" +[[package]] +name = "walkdir" +version = "2.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "29790946404f91d9c5d06f9874efddea1dc06c5efe94541a7d6863108e3a5e4b" +dependencies = [ + "same-file", + "winapi-util", +] + [[package]] name = "wasi" version = "0.11.0+wasi-snapshot-preview1" @@ -1044,7 +1296,7 @@ dependencies = [ "once_cell", "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", "wasm-bindgen-shared", ] @@ -1066,7 +1318,7 @@ checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" dependencies = [ "proc-macro2", "quote", - "syn 2.0.38", + "syn 2.0.87", "wasm-bindgen-backend", "wasm-bindgen-shared", ] @@ -1093,6 +1345,15 @@ version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6" +[[package]] +name = "winapi-util" +version = "0.1.9" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb" +dependencies = [ + "windows-sys 0.52.0", +] + [[package]] name = "winapi-x86_64-pc-windows-gnu" version = "0.4.0" @@ -1123,7 +1384,7 @@ version = "0.52.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" dependencies = [ - "windows-targets 0.52.0", + "windows-targets 0.52.6", ] [[package]] @@ -1143,17 +1404,18 @@ dependencies = [ [[package]] name = "windows-targets" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd" +checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" dependencies = [ - "windows_aarch64_gnullvm 0.52.0", - "windows_aarch64_msvc 0.52.0", - "windows_i686_gnu 0.52.0", - "windows_i686_msvc 0.52.0", - "windows_x86_64_gnu 0.52.0", - "windows_x86_64_gnullvm 0.52.0", - "windows_x86_64_msvc 0.52.0", + "windows_aarch64_gnullvm 0.52.6", + "windows_aarch64_msvc 0.52.6", + "windows_i686_gnu 0.52.6", + "windows_i686_gnullvm", + "windows_i686_msvc 0.52.6", + "windows_x86_64_gnu 0.52.6", + "windows_x86_64_gnullvm 0.52.6", + "windows_x86_64_msvc 0.52.6", ] [[package]] @@ -1164,9 +1426,9 @@ checksum = "2b38e32f0abccf9987a4e3079dfb67dcd799fb61361e53e2882c3cbaf0d905d8" [[package]] name = "windows_aarch64_gnullvm" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea" +checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" [[package]] name = "windows_aarch64_msvc" @@ -1176,9 +1438,9 @@ checksum = "dc35310971f3b2dbbf3f0690a219f40e2d9afcf64f9ab7cc1be722937c26b4bc" [[package]] name = "windows_aarch64_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef" +checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" [[package]] name = "windows_i686_gnu" @@ -1188,9 +1450,15 @@ checksum = "a75915e7def60c94dcef72200b9a8e58e5091744960da64ec734a6c6e9b3743e" [[package]] name = "windows_i686_gnu" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313" +checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" + +[[package]] +name = "windows_i686_gnullvm" +version = "0.52.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" [[package]] name = "windows_i686_msvc" @@ -1200,9 +1468,9 @@ checksum = "8f55c233f70c4b27f66c523580f78f1004e8b5a8b659e05a4eb49d4166cca406" [[package]] name = "windows_i686_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a" +checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" [[package]] name = "windows_x86_64_gnu" @@ -1212,9 +1480,9 @@ checksum = "53d40abd2583d23e4718fddf1ebec84dbff8381c07cae67ff7768bbf19c6718e" [[package]] name = "windows_x86_64_gnu" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd" +checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" [[package]] name = "windows_x86_64_gnullvm" @@ -1224,9 +1492,9 @@ checksum = "0b7b52767868a23d5bab768e390dc5f5c55825b6d30b86c844ff2dc7414044cc" [[package]] name = "windows_x86_64_gnullvm" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e" +checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" [[package]] name = "windows_x86_64_msvc" @@ -1236,12 +1504,91 @@ checksum = "ed94fce61571a4006852b7389a063ab983c02eb1bb37b47f8272ce92d06d9538" [[package]] name = "windows_x86_64_msvc" -version = "0.52.0" +version = "0.52.6" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04" +checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" + +[[package]] +name = "write16" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" + +[[package]] +name = "writeable" +version = "0.5.