[advisories] unmaintained = "allow" ignore = [ "RUSTSEC-2020-0071", "RUSTSEC-2022-0093", # Timing attack on RSA. # Delta Chat does not use RSA for new keys # and this requires precise measurement of the decryption time by the attacker. # There is no fix at the time of writing this (2023-11-28). # "RUSTSEC-2023-0071", ] [bans] # Accept some duplicate versions, ideally we work towards this list # becoming empty. Adding versions forces us to revisit this at least # when upgrading. # Please keep this list alphabetically sorted. skip = [ { name = "async-channel", version = "1.9.0" }, { name = "base16ct", version = "0.1.1" }, { name = "base64", version = "<0.21" }, { name = "bitflags", version = "1.3.2" }, { name = "block-buffer", version = "<0.10" }, { name = "convert_case", version = "0.4.0" }, { name = "curve25519-dalek", version = "3.2.0" }, { name = "darling_core", version = "<0.14" }, { name = "darling_macro", version = "<0.14" }, { name = "darling", version = "<0.14" }, { name = "der", version = "0.6.1" }, { name = "digest", version = "<0.10" }, { name = "ed25519-dalek", version = "1.0.1" }, { name = "ed25519", version = "1.5.3" }, { name = "event-listener", version = "2.5.3" }, { name = "getrandom", version = "<0.2" }, { name = "h2", version = "0.3.22" }, { name = "http-body", version = "0.4.5" }, { name = "http", version = "0.2.11" }, { name = "hyper", version = "0.14.27" }, { name = "idna", version = "0.4.0" }, { name = "pem-rfc7468", version = "0.6.0" }, { name = "pkcs8", version = "0.9.0" }, { name = "quick-error", version = "<2.0" }, { name = "rand_chacha", version = "<0.3" }, { name = "rand_core", version = "<0.6" }, { name = "rand", version = "<0.8" }, { name = "redox_syscall", version = "0.3.5" }, { name = "regex-automata", version = "0.1.10" }, { name = "regex-syntax", version = "0.6.29" }, { name = "ring", version = "0.16.20" }, { name = "sec1", version = "0.3.0" }, { name = "sha2", version = "<0.10" }, { name = "signature", version = "1.6.4" }, { name = "spin", version = "<0.9.6" }, { name = "spki", version = "0.6.0" }, { name = "syn", version = "1.0.109" }, { name = "time", version = "<0.3" }, { name = "untrusted", version = "0.7.1" }, { name = "wasi", version = "<0.11" }, { name = "windows_aarch64_gnullvm", version = "<0.52" }, { name = "windows_aarch64_msvc", version = "<0.52" }, { name = "windows_i686_gnu", version = "<0.52" }, { name = "windows_i686_msvc", version = "<0.52" }, { name = "windows-sys", version = "<0.52" }, { name = "windows-targets", version = "<0.52" }, { name = "windows", version = "0.32.0" }, { name = "windows_x86_64_gnullvm", version = "<0.52" }, { name = "windows_x86_64_gnu", version = "<0.52" }, { name = "windows_x86_64_msvc", version = "<0.52" }, ] [licenses] allow = [ "0BSD", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "BSL-1.0", # Boost Software License 1.0 "CC0-1.0", "ISC", "MIT", "MPL-2.0", "OpenSSL", "Unicode-DFS-2016", "Zlib", ] [[licenses.clarify]] name = "ring" expression = "MIT AND ISC AND OpenSSL" license-files = [ { path = "LICENSE", hash = 0xbd0eed23 }, ] [sources.allow-org] # Organisations which we allow git sources from. github = [ "async-email", "deltachat", ]