DOSE-498 Crate supply chain management (e.g. open-source license veri…

…fication) (openzfs#94)

Signed-off-by: Paul Dagnelie <pcd@delphix.com>

.github/workflows/deny.yml

@@ -0,0 +1,20 @@
+name: cargo-deny
+on: [push, pull_request]
+jobs:
+  cargo-deny:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        checks:
+          - advisories
+          - bans licenses sources
+
+    # Prevent sudden announcement of a new advisory from failing ci:
+    continue-on-error: ${{ matrix.checks == 'advisories' }}
+
+    steps:
+    - uses: actions/checkout@v2
+    - uses: EmbarkStudios/cargo-deny-action@v1
+      with:
+        command: check ${{ matrix.checks }}
+        arguments: --all-features --manifest-path=cmd/zfs_object_agent/Cargo.toml

cmd/zfs_object_agent/client/Cargo.toml

@@ -3,6 +3,7 @@ name = "zoa_test"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/deny.toml

@@ -0,0 +1,45 @@
+vulnerability = "deny"
+unmaintained = "warn"
+yanked = "warn"
+notice = "warn"
+
+#
+# We don't want to violate the licenses of anything we depend on, so we forbid
+# any strong copyleft licenses like the GPL that would require the whole
+# project to be GPL.
+#
+[licenses]
+unlicensed = "deny"
+copyleft = "deny"
+allow-osi-fsf-free = "both"
+default = "deny"
+confidence-threshold = 0.95
+allow = [
+	"CC0-1.0",
+	"BSD-2-Clause",
+	"MPL-2.0",
+]
+#
+# XXX This is here because our packages are currently unlicensed; when they
+# are licensed and published, we should remove this line.
+#
+private = { ignore = true }
+
+[sources]
+allow-git = [
+	"https://github.com/ahrens/rust-libzfs",
+]
+
+[sources.allow-org]
+github = ["delphix"]
+
+[advisories]
+ignore = [
+       #
+       # See https://github.com/time-rs/time/issues/293 for more information;
+       # we don't use any of the functions in question, and we don't have
+       # threads setting the time environment variables while we run.
+       #
+       "RUSTSEC-2020-0071",
+       "RUSTSEC-2020-0159",
+]

cmd/zfs_object_agent/object_perf/Cargo.toml

@@ -3,6 +3,7 @@ name = "zfs_object_perf"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/server/Cargo.toml

@@ -3,6 +3,7 @@ name = "zfs_object_agent"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/util/Cargo.toml

@@ -3,6 +3,7 @@ name = "util"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 [dependencies]

cmd/zfs_object_agent/zcache/Cargo.toml

@@ -3,6 +3,7 @@ name = "zcache"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/zcdb/Cargo.toml

@@ -3,6 +3,7 @@ name = "zcachedb"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/zettacache/Cargo.toml

@@ -3,6 +3,7 @@ name = "zettacache"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/zettaobject/Cargo.toml

@@ -3,6 +3,7 @@ name = "zettaobject"
 version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 

cmd/zfs_object_agent/zoa/Cargo.toml

@@ -4,6 +4,7 @@ version = "0.1.0"
 authors = ["Delphix"]
 edition = "2021"
 build = "src/build.rs"
+publish = false
 
 [build-dependencies]
 cbindgen = "0.20"