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" [[package]] name = "xxhash-rust" version = "0.8.7" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9828b178da53440fa9c766a3d2f73f7cf5d0ac1fe3980c1e5018d899fd19e07b" + +[[package]] +name = "yoke" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6c5b1314b079b0930c31e3af543d8ee1757b1951ae1e1565ec704403a7240ca5" +dependencies = [ + "serde", + "stable_deref_trait", + "yoke-derive", + "zerofrom", +] + +[[package]] +name = "yoke-derive" +version = "0.7.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "28cc31741b18cb6f1d5ff12f5b7523e3d6eb0852bbbad19d73905511d9849b95" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", + "synstructure", +] + +[[package]] +name = "zerofrom" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "91ec111ce797d0e0784a1116d0ddcdbea84322cd79e5d5ad173daeba4f93ab55" +dependencies = [ + "zerofrom-derive", +] + +[[package]] +name = "zerofrom-derive" +version = "0.1.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0ea7b4a3637ea8669cedf0f1fd5c286a17f3de97b8dd5a70a6c167a1730e63a5" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", + "synstructure", +] + +[[package]] +name = "zerovec" +version = "0.10.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" +dependencies = [ + "yoke", + "zerofrom", + "zerovec-derive", +] + +[[package]] +name = "zerovec-derive" +version = "0.10.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.87", +] diff --git a/molecule/testinfra/common/test_release_upgrades.py b/molecule/testinfra/common/test_release_upgrades.py index 5eb87a2c3b..b821f2fbb5 100644 --- a/molecule/testinfra/common/test_release_upgrades.py +++ b/molecule/testinfra/common/test_release_upgrades.py @@ -1,3 +1,7 @@ +import json +import time + +import pytest import testutils test_vars = testutils.securedrop_test_vars @@ -27,3 +31,40 @@ def test_release_manager_upgrade_channel(host): _, channel = raw_output.split("=") assert channel == "never" + + +def test_migration_check(host): + """Verify our migration check script works""" + if host.system_info.codename != "focal": + pytest.skip("only applicable/testable on focal") + + with host.sudo(): + # remove state file so we can see if it works + if host.file("/etc/securedrop-noble-migration.json").exists: + host.run("rm /etc/securedrop-noble-migration.json") + cmd = host.run("systemctl start securedrop-noble-migration-check") + assert cmd.rc == 0 + while host.service("securedrop-noble-migration-check").is_running: + time.sleep(1) + + # JSON state file was created + assert host.file("/etc/securedrop-noble-migration.json").exists + + cmd = host.run("cat /etc/securedrop-noble-migration.json") + assert cmd.rc == 0 + + contents = json.loads(cmd.stdout) + print(contents) + # The script did not error out + if "error" in contents: + # Run the script manually to get the error message + cmd = host.run("securedrop-noble-migration-check") + print(cmd.stdout) + # We'll fail in the next line after this + assert "error" not in contents + # staging CI jobs don't have enough free space, so just check + # that it returned a value for it + assert "free_space" in contents + del contents["free_space"] + # All the values should be True + assert all(contents.values()) diff --git a/noble-migration/Cargo.toml b/noble-migration/Cargo.toml index 6714ccddeb..23b92fd926 100644 --- a/noble-migration/Cargo.toml +++ b/noble-migration/Cargo.toml @@ -4,3 +4,9 @@ version = "0.1.0" edition = "2021" [dependencies] +anyhow = "1.0.93" +rustix = { version = "0.38.40", features = ["process"] } +serde = { version = "1.0.215", features = ["derive"] } +serde_json = "1.0.132" +url = "2.5.3" +walkdir = "2.5.0" diff --git a/noble-migration/src/bin/check.rs b/noble-migration/src/bin/check.rs new file mode 100644 index 0000000000..e6c1b0c379 --- /dev/null +++ b/noble-migration/src/bin/check.rs @@ -0,0 +1,359 @@ +//! Check migration of a SecureDrop server from focal to noble +//! +//! This script is run as root on both the app and mon servers. +//! +//! It is typically run by a systemd service/timer, but we also +//! support admins running it manually to get more detailed output. +use anyhow::{bail, Context, Result}; +use