dahjah/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2026-04-09 11:01:39 -06:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

docs(audit): add reqwest/webauthn experiments summary

Browse Source
This commit is contained in:
kalvinparker 2025-11-10 22:45:40 +00:00
parent 9679613cfa
commit 101d9aefa3
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
issues/EXP-REQWEST-WEBAUTHN-2025-11-10.md Normal file
View File

@ -0,0 +1,30 @@
# Experiment: reqwest(native-tls) & webauthn-rs bump (2025-11-10)
Summary
-------
Two non-destructive experiments were executed in a copied workspace to evaluate remediation paths for the top license clusters.
1) reqwest/native-tls experiment
- Script: `docker/audit/exp/reqwest_native_exp.sh`
- Action: attempted to prefer `native-tls` for `reqwest` by editing `Cargo.toml`, running `cargo update -p reqwest`, and running `cargo-deny` (licenses) in a workspace copy.
- Result: `cargo-deny` reduced license errors to a single error: `ar_archive_writer v0.2.0` (license: Apache-2.0 WITH LLVM-exception) via `lettre` -> `psm` -> `stacker` -> `chumsky` -> `vaultwarden` path. The `webpki-roots` (CDLA-Permissive-2.0) failure was removed in this experiment.
- Artifacts: `docker/audit/output/deny_reqwest_native.err` (diagnostic), `docker/audit/output/deny_reqwest_native.json` (may be empty), `docker/audit/output/req_exp.done` (marker).
2) webauthn-rs bump experiment
- Script: `docker/audit/exp/patch_and_run.sh`
- Action: in a workspace copy, attempted to bump `webauthn-rs` to `0.6` and ran `cargo update -p webauthn-rs` and `cargo-deny` (licenses).
- Result: MPL-2.0 failures related to the `webauthn-rs` family were removed by the non-destructive bump attempt (in the copied workspace experiment). The remaining single license rejection (same as above) persisted.
- Artifacts: `docker/audit/output/deny_licenses.err`, `docker/audit/output/deny_licenses.json` (may be empty), `docker/audit/output/exp.done`.
Conclusion & recommended next step
--------------------------------
- Both experiments significantly reduced the license noise: from the previously reported set down to one remaining rejection: `ar_archive_writer v0.2.0` (Apache-2.0 WITH LLVM-exception).
- Recommended immediate actions:
1. Decide whether to temporarily allow `Apache-2.0 WITH LLVM-exception` in `deny.toml` (timeboxed) to unblock CI, OR
2. Investigate the `lettre`/`psm` chain to find alternative crates or versions that avoid `ar_archive_writer`.
- If you approve, I can open a follow-up branch that applies the minimal change (either temporary allowlist addition or a patch bump) and run CI to verify `cargo-deny` cleanly passes.
Notes
-----
- All changes in these experiments were done in copied workspaces inside the audit container and did not modify the main branch's `Cargo.toml` or lockfile.
- Full experiment artifacts are saved under `docker/audit/output/` in the repository workspace.