diff options
author | Matthias Beyer <mail@beyermatthias.de> | 2020-12-04 14:27:08 +0100 |
---|---|---|
committer | Matthias Beyer <matthias.beyer@atos.net> | 2021-01-13 15:08:56 +0100 |
commit | 1aae75b405819e4f6d1fb3da4b2d71db80dc28a7 (patch) | |
tree | ab6141fe9c388e9ab9e54d8691df1ba76f6e2454 | |
parent | a3d06a98454273b8ce4ecb7fe967c12b7ba00537 (diff) |
Add deny.toml for cargo-deny
This patch adds the deny.toml configuration file for cargo-deny to
* check licenses of the dependencies
* check that dependencies are fetched from trusted sources
We do not allow copyleft licenses, except for MPL-2.0, which is
considered "safe" as a dependency because it only applies to the code
that's licensed, not code that depends on it. (IANAL)
We allow either OSI or FSF approved "free" licenses.
Signed-off-by: Matthias Beyer <mail@beyermatthias.de>
-rw-r--r-- | deny.toml | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/deny.toml b/deny.toml new file mode 100644 index 0000000..57ee31c --- /dev/null +++ b/deny.toml @@ -0,0 +1,62 @@ +[licenses] +# The lint level for crates which do not have a detectable license +unlicensed = "deny" + +# List of explictly allowed licenses +# See https://spdx.org/licenses/ for list of possible licenses +# [possible values: any SPDX 3.7 short identifier (+ optional exception)]. +allow = ["MPL-2.0"] + +# List of explictly disallowed licenses +# See https://spdx.org/licenses/ for list of possible licenses +# [possible values: any SPDX 3.7 short identifier (+ optional exception)]. +deny = [] + +# The lint level for licenses considered copyleft +copyleft = "deny" + +# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses +# * both - The license will only be approved if it is both OSI-approved *AND* FSF/Free +# * either - The license will be approved if it is either OSI-approved *OR* FSF/Free +# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF/Free +# * fsf-only - The license will be approved if is FSF/Free *AND NOT* OSI-approved +# * neither - The license will be denied if is FSF/Free *OR* OSI-approved +allow-osi-fsf-free = "either" + +# The confidence threshold for detecting a license from license text. +# The higher the value, the more closely the license text must be to the +# canonical license text of a valid SPDX license file. +# [possible values: any between 0.0 and 1.0]. +confidence-threshold = 0.8 + +[bans] +# Lint level for when multiple versions of the same crate are detected +multiple-versions = "warn" + +# The graph highlighting used when creating dotgraphs for crates +# with multiple versions +# * lowest-version - The path to the lowest versioned duplicate is highlighted +# * simplest-path - The path to the version with the fewest edges is highlighted +# * all - Both lowest-version and simplest-path are used +highlight = "all" + +# List of crates that are allowed. Use with care! +allow = [ +] + +# List of crates to deny +deny = [ + # Each entry the name of a crate and a version range. If version is + # not specified, all versions will be matched. +] + +# Certain crates/versions that will be skipped when doing duplicate detection. +skip = [ +] + +# Similarly to `skip` allows you to skip certain crates during duplicate detection, +# unlike skip, it also includes the entire tree of transitive dependencies starting at +# the specified crate, up to a certain depth, which is by default infinite +skip-tree = [ +] + |