Reduce the number of Zebra dependencies, and remove duplicate dependencies #3184

Closed
1 task
Tracked by #2311
teor2345 opened this issue Dec 9, 2021 · 3 comments
Labels
A-dependencies Area: Dependency file updates C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage

Comments

@teor2345
Contributor

teor2345 commented Dec 9, 2021

Motivation

In Zebra, we have a lot of:

  • different crate dependencies, and
  • duplicate versions of the same crate dependency.

But each dependency is a security risk, because dependency code runs in the Zebra process, and some of that code could be unsafe. (Or impact performance or privacy.) Each dependency also makes compilation and runtime performance slower.

So we need to carefully review Zebra's dependencies, particularly before we are audited.

Scheduling

This risk is acceptable for the first stable release, but we should review it when we handle user-generated transactions with lightwalletd.

Tasks

Remove unused dependencies:
- [ ] Identify unused dependencies and remove them
- [ ] Run cargo udeps in CI

  • Remove duplicate dependencies
    • TODO: add easy duplicate dependency tickets here

Related Work

@teor2345 teor2345 added A-dependencies Area: Dependency file updates S-needs-triage Status: A bug report needs triage P-Medium C-security Category: Security issues I-heavy Problems with excessive memory, disk, or CPU usage labels Dec 9, 2021
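A CI-style check for the "remove duplicate dependencies" task above, added here as an example; it is not Zebra's code and not part of this issue. It reads a Cargo.lock and reports crates locked at more than one version (what `cargo tree --duplicates` shows), with an allowlist for duplicates that have already been reviewed; the Cargo.lock fragment is constructed for the demonstration.

```python
import re
import sys
from collections import defaultdict
# Constructed Cargo.lock fragment for demonstration; not Zebra's real lock file.
SAMPLE_LOCK = """\
version = 3
[[package]]
name = "zebrad"
version = "1.0.0-beta.3"
dependencies = ["rand 0.7.3", "rand 0.8.4", "tokio"]
[[package]]
name = "rand"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "rand"
version = "0.8.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
[[package]]
name = "tokio"
version = "1.14.0"
"""
_KEY = re.compile(r'^(name|version)\s*=\s*"([^"]*)"$')

def parse_lock(text):
    """Map crate name -> sorted versions, reading only [[package]] name/version keys."""
    versions, current = defaultdict(set), {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            if "name" in current and "version" in current:
                versions[current["name"]].add(current["version"])
            current = {}
            continue
        m = _KEY.match(line)
        if m and m.group(1) not in current:  # first key in a block wins
            current[m.group(1)] = m.group(2)
    if "name" in current and "version" in current:  # flush the last block
        versions[current["name"]].add(current["version"])
    return {name: sorted(v) for name, v in versions.items()}

def find_duplicates(text, allowlist=()):
    """Crates locked at more than one version, excluding names already reviewed."""
    return {n: v for n, v in parse_lock(text).items() if len(v) > 1 and n not in allowlist}

if __name__ == "__main__":  # CI gate: non-zero exit on any unreviewed duplicate
    lock = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    dups = find_duplicates(lock)
    sys.exit(f"unreviewed duplicate crates: {dups}" if dups else 0)
```

Run it as `python check_dups.py Cargo.lock` in CI; the allowlist is where accepted duplicates (the "easy duplicate dependency tickets" mentioned above) would be recorded once reviewed.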
@teor2345
Contributor Author

teor2345 commented Jan 6, 2022

I ran cargo udeps recently, and there were no unused dependencies.

@mpguerra
Contributor

@mpguerra mpguerra mentioned this issue Jan 27, 2022
@ftm1000 ftm1000 removed the S-needs-triage Status: A bug report needs triage label Feb 8, 2022
@teor2345
Contributor Author

teor2345 commented Mar 1, 2022

This is an ongoing task that we will do as dependencies upgrade.
