Last week we announced a new system for auditing Rust dependencies called cargo-vet. To govern the usage of this system, I'd like to create a new module, Supply Chain, under Core.
This is primarily a policy module. The intent is not for its members to audit dependencies directly, but rather to determine what auditing is required and to approve audit record submissions for inclusion in our set. Because cargo-vet records its audits and policy as checked-in files, these duties map relatively cleanly to reviewing changes to the files in the top-level supply-chain directory.
Eventually, it could make sense to widen the scope of this module to cover other languages, in coordination with the TLMC. For now though, we're just going to focus on Rust. Here are the proposed details:
Name: Core :: Supply Chain
Description: Policy management for third-party Rust dependencies.
Owner: Bobby Holley
Peers: Aria Beingessner, Nika Layzell, Tom Ritter
Source Dir(s): supply-chain/
Bugzilla Component: Firefox Build System :: General
Let me know if anyone has questions or concerns. Absent any, I plan to update the wiki next week.