rustix::process::geteuid; +use serde::Serialize; +use std::{ + fs, + path::Path, + process::{self, ExitCode}, +}; +use url::{Host, Url}; +use walkdir::WalkDir; + +/// This file contains the state of the pre-migration checks. +/// +/// There are four possible states: +/// * does not exist: check script hasn't run yet +/// * empty JSON object: script determines it isn't on focal +/// * {"error": true}: script encountered an error +/// * JSON object with boolean values for each check (see `State` struct) +const STATE_PATH: &str = "/etc/securedrop-noble-migration.json"; + +#[derive(Serialize)] +struct State { + ssh: bool, + ufw: bool, + free_space: bool, + apt: bool, + systemd: bool, +} + +impl State { + fn is_ready(&self) -> bool { + self.ssh && self.ufw && self.free_space && self.apt && self.systemd + } +} + +/// Parse the OS codename from /etc/os-release +fn os_codename() -> Result { + let contents = fs::read_to_string("/etc/os-release") + .context("reading /etc/os-release failed")?; + for line in contents.lines() { + if line.starts_with("VERSION_CODENAME=") { + // unwrap: Safe because we know the line contains "=" + let (_, codename) = line.split_once("=").unwrap(); + return Ok(codename.trim().to_string()); + } + } + + bail!("Could not find VERSION_CODENAME in /etc/os-release") +} + +/// Check that the UNIX "ssh" group has no members +/// +/// See . +fn check_ssh_group() -> Result { + // There are no clean bindings to getgrpname in rustix, + // so jut shell out to getent to get group members + let output = process::Command::new("getent") + .arg("group") + .arg("ssh") + .output() + .context("spawning getent failed")?; + if output.status.code() == Some(2) { + println!("ssh: group does not exist"); + return Ok(true); + } else if !output.status.success() { + bail!( + "running getent failed: {}", + String::from_utf8_lossy(&output.stderr) + ); + } + + let stdout = String::from_utf8(output.stdout) + .context("getent stdout is not utf-8")?; + let members = parse_getent_output(&stdout)?; + if members.is_empty() { + println!("ssh: group is empty"); + Ok(true) + } else { + println!("ssh: group is not empty: {members:?}"); + Ok(false) + } +} + +/// Parse the output of `getent group ssh`, return true if empty +fn parse_getent_output(stdout: &str) -> Result> { + let stdout = stdout.trim(); + // The format looks like `ssh:x:123:member1,member2` + if !stdout.contains(":") { + bail!("unexpected output from getent: '{stdout}'"); + } + + // unwrap: safe, we know the line contains ":" + let (_, members) = stdout.rsplit_once(':').unwrap(); + if members.is_empty() { + Ok(vec![]) + } else { + Ok(members.split(',').collect()) + } +} + +/// Check that ufw was removed +/// +/// See . +fn check_ufw_removed() -> bool { + if Path::new("/usr/sbin/ufw").exists() { + println!("ufw: ufw is still installed"); + false + } else { + println!("ufw: ufw was removed"); + true + } +} + +/// Estimate the size of the backup so we know how much free space we'll need. +/// +/// We just check the size of `/var/lib/securedrop` since that's really the +/// data that'll take up space; everything else is just config files that are +/// negligible post-compression. We also don't estimate compression benefits. +fn estimate_backup_size() -> Result { + let path = Path::new("/var/lib/securedrop"); + if !path.exists() { + // mon server + return Ok(0); + } + let mut total: u64 = 0; + let walker = WalkDir::new(path); + for entry in walker { + let entry = entry.context("walking /var/lib/securedrop failed")?; + if entry.file_type().is_dir() { + continue; + } + let metadata = entry.metadata().context("getting metadata failed")?; + total += metadata.len(); + } + + Ok(total) +} + +/// We want to have enough space for a backup, the upgrade (~4GB of packages, +/// conservatively), and not take up more than 90% of the disk. +fn check_free_space() -> Result { + // Also no simple bindings to get disk size, so shell out to df + let output = process::Command::new("df") + .arg("/") + .output() + .context("spawning df failed")?; + if !output.status.success() { + bail!