EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Bug: git dependencies flagged as wildcard dependencies when using `allow-wildcard-paths = true` if published to a private registry #646

Open joaommartins opened 3 months ago

joaommartins commented 3 months ago

Describe the bug

The implementation of #599, fixing #488, correctly addresses the case where a dependency uses publish = false in its Cargo.toml.

Unfortunately, it does not address the case where the dependency is published to a private registry. #599 made use of the crate::Krate.is_private function, but it doesn't pass the declared private registries. These are declared in the licenses section of deny.toml:

```toml
[licenses.private]
# If true, ignores workspace crates that aren't published, or are only
# published to private registries.
# To see how to mark a crate as unpublished (to the official registry),
# visit https://doc.rust-lang.org/cargo/reference/manifest.html#the-publish-field.
ignore = false
# One or more private registries that you might publish crates to, if a crate
# is only published to private registries, and ignore is true, the crate will
# not have its license(s) checked
registries = [
    #"https://sekretz.com/registry
]
```

I can open a PR with a kludgy implementation that passes the crate::licenses::cfg::ValidConfig to crate::bans::check so one can extract the private registries before checking if the dependency is private:

```rust
...
if allow_wildcard_paths {
    let private_registries: Vec<_> = private_ctx
        .cfg
        .private
        .registries
        .iter()
        .map(|s| s.as_str())
        .collect();
    let is_private = krate.is_private(&private_registries);
...
```

However, this does not seem like the best approach as it mixes configuration contexts across different types of checks, and it seems to me like a more expansive change to the private registry declaration would be needed in order to more cleanly organise the code.

To reproduce

Dependency declared as publishing to a private repo:

```toml
[package]
name = "wildcards-test-allow-git-private-repo"
version = "0.1.0"
authors = []
edition = "2018"
license = "MIT"

publish = ["private-registry"]

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
# An arbitrary choice of actually existent Git repository
wildcards-test-allow-git = { package = "krates", git = "https://github.com/EmbarkStudios/krates", rev = "b03ecd6f3204a1b1ec04fbaead2d0d122a3a4494" }
```

.cargo/config.toml file:

```toml
[registries]
private-registry = { index = "https://private-registry.com/git/index.git" }
```

deny.toml file:

```toml
[licenses.private]
# So we don't have to declare a license on our own unpublished crates.
ignore = true
registries = ["private-registry"]

[bans]
wildcards = "deny"
allow-wildcard-paths = true
```

cargo-deny version

0.14.20

What OS were you running cargo-deny on?

Linux

Additional context

See https://github.com/joaommartins/cargo-deny/tree/fix-private-repo-dependency-wildcard for a wip implementation.
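The following is an added, self-contained model of the check described in this issue; it is not cargo-deny's or krates' own code, and the names `Publish`, `Krate`, `is_private` and `wildcard_allowed` are assumptions chosen to mirror the report. It shows why a crate with `publish = ["private-registry"]` is treated as non-private (and so has its git dependency flagged) when the call site passes no private registries, and how the same crate is classified once the `[licenses.private] registries` list reaches the check.

```rust
// Added example modelling the private-crate check from the issue (not project code).

/// Cargo's `publish` manifest field: absent (publishable anywhere),
/// `false` (never published), or an explicit list of registry names.
#[derive(Debug, Clone)]
enum Publish {
    Any,
    Never,
    Registries(Vec<String>),
}

/// Minimal stand-in for a workspace crate (hypothetical type, not krates' `Krate`).
struct Krate {
    name: String,
    publish: Publish,
}

impl Krate {
    /// A crate counts as private if it is never published, or if every registry
    /// it publishes to is one the user declared in `[licenses.private] registries`.
    fn is_private(&self, private_registries: &[&str]) -> bool {
        match &self.publish {
            Publish::Any => false,
            Publish::Never => true,
            Publish::Registries(regs) => {
                !regs.is_empty() && regs.iter().all(|r| private_registries.contains(&r.as_str()))
            }
        }
    }
}

/// Under `allow-wildcard-paths = true`, a wildcard version on a path/git
/// dependency is tolerated only when the declaring crate is private.
fn wildcard_allowed(krate: &Krate, allow_wildcard_paths: bool, private_registries: &[&str]) -> bool {
    allow_wildcard_paths && krate.is_private(private_registries)
}

fn main() {
    // Constructed crate matching the reproduction manifest in the issue.
    let krate = Krate {
        name: "wildcards-test-allow-git-private-repo".to_string(),
        publish: Publish::Registries(vec!["private-registry".to_string()]),
    };
    // Buggy call site: the registries from deny.toml never reach the check.
    println!("{} without registries: {}", krate.name, wildcard_allowed(&krate, true, &[]));
    // Call site that forwards the configured private registries.
    println!("{} with registries: {}", krate.name, wildcard_allowed(&krate, true, &["private-registry"]));
}
```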