mirror of https://github.com/signalapp/libsignal.git synced 2024-09-20 03:52:17 +02:00
libsignal/acknowledgments/README.md
Jordan Rose 85e0de9207
Update Rust dependencies
`cargo update` performed with Cargo 1.72 to avoid advancing our MSRV. assert_cmd, clap, protobuf, and protobuf-json-mapping needed to be manually held back.

Plus, explicit bumps for
- env_logger 0.11
- heck 0.5
- itertools 0.13
- num_enum 0.7
- prost 0.13
- tungstenite 0.23

And disallowing downgrading curve25519-dalek below the security update in 4.1.3.
2024-07-25 13:33:09 -07:00


This directory contains pre-generated acknowledgments for the Rust dependencies of libsignal. CI enforces that they are kept up to date.

Updating

If you update libsignal's dependencies, you'll need to update this listing. Install cargo-about if you haven't already:

cargo +stable install --locked cargo-about --version $(cat acknowledgments/cargo-about-version)

Then:

  1. Run bin/regenerate_acknowledgments.sh.
  2. Check the HTML output for new "synthesized" entries. This can indicate that the license for a particular dependency was not properly detected.
  3. If there are any unaccounted-for "synthesized" entries, add new "clarify" entries to about.toml.

Apart from the projects in this very repo, there are a few other crates that unavoidably have "synthesized" licenses based on their Cargo manifests:

  • cesu8: Very old crate whose repository contains a license file for the Rust project itself, rather than the crate.
  • half: Not actually synthesized! Their license file just matches the synthesized text perfectly. A bug in cargo-about, presumably.
  • pqcrypto-*: Uploaded without a license file, though a license is listed in the Cargo.toml for each crate. The Kyber implementations we use are released as Public Domain, so no acknowledgment is necessary.
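One way to automate step 2 and the exception list above, as an added example that is not part of libsignal or cargo-about: it reports crates whose license block is marked "synthesized" and that are neither in the README's known list nor in the repo itself. The HTML layout it parses, the `unexpected_synthesized` function, the `in_repo_crates` parameter and the sample input are assumptions made for illustration; adapt the patterns to the markup the real template produces.

```python
import fnmatch
import re

# Crates the README lists as unavoidably "synthesized" (glob patterns allowed).
KNOWN_SYNTHESIZED = ["cesu8", "half", "pqcrypto-*"]

# ASSUMED layout (not taken from the real template): one <li class="license">
# per license, "synthesized" in its <h3>, crates listed as "<name> <version>".
LICENSE_BLOCK = re.compile(r'<li class="license">(.*?)</pre>', re.S)
HEADING = re.compile(r"<h3[^>]*>(.*?)</h3>", re.S)
USED_BY = re.compile(r"<li><a [^>]*>([^<\s]+) [^<]*</a></li>")

# Constructed sample input; crate versions are placeholders.
SAMPLE_HTML = """
<li class="license"><h3>Apache License 2.0</h3>
<ul class="license-used-by"><li><a href="#">itertools 0.0.0</a></li></ul>
<pre class="license-text">...</pre></li>
<li class="license"><h3>MIT License (synthesized)</h3>
<ul class="license-used-by"><li><a href="#">cesu8 0.0.0</a></li>
<li><a href="#">pqcrypto-kyber 0.0.0</a></li>
<li><a href="#">example-newdep 0.0.0</a></li></ul>
<pre class="license-text">...</pre></li>
<li class="license"><h3>AGPL-3.0-only (synthesized)</h3>
<ul class="license-used-by"><li><a href="#">libsignal-core 0.0.0</a></li></ul>
<pre class="license-text">...</pre></li>
"""


def unexpected_synthesized(html, in_repo_crates=()):
    """Return sorted crate names with a synthesized license that are unaccounted for."""
    allowed = list(KNOWN_SYNTHESIZED) + list(in_repo_crates)
    flagged = set()
    for block in LICENSE_BLOCK.findall(html):
        heading = HEADING.search(block)
        if not heading or "synthesized" not in heading.group(1).lower():
            continue  # license text came from a real file in the crate
        for crate in USED_BY.findall(block):
            if not any(fnmatch.fnmatchcase(crate, pat) for pat in allowed):
                flagged.add(crate)
    return sorted(flagged)


if __name__ == "__main__":
    # Each crate printed here needs review and possibly a "clarify" entry.
    for name in unexpected_synthesized(SAMPLE_HTML, in_repo_crates=["libsignal-*"]):
        print("unaccounted synthesized license:", name)
```

A non-empty result is the cue for step 3: either the dependency really ships no license file, or detection failed and a "clarify" entry is needed.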