( + "running df failed: {}", + String::from_utf8_lossy(&output.stderr) + ); + } + + let stdout = + String::from_utf8(output.stdout).context("df stdout is not utf-8")?; + let parsed = parse_df_output(&stdout)?; + + let backup_needs = estimate_backup_size()?; + let upgrade_needs: u64 = 4 * 1024 * 1024 * 1024; // 4GB + let headroom = parsed.total / 10; // 10% headroom + let total_needs = backup_needs + upgrade_needs + headroom; + + if parsed.free < total_needs { + println!( + "free space: not enough free space, have {}, need {total_needs}", + parsed.free + ); + Ok(false) + } else { + println!("free space: enough free space"); + Ok(true) + } +} + +struct DfOutput { + total: u64, + free: u64, +} + +fn parse_df_output(stdout: &str) -> Result { + let line = match stdout.split_once('\n') { + Some((_, line)) => line, + None => bail!("df output didn't have a newline"), + }; + let parts: Vec<_> = line.split_whitespace().collect(); + + if parts.len() < 4 { + bail!("df output didn't have enough columns"); + } + + // vec indexing is safe because we did the bounds check above + let total = parts[1] + .parse::() + .context("parsing total space failed")?; + let free = parts[3] + .parse::() + .context("parsing free space failed")?; + + Ok(DfOutput { total, free }) +} + +const EXPECTED_DOMAINS: [&str; 3] = [ + "archive.ubuntu.com", + "security.ubuntu.com", + "apt.freedom.press", +]; + +const TEST_DOMAINS: [&str; 2] = + ["apt-qa.freedom.press", "apt-test.freedom.press"]; + +/// Verify only expected sources are configured for apt +fn check_apt() -> Result { + let output = process::Command::new("apt-get") + .arg("indextargets") + .output() + .context("spawning apt-get indextargets failed")?; + if !output.status.success() { + bail!( + "running apt-get indextargets failed: {}", + String::from_utf8_lossy(&output.stderr) + ); + } + + let stdout = String::from_utf8(output.stdout) + .context("apt-get stdout is not utf-8")?; + for line in stdout.lines() { + if line.starts_with("URI:") { + let uri = line.strip_prefix("URI: ").unwrap(); + let parsed = Url::parse(uri)?; + if let Some(Host::Domain(domain)) = parsed.host() { + if TEST_DOMAINS.contains(&domain) { + println!("apt: WARNING test source found ({domain})"); + } else if !EXPECTED_DOMAINS.contains(&domain) { + println!("apt: unexpected source: {domain}"); + return Ok(false); + } + } else { + println!("apt: unexpected source: {uri}"); + return Ok(false); + } + } + } + + println!("apt: all sources are expected"); + Ok(true) +} + +/// Check that systemd has no failed units +fn check_systemd() -> Result { + let output = process::Command::new("systemctl") + .arg("is-failed") + .output() + .context("spawning systemctl failed")?; + if output.status.success() { + // success means some units are failed + println!("systemd: some units are failed"); + Ok(false) + } else { + println!("systemd: no failed units"); + Ok(true) + } +} + +fn run() -> Result<()> { + let codename = os_codename()?; + if codename != "focal" { + println!("Unsupported Ubuntu version: {codename}"); + // nothing to do, write an empty JSON blob + fs::write(STATE_PATH, "{}")?; + return Ok(()); + } + + let state = State { + ssh: check_ssh_group()?, + ufw: check_ufw_removed(), + free_space: check_free_space()?, + apt: check_apt()?, + systemd: check_systemd()?, + }; + + fs::write( + STATE_PATH, + serde_json::to_string(&state).context("serializing state failed")?, + ) + .context("writing state file failed")?; + if state.is_ready() { + println!("All ready for migration!"); + } else { + println!( + "Some errors were found that will block migration. +If you are unsure what to do, please contact the SecureDrop +support team: ." + ); + // Logically we should exit with a failure here, but we don't + // want the systemd unit to fail. + } + Ok(()) +} + +fn main() -> Result { + if !geteuid().is_root() { + println!("This script must be run as root"); + return Ok(ExitCode::FAILURE); + } + + match run() { + Ok(()) => Ok(ExitCode::SUCCESS), + Err(e) => { + // Try to log the error in the least complex way possible + fs::write(STATE_PATH, "{\"error\": true}")?; + eprintln!("Error running migration pre-check: {e}"); + Ok(ExitCode::FAILURE) + } + } +} + +#[cfg(test)] +mod tests { + use super::*; + + #[test] + fn test_parse_getent_output() { + // no members + assert_eq!