
chore(ci): add cargo vet #1098

Open. Wants to merge 3 commits into base: next
Conversation

@MCJOHN974 commented Jan 23, 2025

Hi all, it's my first PR there!

Description

This PR adds cargo vet to CI and all necessary files to make it work. cargo vet is a tool to check whether the crates you use in your project were audited, and it will highlight any that were not. If some crate wasn't audited, you can still use it -- just audit it yourself (put the version you audited in supply-chain/audits.toml). This tool improves project security by forcing you to think a bit about whether you want to use an unaudited crate, and to explicitly write that you want it.

Changes

  • this PR adds one more job to lint.yml which runs cargo vet.
  • this PR adds the supply_chain/ directory, which is the directory with cargo vet config files, files where you will put manually audited files, etc. This whole directory was generated by running cargo vet init, so once you trust the cargo vet creators and run cargo vet init yourself, you can be calm that all these many lines are okay-ish.

Testing

This PR doesn't add any actual code, only a new CI job, so once CI is green it's fine. Also, you would probably want to run cargo vet init yourself and see that supply_chain/ was generated by it.

Appendix

Of course it is up to the maintainers to decide whether you want to add cargo vet or not, but I think it is always good to add because:

  • it doesn't stop you from anything; you can still use any crate you want
  • it pings you when some crate you use wasn't audited, which can improve security in some cases
  • from my experience the majority of crates are audited, so most of the time you don't even remember that you have this in your CI

@MCJOHN974 (Author) commented:

I believe I don't have access to put the no_changelog label, and I think these changes shouldn't be reflected in the changelog.

@bobbinth bobbinth added the no changelog This PR does not require an entry in the `CHANGELOG.md` file label Jan 25, 2025
@bobbinth (Contributor) left a comment:

Thank you for submitting this PR! We haven't used cargo vet before, so we will need to think about the pros and cons here. I did leave a couple of questions in the inline comments which could help us understand this better.

Contributor (inline comment):

If I'm understanding this file correctly, we are basically saying that most dependencies are "exempted" from audits (i.e., they haven't been audited) - right?

If that's correct, the usefulness of this file seems limited because almost everything is treated as an exception. What are some ways to make the exemption list much smaller?

Author (inline reply):

Hi @bobbinth and thank you for your review! You are correct: by default cargo vet does not mark any crate as "audited" by itself, and, yes, it just "exempts" all crates you use when you do cargo vet init. To shrink the set of "exempted" crates and actually do some auditing, you can import audits from some repository you trust.

In 027f2fc I copied the audit imports which are used in the cargo-vet repo. These audits are from such parties as Google, Mozilla, Bytecode Alliance, etc. This moved 124 crates from the "exempted" to the "audited" stage.

However, there are still 382 "exempted" crates. To move them into the "audited" stage we should audit them ourselves or import some more audits from trusted parties.
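As an added illustration of the two files this thread refers to (the PR description's supply-chain/audits.toml and the audit imports discussed in the reply above), here is a trimmed supply-chain/config.toml that imports third-party audit sets, followed by an audits.toml entry recording a manual audit. This is example content written for this page, not the PR's generated supply_chain/ directory, which is not shown here. The import URLs are the Mozilla, Google and Bytecode Alliance audit sets listed in cargo-vet's own documentation; confirm them against the upstream list before relying on them. The crate name `example-crate`, the reviewer identity, the version numbers and the `[cargo-vet] version` string are placeholders.

```toml
# ---- supply-chain/config.toml (added example, placeholders marked) ----

[cargo-vet]
version = "0.10"        # placeholder: keep whatever your `cargo vet init` wrote

# Audit sets published by parties the project chooses to trust. Any crate
# version one of these sets vouches for no longer needs an exemption, which
# is how the reply above moved 124 crates from "exempted" to "audited".
[imports.mozilla]
url = "https://raw.githubusercontent.com/mozilla/supply-chain/main/audits.toml"

[imports.google]
url = "https://raw.githubusercontent.com/google/supply-chain/main/audits.toml"

[imports.bytecode-alliance]
url = "https://raw.githubusercontent.com/bytecodealliance/wasmtime/main/supply-chain/audits.toml"

# `cargo vet init` writes one exemption per dependency: a crate version that
# nobody has vouched for, allowed through anyway. The review goal is to make
# this list shrink, never grow silently.
[[exemptions.example-crate]]        # placeholder crate name
version = "1.2.3"
criteria = "safe-to-deploy"

# ---- supply-chain/audits.toml (added example) ----

# A full audit of one version. Once this entry exists, the exemption for
# example-crate 1.2.3 above can be deleted and `cargo vet` still passes.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.com>"    # placeholder identity
criteria = "safe-to-deploy"
version = "1.2.3"
notes = "Read the full source: no build.rs, no unsafe, no network access."

# A delta audit covers only the diff between two versions; it is valid because
# 1.2.3 is already trusted by the entry above.
[[audits.example-crate]]
who = "Reviewer Name <reviewer@example.com>"    # placeholder identity
criteria = "safe-to-deploy"
delta = "1.2.3 -> 1.2.4"
```

With these files in place, the CI job the PR adds to lint.yml runs `cargo vet`, which fails when any dependency version is neither exempted, audited locally, nor covered by an imported audit set; running it as `cargo vet --locked` keeps CI from fetching new imports on its own, so a dependency bump or a new crate has to be accompanied by an explicit audit or exemption in the same change. `safe-to-deploy` and `safe-to-run` are cargo vet's built-in criteria.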

Author (inline reply):

If you think you want to use cargo-vet in your repo, I can search for more audits from well-known auditors and add them to this PR, trying to minimize the number of "exempted" crates.
