From e80618d3ea30d383c8146a505e32467bf96f36cd Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Tue, 16 Jun 2026 07:53:12 +1000
Subject: [PATCH] ci: declare cachekit-core first-party for cargo-vet (end self-audit treadmill)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The weekly Security gate's "Cargo Vet (Supply Chain)" job has been red since the 0.2.1 release. The sole unvetted "dependency" was cachekit-core itself: [policy.cachekit-core] set audit-as-crates-io = true, forcing cargo-vet to audit the crate as a third-party crates.io download — satisfied only by [[exemptions.cachekit-core]] pinned to 0.2.0. Every version bump leaves that exemption stale and re-reds the gate until someone hand-runs `cargo vet certify`. A pure treadmill with zero security value. cachekit-core is the first-party crate of this repo: the local source IS the crate, so auditing it against crates.io is circular. Declaring audit-as-crates-io = false (and dropping the now-unused self-exemption) fixes it permanently with no loss of vetting over genuine third-party deps. Verified: `cargo vet --locked` -> "Vetting Succeeded (83 fully audited, 5 partially audited, 97 exempted)".
---
 supply-chain/config.toml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 9de3995..8ae2abb 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
@@ -23,7 +23,7 @@ url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"
 url = "https://raw.githubusercontent.com/zcash/rust-ecosystem/main/supply-chain/audits.toml"
 [policy.cachekit-core]
-audit-as-crates-io = true
+audit-as-crates-io = false
 [[exemptions.aead]]
 version = "0.5.2"
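Review bot: The `[policy.cachekit-core]` table now carries a bare `audit-as-crates-io = false` with nothing in the file recording why that value must stay explicit, and a reader who later sees the crate listed as unaudited may flip it back to `true` and restart exactly the treadmill the commit message describes. I would add above the header: `# First-party crate built from this repo's own source; cargo-vet must not audit it as a crates.io download. Keep this explicit: cargo-vet otherwise flags a local crate whose name matches a published one.` The second sentence of that comment is from memory of cargo-vet's behaviour and should be checked against the installed version's documentation before landing. One caveat worth stating in the PR text: this policy only reclassifies the local copy, so if a crates.io-published cachekit-core ever enters the dependency graph (for example an older version as a dev-dependency for compatibility tests) it should still fall under normal vetting, and the local crate's own code is now covered by repository code review rather than by cargo-vet.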
@@ -69,10 +69,6 @@ criteria = "safe-to-run"
 version = "1.11.1"
 criteria = "safe-to-deploy"
-[[exemptions.cachekit-core]]
-version = "0.2.0"
-criteria = "safe-to-deploy"
-
 [[exemptions.cbindgen]]
 version = "0.29.2"
 criteria = "safe-to-deploy"