diff options
| -rw-r--r-- | .github/workflows/rust-supply-chain.yml | 9 | ||||
| -rw-r--r-- | .github/workflows/verify-locked-down-signatures.yml | 1 | ||||
| -rw-r--r-- | mullvad-ios/deny.toml | 42 |
3 files changed, 52 insertions, 0 deletions
diff --git a/.github/workflows/rust-supply-chain.yml b/.github/workflows/rust-supply-chain.yml index 32116c1544..f2650d886c 100644 --- a/.github/workflows/rust-supply-chain.yml +++ b/.github/workflows/rust-supply-chain.yml @@ -28,3 +28,12 @@ jobs: log-level: warn rust-version: stable command: check all + + # Run an additional license check for the iOS crate to catch GPL3 issues + - name: Run cargo deny for iOS (GPL3 check) + uses: EmbarkStudios/cargo-deny-action@v2 + with: + manifest-path: mullvad-ios/Cargo.toml + log-level: error + rust-version: stable + command: check licenses diff --git a/.github/workflows/verify-locked-down-signatures.yml b/.github/workflows/verify-locked-down-signatures.yml index e4d71a99fb..157012fd3d 100644 --- a/.github/workflows/verify-locked-down-signatures.yml +++ b/.github/workflows/verify-locked-down-signatures.yml @@ -13,6 +13,7 @@ on: - test/Cargo.lock - deny.toml - test/deny.toml + - mullvad-ios/deny.toml - rust-toolchain.toml - desktop/package-lock.json - wireguard-go-rs/libwg/go.sum diff --git a/mullvad-ios/deny.toml b/mullvad-ios/deny.toml new file mode 100644 index 0000000000..ea0f7f7883 --- /dev/null +++ b/mullvad-ios/deny.toml @@ -0,0 +1,42 @@ +# This file is for an additional check to prevent GPL-3.0 licensed crates +# from being introduced into the iOS app's Rust dependency tree, due to +# App Store restrictions. +# It does not override the main deny.toml file and needs to be run separately. +# See .github/workflows/rust-supply-chain.yml for the workflow that runs this check. + +[licenses] +allow = [ + "Apache-2.0", + "MIT", + "MPL-2.0", + "WTFPL", + "ISC", + "BSD-3-Clause", + "BSD-2-Clause", + "CC0-1.0", + "Unicode-DFS-2016", + "Unicode-3.0", + "CDLA-Permissive-2.0", +] + +# Allow GPL3 licensed crates with permission to relicense like Mullvads own. +exceptions = [ + { crate = "intersection-derive", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-api", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-api-constants", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-encrypted-dns-proxy", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-fs", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-ios", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-masque-proxy", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-types", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-update", allow = ["GPL-3.0-only"] }, + { crate = "mullvad-version", allow = ["GPL-3.0-only"] }, + { crate = "talpid-future", allow = ["GPL-3.0-only"] }, + { crate = "talpid-routing", allow = ["GPL-3.0-only"] }, + { crate = "talpid-time", allow = ["GPL-3.0-only"] }, + { crate = "talpid-tunnel", allow = ["GPL-3.0-only"] }, + { crate = "talpid-tunnel-config-client", allow = ["GPL-3.0-only"] }, + { crate = "talpid-types", allow = ["GPL-3.0-only"] }, + { crate = "talpid-windows", allow = ["GPL-3.0-only"] }, + { crate = "tunnel-obfuscation", allow = ["GPL-3.0-only"] }, +] |