move CCADB fetching into a crate

[mspiegel]

Change the webpki-roots repo to be a workspace that includes a crate that pulls the CCADB stuff and exposes an API. This pull request has a dependency on https://github.com/rustls/webpki/pull/212.

[cpu]

Thanks for the PR! Some initial feedback:

• Based on experience with a similar change in another Rustls repo I think we would prefer to have a workspace-only top-level Cargo.toml and have the two crates live in separate directories.
• While waiting on the webpki fix for the pki-types semver break I think it would be better to leave this repo using alpha.7, and change the pki-types dependencies from 0.2.2 to =0.2.2. That should unbreak the build/CI - probably best done in its own commit ahead of the other work.
• Relatedly, pki-types should probably be a workspace dependency. We'd want both crates to use the same version.
• webpki_ccadb::fetch_ccadb_roots could use a Rustdoc comment since it's now public API surface.
• I think it would be nice to update README.md to mention the webpki-ccadb crate.
• Please don't reference GitHub issues in commit messages (e.g. https://github.com/rustls/webpki-roots/pull/56/commits/b8ae94b981da269871e0108654fcfef9071a6465) - this is mentioned in CONTRIBUTING.md in "code changes".

[cpu]

incorporating feedback from code review

It would be easier to review if you could keep the commit history tidy, with discrete commits instead of layering the feedback on top in one commit. Thank you

[djc]

The first commit here should turn the repo into a Cargo workspace without doing anything else, to untangle that change from everything else. The next commit should do the minimal possible change to move code from codegen.rs into the new crate's lib.rs. Changes like alphabetizing dependencies should not appear in a commit if the ordering issue was introduced in an earlier commit.

(There's also no need to pin the pki-types dependency to =0.2.2 -- just 0.2.2 should suffice.)

[cpu]

(There's also no need to pin the pki-types dependency to =0.2.2 -- just 0.2.2 should suffice.)"

Sorry this one is on me: I accidentally broke semver w/ 0.2.3 and webpki won't build w/ 0.2.3 without landing https://github.com/rustls/webpki/pull/212

[cpu]

Sorry this one is on me: I accidentally https://github.com/rustls/pki-types/pull/14#issuecomment-1830877275 w/ 0.2.3

This is resolved w/ webpki 0.102.0-alpha.8

[mspiegel]

I'll update the commit history to have 2 commits as suggested and use webpki 0.102.0-alpha.8.

[mspiegel]

I've updated the commit history. Let me know if I should make any changes.

[mspiegel]

What license should be assigned to the webpki-ccadb crate? The webpki-ccadb crate contains source code that was moved from the webpki-roots crate. The webpki-roots crate is under "MPL-2.0". Therefore webpki-ccadb should also be "MPL-2.0"?

[mspiegel]

I've added the MPL 2.0 license to the webpki-ccadb crate. Let me know if any more changes are needed.

[ctz]

What license should be assigned to the webpki-ccadb crate? The webpki-ccadb crate contains source code that was moved from the webpki-roots crate. The webpki-roots crate is under "MPL-2.0". Therefore webpki-ccadb should also be "MPL-2.0"?

The webpki-roots crate is distributed under MPL-2.0 because it was an automatically generated derived work from an MPL-2.0-licensed source.

That doesn't really apply to the code we (predominantly, @cpu) wrote which would form the basis of this new library crate. I'd suggest MIT OR Apache-2.0 would be the most natural choice.

[cpu]

I'd suggest MIT OR Apache-2.0 would be the most natural choice.

SGTM.

[mspiegel]

What license should be assigned to the webpki-ccadb crate? The webpki-ccadb crate contains source code that was moved from the webpki-roots crate. The webpki-roots crate is under "MPL-2.0". Therefore webpki-ccadb should also be "MPL-2.0"?

The webpki-roots crate is distributed under MPL-2.0 because it was an automatically generated derived work from an MPL-2.0-licensed source.

That doesn't really apply to the code we (predominantly, @cpu) wrote which would form the basis of this new library crate. I'd suggest MIT OR Apache-2.0 would be the most natural choice.

The webpki-ccadb crate is source code that was in the webpki-roots crate. All the source code of the webpki-roots crate was under the MPL 2.0 license. Can I get confirmation that you wish to change the license of webpki-ccadb to be 'MIT or APACHE-2.0'?

[mspiegel]

Sorry, I didn't see @cpu's affirmation above. I will change the license.

[mspiegel]

Changed license of webpki-ccadb to be "MIT or APACHE-2.0"

[djc]

I've published the webpki-ccadb 0.1.0 release to crates.io.