( + parse_getent_output("ssh:x:123:\n").unwrap(), + Vec::<&str>::new() + ); + // one member + assert_eq!( + parse_getent_output("ssh:x:123:member1\n").unwrap(), + vec!["member1"] + ); + // two members + assert_eq!( + parse_getent_output("ssh:x:123:member1,member2\n").unwrap(), + vec!["member1", "member2"] + ); + } + + #[test] + fn test_parse_df_output() { + // Taken from my Qubes VM, but the output of df is the same on Ubuntu + let output = parse_df_output( + "Filesystem 1K-blocks Used Available Use% Mounted on +/dev/mapper/dmroot 20260052 10727468 8478072 56% / +", + ) + .unwrap(); + + assert_eq!(output.total, 20260052); + assert_eq!(output.free, 8478072); + } +} diff --git a/noble-migration/src/main.rs b/noble-migration/src/main.rs deleted file mode 100644 index e7a11a969c..0000000000 --- a/noble-migration/src/main.rs +++ /dev/null @@ -1,3 +0,0 @@ -fn main() { - println!("Hello, world!"); -} diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service new file mode 100644 index 0000000000..250d073e03 --- /dev/null +++ b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.service @@ -0,0 +1,7 @@ +[Unit] +Description=Check noble migration readiness + +[Service] +Type=exec +ExecStart=/usr/bin/securedrop-noble-migration-check +User=root diff --git a/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer new file mode 100644 index 0000000000..1fcdcd0ac2 --- /dev/null +++ b/securedrop/debian/config/lib/systemd/system/securedrop-noble-migration-check.timer @@ -0,0 +1,10 @@ +[Unit] +Description=Check noble migration readiness + +[Timer] +OnCalendar=hourly +Persistent=true +RandomizedDelaySec=5m + +[Install] +WantedBy=timers.target diff --git a/securedrop/debian/rules b/securedrop/debian/rules index e5637bfdd2..548660c328 100755 --- a/securedrop/debian/rules +++ b/securedrop/debian/rules @@ -22,7 +22,7 @@ override_dh_auto_install: cd /srv/rust/noble-migration && cargo build --release --locked && \ cd /srv/securedrop && \ mkdir -p ./debian/securedrop-config/usr/bin && \ - mv /srv/rust/target/release/noble-migration ./debian/securedrop-config/usr/bin/noble-migration + mv /srv/rust/target/release/check ./debian/securedrop-config/usr/bin/securedrop-noble-migration-check # Build redwood wheel python3 /srv/rust/redwood/build-wheel.py --release --redwood /srv/rust/redwood --target /srv/rust/target # Set up virtualenv and install dependencies @@ -91,6 +91,7 @@ override_dh_systemd_enable: dh_systemd_enable --no-enable securedrop-remove-packages.service dh_systemd_enable --no-enable securedrop-cleanup-ossec.service dh_systemd_enable --no-enable securedrop-reboot-required.service + dh_systemd_enable --no-enable securedrop-noble-migration-check.service dh_systemd_enable # This is basically the same as the enable stanza above, just whether the @@ -102,4 +103,5 @@ override_dh_systemd_start: dh_systemd_start --no-start securedrop-remove-packages.service dh_systemd_start --no-start securedrop-cleanup-ossec.service dh_systemd_start --no-start securedrop-reboot-required.service + dh_systemd_start --no-start securedrop-noble-migration-check.service dh_systemd_start diff --git a/supply-chain/audits.toml b/supply-chain/audits.toml index d3bc786e4b..a420308c26 100644 --- a/supply-chain/audits.toml +++ b/supply-chain/audits.toml @@ -207,12 +207,23 @@ who = "Kunal Mehta " criteria = "safe-to-run" version = "1.15.0" +[[audits.url]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "2.5.3 -> 2.5.4" +notes = "primarily reverting one of the changes made in 2.5.3" + [[audits.xxhash-rust]] who = "Kunal Mehta " criteria = "safe-to-run" version = "0.8.7" notes = "Only the `xxh3` feature, used by Sequoia, was reviewed" +[[audits.zerofrom-derive]] +who = "Kunal Mehta " +criteria = "safe-to-run" +delta = "0.1.3 -> 0.1.4" + [[trusted.aho-corasick]] criteria = "safe-to-deploy" user-id = 189 # Andrew Gallant (BurntSushi) @@ -227,6 +238,13 @@ start = "2019-10-05" end = "2024-04-10" notes = "Rust Project member" +[[trusted.anyhow]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-10-05" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.buffered-reader]] criteria = "safe-to-deploy" user-id = 33886 # Neal H. Walfield (nwalfield) @@ -255,6 +273,13 @@ start = "2019-03-01" end = "2024-04-10" notes = "Rust Project member" +[[trusted.displaydoc]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2024-06-20" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.dyn-clone]] criteria = "safe-to-deploy" user-id = 3618 # David Tolnay (dtolnay) @@ -303,6 +328,20 @@ start = "2019-04-02" end = "2024-04-10" notes = "Rust Project member" +[[trusted.icu_properties]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2022-01-31" +end = "2025-05-14" +notes = "Rust Project member" + +[[trusted.idna]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2024-07-01" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.indexmap]] criteria = "safe-to-deploy" user-id = 539 # Josh Stone (cuviper) @@ -345,6 +384,13 @@ start = "2021-01-27" end = "2024-04-10" notes = "Rust Project member" +[[trusted.libc]] +criteria = "safe-to-deploy" +user-id = 55123 # rust-lang-owner +start = "2024-08-15" +end = "2025-05-14" +notes = "Rust Project role account" + [[trusted.linux-raw-sys]] criteria = "safe-to-deploy" user-id = 6825 # Dan Gohman (sunfishcode) @@ -352,6 +398,13 @@ start = "2021-06-12" end = "2024-04-10" notes = "Rust Project member" +[[trusted.linux-raw-sys]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2021-06-12" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.lock_api]] criteria = "safe-to-deploy" user-id = 2915 # Amanieu d'Antras (Amanieu) @@ -471,6 +524,13 @@ start = "2021-10-29" end = "2024-04-10" notes = "Rust Project member" +[[trusted.rustix]] +criteria = "safe-to-deploy" +user-id = 6825 # Dan Gohman (sunfishcode) +start = "2021-10-29" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.rustversion]] criteria = "safe-to-deploy" user-id = 3618 # David Tolnay (dtolnay) @@ -478,6 +538,13 @@ start = "2019-07-08" end = "2024-04-10" notes = "Rust Project member" +[[trusted.ryu]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-05-02" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.scopeguard]] criteria = "safe-to-deploy" user-id = 2915 # Amanieu d'Antras (Amanieu) @@ -527,6 +594,13 @@ start = "2019-03-01" end = "2024-04-10" notes = "Rust Project member" +[[trusted.syn]] +criteria = "safe-to-deploy" +user-id = 3618 # David Tolnay (dtolnay) +start = "2019-03-01" +end = "2025-05-14" +notes = "Rust Project member" + [[trusted.target-lexicon]] criteria = "safe-to-deploy" user-id = 6825 # Dan Gohman (sunfishcode) @@ -561,3 +635,31 @@ user-id = 3618 # David Tolnay (dtolnay) start = "2019-08-17" end = "2024-04-10" notes = "Rust Project member" + +[[trusted.url]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2021-02-18" +end = "2025-05-14" +notes = "Rust Project member" + +[[trusted.walkdir]] +criteria = "safe-to-deploy" +user-id = 189 # Andrew Gallant (BurntSushi) +start = "2019-06-09" +end = "2025-05-22" +notes = "Rust Project member" + +[[trusted.zerofrom-derive]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2022-04-06" +end = "2025-05-14" +notes = "Rust Project member" + +[[trusted.zerovec-derive]] +criteria = "safe-to-deploy" +user-id = 1139 # Manish Goregaokar (Manishearth) +start = "2021-12-11" +end = "2025-05-14" +notes = "Rust Project member" diff --git a/supply-chain/imports.lock b/supply-chain/imports.lock index a2cc6730e9..ce168f3c3e 100644 --- a/supply-chain/imports.lock +++ b/supply-chain/imports.lock @@ -9,8 +9,8 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.anyhow]] -version = "1.0.75" -when = "2023-08-17" +version = "1.0.93" +when = "2024-11-06" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -43,6 +43,13 @@ user-id = 5946 user-login = "jrmuizel" user-name = "Jeff Muizelaar" +[[publisher.displaydoc]] +version = "0.2.5" +when = "2024-06-20" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + [[publisher.dyn-clone]] version = "1.0.14" when = "2023-09-19" @@ -65,8 +72,8 @@ user-login = "cuviper" user-name = "Josh Stone" [[publisher.errno]] -version = "0.3.5" -when = "2023-10-08" +version = "0.3.8" +when = "2023-11-28" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" @@ -78,6 +85,20 @@ user-id = 2915 user-login = "Amanieu" user-name = "Amanieu d'Antras" +[[publisher.icu_properties]] +version = "1.5.1" +when = "2024-06-24" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + +[[publisher.idna]] +version = "1.0.2" +when = "2024-07-01" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + [[publisher.indexmap]] version = "2.0.2" when = "2023-09-29" @@ -106,9 +127,15 @@ user-id = 1386 user-login = "nikomatsakis" user-name = "Niko Matsakis" +[[publisher.libc]] +version = "0.2.162" +when = "2024-11-07" +user-id = 55123 +user-login = "rust-lang-owner" + [[publisher.linux-raw-sys]] -version = "0.4.10" -when = "2023-10-09" +version = "0.4.14" +when = "2024-05-17" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" @@ -163,15 +190,8 @@ user-login = "Amanieu" user-name = "Amanieu d'Antras" [[publisher.proc-macro2]] -version = "1.0.69" -when = "2023-10-09" -user-id = 3618 -user-login = "dtolnay" -user-name = "David Tolnay" - -[[publisher.quote]] -version = "1.0.33" -when = "2023-08-17" +version = "1.0.79" +when = "2024-03-12" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -205,8 +225,8 @@ user-login = "BurntSushi" user-name = "Andrew Gallant" [[publisher.rustix]] -version = "0.38.21" -when = "2023-10-26" +version = "0.38.40" +when = "2024-11-10" user-id = 6825 user-login = "sunfishcode" user-name = "Dan Gohman" @@ -218,6 +238,13 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.ryu]] +version = "1.0.18" +when = "2024-05-07" +user-id = 3618 +user-login = "dtolnay" +user-name = "David Tolnay" + [[publisher.scopeguard]] version = "1.2.0" when = "2023-07-17" @@ -247,8 +274,8 @@ user-login = "dtolnay" user-name = "David Tolnay" [[publisher.syn]] -version = "2.0.38" -when = "2023-10-05" +version = "2.0.87" +when = "2024-11-02" user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" @@ -288,6 +315,27 @@ user-id = 3618 user-login = "dtolnay" user-name = "David Tolnay" +[[publisher.utf8_iter]] +version = "1.0.4" +when = "2023-12-01" +user-id = 4484 +user-login = "hsivonen" +user-name = "Henri Sivonen" + +[[publisher.walkdir]] +version = "2.5.0" +when = "2024-03-01" +user-id = 189 +user-login = "BurntSushi" +user-name = "Andrew Gallant" + +[[publisher.zerovec-derive]] +version = "0.10.3" +when = "2024-06-24" +user-id = 1139 +user-login = "Manishearth" +user-name = "Manish Goregaokar" + [[audits.bytecode-alliance.audits.adler]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -341,29 +389,6 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.1" -[[audits.bytecode-alliance.audits.idna]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "0.3.0" -notes = """ -This is a crate without unsafe code or usage of the standard library. The large -size of this crate comes from the large generated unicode tables file. This -crate is broadly used throughout the ecosystem and does not contain anything -suspicious. -""" - -[[audits.bytecode-alliance.audits.libc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.146 -> 0.2.147" -notes = "Only new type definitions and updating others for some platforms, no major changes" - -[[audits.bytecode-alliance.audits.libc]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "0.2.148 -> 0.2.149" -notes = "Lots of new functions and constants for new platforms and nothing out of the ordinary for what one would expect of the `libc` crate." - [[audits.bytecode-alliance.audits.memoffset]] who = "Alex Crichton " criteria = "safe-to-deploy" @@ -389,40 +414,21 @@ who = "Pat Hickey " criteria = "safe-to-deploy" version = "0.1.0" -[[audits.bytecode-alliance.audits.tempfile]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -delta = "3.5.0 -> 3.6.0" -notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." - -[[audits.bytecode-alliance.audits.tinyvec]] +[[audits.bytecode-alliance.audits.percent-encoding]] who = "Alex Crichton " criteria = "safe-to-deploy" -version = "1.6.0" +version = "2.2.0" notes = """ -This crate, while it implements collections, does so without `std::*` APIs and -without `unsafe`. Skimming the crate everything looks reasonable and what one -would expect from idiomatic safe collections in Rust. +This crate is a single-file crate that does what it says on the