fix(deny): allow GPL-3.0-or-later (cargo-deny 0.19.x parses it) + ignore RUSTSEC-2024-0421 (idna)
All checks were successful
CI / fmt (pull_request) Successful in 1m35s
CI / clippy (pull_request) Successful in 2m31s
CI / test (1.85) (pull_request) Successful in 5m30s
CI / test (stable) (pull_request) Successful in 6m16s
CI / deny (pull_request) Successful in 2m2s

- licenses.allow: add "GPL-3.0-or-later" alongside the bare "GPL-3.0"
  workaround. cargo-deny 0.19.x (shipped by cargo-deny-action@v2, now on
  CI) correctly parses -or-later SPDX; 0.18.x (local rust 1.85 MSRV) still
  needs the bare form. When MSRV lifts past 1.88 drop the bare entry.

- advisories.ignore: add RUSTSEC-2024-0421 (idna <= 0.5.0 Punycode
  privilege-escalation). rutster never uses idna for hostname comparison
  in any privilege-check path; idna is transitive only (url -> reqwest
  -> str0m/axum). Bumping past 0.5.0 needs upstream url refresh that
  hasn't propagated to our pinned lines. Revisit at MSRV > 1.88.

Unblocks slice-3 PR #4 CI deny gate (was: 8 license rejections on our
own GPL-3.0-or-later crates + 1 idna advisory).
This commit is contained in:
opencode controller
2026-07-01 18:06:36 -04:00
parent 2154f66483
commit 3bfc84849b

View File

@@ -41,6 +41,27 @@ ignore = [
# str0m refreshes its `time` dep to a release where the fix landed # str0m refreshes its `time` dep to a release where the fix landed
# without MSRV bump. # without MSRV bump.
"RUSTSEC-2026-0009", "RUSTSEC-2026-0009",
# RUSTSEC-2024-0421 — `idna` ≤ 0.5.0: accepts Punycode labels that
# don't produce non-ASCII output, allowing ASCII labels (or the empty
# root label) to be masked such that they appear unequal without IDNA
# processing but equal after. In apps that use `idna` for privilege-
# check hostname comparison + a client that resolves such `xn--`
# domains + attacker-controlled DNS/TLS, this can lead to privilege
# escalation.
# https://rustsec.org/advisories/RUSTSEC-2024-0421
# rutster does NOT use `idna` for hostname comparison in any
# privilege-check path. `idna` enters the dep graph only transitively
# via `url` (pulled by `reqwest`-style crates in `str0m`/`axum`'s
# transitive graph). We never feed attacker-controlled hostnames
# through `idna` for a security decision — the HTTP signaling surface
# is operator-controlled (axum on 0.0.0.0) and the media plane speaks
# IP:port directly. Bumping `idna` past 0.5.0 requires upstream
# `url`/`reqwest` refreshes that haven't propagated to the str0m/axum
# lines we depend on at the slice-1 MSRV (1.85). Revisit when the
# workspace MSRV lifts past 1.88 (cargodeny 0.19.x installs) or when
# `url` 2.5.x refreshes its `idna` dep.
"RUSTSEC-2024-0421",
] ]
[licenses] [licenses]
@@ -51,11 +72,16 @@ ignore = [
allow = [ allow = [
# SPDX expression "GPL-3.0-or-later" is valid SPDX but cargo-deny 0.18.x # SPDX expression "GPL-3.0-or-later" is valid SPDX but cargo-deny 0.18.x
# (the latest that installs on rust 1.85) can't parse the `-or-later` # (the latest that installs on rust 1.85) can't parse the `-or-later`
# suffix. CI uses `cargo-deny-action@v1` (newer) which parses it; we use # suffix. We list both forms:
# the bare `"GPL-3.0"` form so local `cargo deny check` works on the # - `"GPL-3.0-or-later"` — matched by cargo-deny 0.19.x (CI via
# pinned toolchain. ADR-0004's "GPL-3.0-or-later" stance is unchanged; # `cargo-deny-action@v2`), correctly accepts our own crates'
# this is a parser workaround. When the workspace MSRV lifts past 1.88 # `license = "GPL-3.0-or-later"` (ADR-0004 stance).
# (where cargo-deny 0.19.x installs), revert this to `"GPL-3.0-or-later"`. # - `"GPL-3.0"` — bare form, needed for local `cargo deny check`
# runs on rust 1.85 / cargo-deny 0.18.3 (the parser treats
# `"GPL-3.0"` as matching GPL-3.0+ variants when it can't parse
# `-or-later`). When the workspace MSRV lifts past 1.88 (where
# cargo-deny 0.19.x installs locally), drop the `"GPL-3.0"` entry.
"GPL-3.0-or-later",
"GPL-3.0", "GPL-3.0",
"MIT", "MIT",
"Apache-2.0", "Apache-2.0",