tin. There are +a few `unsafe` blocks related to utf-8 validation which are locally verifiable +as correct and otherwise this crate is good to go. """ -[[audits.bytecode-alliance.audits.tinyvec_macros]] -who = "Alex Crichton " -criteria = "safe-to-deploy" -version = "0.1.0" -notes = """ -This is a trivial crate which only contains a singular macro definition which is -intended to multiplex across the internal representation of a tinyvec, -presumably. This trivially doesn't contain anything bad. -""" - -[[audits.bytecode-alliance.audits.unicode-bidi]] +[[audits.bytecode-alliance.audits.tempfile]] who = "Alex Crichton " criteria = "safe-to-deploy" -version = "0.3.8" -notes = """ -This crate has no unsafe code and does not use `std::*`. Skimming the crate it -does not attempt to out of the bounds of what it's already supposed to be doing. -""" +delta = "3.5.0 -> 3.6.0" +notes = "Dependency updates and new optimized trait implementations, but otherwise everything looks normal." [[audits.bytecode-alliance.audits.vcpkg]] who = "Pat Hickey " @@ -520,22 +526,41 @@ criteria = "safe-to-run" version = "0.10.5" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.itoa]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +version = "1.0.10" +notes = ''' +I grepped for \"crypt\", \"cipher\", \"fs\", \"net\" - there were no hits. + +There are a few places where `unsafe` is used. Unsafe review notes can be found +in https://crrev.com/c/5350697. + +Version 1.0.1 of this crate has been added to Chromium in +https://crrev.com/c/3321896. +''' +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.itoa]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.10 -> 1.0.11" +notes = """ +Straightforward diff between 1.0.10 and 1.0.11 - only 3 commits: + +* Bumping up the version +* A touch up of comments +* And my own PR to make `unsafe` blocks more granular: + https://github.com/dtolnay/itoa/pull/42 +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + [[audits.google.audits.lazy_static]] who = "Android Legacy" criteria = "safe-to-run" version = "1.4.0" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" -[[audits.google.audits.libc]] -who = "George Burgess IV " -criteria = "safe-to-run" -version = "0.2.146" -notes = """ -Much like the getrandom crate, this exports interfaces to APIs which perform -crypto, but does not implement any crypto itself. -""" -aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" - [[audits.google.audits.log]] who = "ChromeOS" criteria = "safe-to-run" @@ -584,22 +609,360 @@ criteria = "safe-to-run" version = "0.3.26" aggregated-from = "https://chromium.googlesource.com/chromiumos/third_party/rust_crates/+/refs/heads/main/cargo-vet/audits.toml?format=TEXT" +[[audits.google.audits.proc-macro2]] +who = "Adrian Taylor " +criteria = "safe-to-deploy" +delta = "1.0.79 -> 1.0.80" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.80 -> 1.0.81" +notes = "Comment changes only" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.81 -> 1.0.82" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Dustin J. Mitchell " +criteria = "safe-to-deploy" +delta = "1.0.82 -> 1.0.83" +notes = "Substantive change is replacing String with Box, saving memory." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.83 -> 1.0.84" +notes = "Only doc comment changes in `src/lib.rs`." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj@chromium.org" +criteria = "safe-to-deploy" +delta = "1.0.84 -> 1.0.85" +notes = "Test-only changes." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Lukasz Anforowicz " +criteria = "safe-to-deploy" +delta = "1.0.85 -> 1.0.86" +notes = """ +Comment-only changes in `build.rs`. +Reordering of `Cargo.toml` entries. +Just bumping up the version number in `lib.rs`. +Config-related changes in `test_size.rs`. +""" +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "danakj " +criteria = "safe-to-deploy" +delta = "1.0.86 -> 1.0.87" +notes = "No new unsafe interactions." +aggregated-from = "https://chromium.googlesource.com/chromium/src/+/main/third_party/rust/chromium_crates_io/supply-chain/audits.toml?format=TEXT" + +[[audits.google.audits.proc-macro2]] +who = "Liza Burakova